Multi-factor authentication policy: enforcement intent
This page summarises the compliance and enforcement timescale anticipated for the multi-factor authentication (MFA) policy.
Expectations
The policy has immediate effect on publication and organisations should make every reasonable effort to comply as soon as practicable.
The Joint Cyber Unit recognises that a full-scale deployment of MFA across an organisation may take time, and enforcement action will not be taken unreasonably. However, many organisations in scope of the policy have already been subject for several years to a requirement, through the Data Security and Protection Toolkit (DSPT), to use MFA 'wherever technically feasible'.
Organisations will be expected to demonstrate not later than 29 February 2024 that they have plans in place to achieve full compliance with the policy by 30 June 2024.
Determination of compliance
Compliance will be determined in the first instance through DSPT submissions, including interim baseline submissions due 29 February 2024.
Information notices may also be issued under the Network and Information Systems Regulations 2018 to determine compliance where DSPT submissions are incomplete, unclear or do not apply to a particular organisation.
Summary
Stage | Actions | Expected not later than |
---|---|---|
Policy takes effect | Immediately on publication | |
Compliance check | Organisations are to provide to the National Chief Information Security Officer either:<br>All DSPT ‘Category 1’ organisations should provide this information through an interim DSPT submission. Other organisations should provide this information to the NIS mailbox – [email protected]. | 29 February 2024 |
Compliance | Organisations are to provide to the National Chief Information Security Officer:<br>All DSPT ‘Category 1’ organisations should provide this information through their DSPT submission for 2023-24. Other organisations should provide this information to the NIS mailbox – [email protected]. | 30 June 2024 |
Last edited: 7 May 2024 5:58 pm