Centrify for NIST 800-171 MFA Compliance

March 14, 2018

I often speak with Federal System Integrators (FSIs) who need to implement Multi-Factor Authentication (MFA) as part of their NIST 800-171 compliance.

Specifically, section 3.5.3 of this NIST guide states, “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”

Many of these FSIs have already implemented smart cards in their environment, at least partially, while others have no form of MFA at all. Either way, the Centrify Identity Platform can provide this MFA compliance, along with many other features required for a secure, Zero Trust environment.


(Centrify’s detailed compliance note on NIST 800-171 can be found here.)

For those FSIs already using smart cards on their Windows desktops for standard login, the path towards 800-171 compliance involves requiring MFA when a standard account needs to perform specific privileged functions.

The Centrify agent for Windows can allow standard users to raise their privilege to run specific applications, while also requiring the user to authenticate with their smart card PIN before this privilege is granted. Additionally, Centrify has agents for Mac and Linux desktops that can require smart cards for login.

For those FSIs not already using smart cards but who want to, YubiKeys can be a great choice. Alternatively, for those who don’t want to implement a hardware token, many FSIs will use other MFA factors like the Centrify Mobile Authenticator. This Mobile Authenticator can be used for MFA on Windows and Linux machines, both at the desktop login and for privilege elevation.

For those FSIs that work within a SCIF and don’t have access to a mobile phone, there are other MFA options available, like email and computerized phone calls that require a PIN.

The bottom line is this: If you’re an FSI who needs to implement MFA as part of your NIST 800-171 compliance, the Centrify Identity Platform provides exactly what you’re looking for plus a whole lot more.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.