Minimum Cyber Security Standards

Multi-factor Authentication (MFA)

MFA is adopted by organisations to assist in protecting business-critical and external-facing systems from unauthorised access, misuse, or compromise.

PUBLISHED DATE: 30 October 2025

Intent of this Standard

Organisations have a duty of care to ensure their critical and sensitive information is adequately protected, and that requests to access, modify, transmit, or delete information are granted to authorised personnel only.

Organisations should put in place multi-layered preventive and protective measures beyond conventional username and password authentication, so that resilience is maintained should the first factor be compromised.

Authentication factors fall into three categories:

  • Knowledge factor (something the user knows, such as a password or PIN)
  • Possession factor (something the user has, such as a hardware token or an authenticator app)
  • Inherence factor (something the user is, such as a fingerprint or facial scan)

MFA verifies a user's identity using two or more credentials drawn from different factor categories. Two credentials of the same category (for example, a password and a security question) do not constitute MFA.

Minimum capability maturity level

The criteria for this Standard are set out against a maturity model. The expected minimum implementation level is CS-CMM 2.

Cyber Security Capability Maturity Model

Each requirement is set against a maturity level. The levels provide a pathway that agencies can assess themselves against, with a view to improving maturity over time.

Each maturity level builds on the requirement from the preceding level.

Below are the requirements for each capability maturity level for this Standard.

  • CMM 4 Quantitatively Controlled
    • MFA is required for all entities and applied across all systems.
    • All successful and unsuccessful MFA authentication logs are retained and reviewed.
  • CMM 3 Standardised
    • MFA is used when users authenticate to externally facing systems, business-critical systems, and for core network access.
    • MFA is required to be used by privileged users and cannot be bypassed unless within a managed ‘break glass’ scenario.
  • CMM 2 Planned and Tracked
    • MFA is used when users authenticate to business-critical and externally facing systems.
    • MFA is used by an organisation when authenticating to third-party services.
    • Privileged users are required to have MFA, and all unsuccessful MFA authentication logs are retained and reviewed.
  • CMM 1 Informal
    • MFA is available on some systems, and users must enable it themselves.
    • No oversight or auditing exists for MFA usage.
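
CMM 2 to 4 require that unsuccessful (and, at CMM 4, successful) MFA authentication logs are retained and reviewed, and CMM 3 requires that privileged users cannot bypass MFA outside a managed break-glass scenario. The script below is an added example of what such a review can look like in practice; it is not part of this Standard or of the NZISM. It works over a constructed log in a made-up JSON-lines format (the field names `ts`, `user`, `privileged`, `mfa` and `method`, and the break-glass account list, are assumptions for the example) and reports two things: privileged sign-ins that completed without MFA, with documented break-glass accounts reported separately for reconciliation, and bursts of failed MFA prompts against one account followed by a success, which is the pattern of MFA push fatigue.

```python
"""Added example: review MFA authentication logs for privileged sign-ins without
MFA (outside a managed break-glass account) and for bursts of unsuccessful MFA
prompts against one account. Log format and field names are constructed for this
example, not a real product's schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line, oldest first.
SAMPLE_LOG = """\
{"ts": "2025-10-30T08:00:01Z", "user": "alice", "privileged": false, "mfa": "success", "method": "fido2"}
{"ts": "2025-10-30T08:00:05Z", "user": "svc-admin", "privileged": true, "mfa": "not_required", "method": null}
{"ts": "2025-10-30T08:01:00Z", "user": "bob", "privileged": false, "mfa": "failure", "method": "push"}
{"ts": "2025-10-30T08:01:20Z", "user": "bob", "privileged": false, "mfa": "failure", "method": "push"}
{"ts": "2025-10-30T08:01:45Z", "user": "bob", "privileged": false, "mfa": "failure", "method": "push"}
{"ts": "2025-10-30T08:02:10Z", "user": "bob", "privileged": false, "mfa": "failure", "method": "push"}
{"ts": "2025-10-30T08:02:40Z", "user": "bob", "privileged": false, "mfa": "success", "method": "push"}
{"ts": "2025-10-30T09:15:00Z", "user": "carol", "privileged": true, "mfa": "success", "method": "totp"}
{"ts": "2025-10-30T09:30:00Z", "user": "breakglass-1", "privileged": true, "mfa": "not_required", "method": null}
{"ts": "2025-10-30T12:00:00Z", "user": "bob", "privileged": false, "mfa": "failure", "method": "push"}
"""

# Documented break-glass accounts (assumption for this example). Their use is
# reported separately so it can be reconciled against a change or incident record.
BREAK_GLASS_ACCOUNTS = {"breakglass-1"}


def parse_log(text):
    """Parse one JSON object per line into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def privileged_without_mfa(events, break_glass=BREAK_GLASS_ACCOUNTS):
    """Return (violations, break_glass_use): privileged sign-ins where MFA did not
    succeed, split by whether the account is a documented break-glass account."""
    violations, break_glass_use = [], []
    for e in events:
        if e["privileged"] and e["mfa"] != "success":
            target = break_glass_use if e["user"] in break_glass else violations
            target.append(e)
    return violations, break_glass_use


def mfa_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: finding} for accounts with at least `threshold` unsuccessful
    MFA prompts inside a sliding `window`. The finding records the most recent
    qualifying window and whether a success followed it within `window`, the
    tell-tale of a user approving a prompt they did not initiate."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["mfa"] == "failure"]
        lo = 0
        for hi, t in enumerate(failures):
            while t - failures[lo] > window:  # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                approved = any(
                    e["mfa"] == "success" and t <= e["ts"] <= t + window for e in evs
                )
                findings[user] = {
                    "failures": count,
                    "window_start": failures[lo],
                    "window_end": t,
                    "approved_after_burst": approved,
                }
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    violations, break_glass_use = privileged_without_mfa(events)
    for e in violations:
        print(f"VIOLATION privileged sign-in without MFA: {e['user']} at {e['ts']:%H:%M:%S}")
    for e in break_glass_use:
        print(f"REVIEW break-glass account used: {e['user']} at {e['ts']:%H:%M:%S}")
    for user, f in mfa_failure_bursts(events).items():
        print(f"ALERT {f['failures']} failed MFA prompts for {user} ending "
              f"{f['window_end']:%H:%M:%S}; approved afterwards: {f['approved_after_burst']}")
```

Against the constructed log the script flags `svc-admin` (privileged, MFA not enforced), reports the `breakglass-1` use for reconciliation, and raises one burst finding for `bob` (four failed push prompts in under five minutes followed by an approval). The threshold and window are starting points; tune them against the organisation's own baseline of legitimate failures before treating an alert as an incident.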

Focus areas

Focus areas are applicable to the Standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.

The focus areas for this Standard are:

  • Cloud services
  • Remote access
  • Standard user accounts
  • Privileged user accounts
  • Core network access.

Suggested actions

The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level; the actions below reflect good practice:

  • Organisations undertake an asset classification exercise to identify their business-critical and sensitive systems.
  • Organisations decide on an MFA delivery option and its costs.
  • Where possible, include MFA within the Identity Provider (IdP) platform using Single Sign-On (SSO).
  • Training, documentation, support, and user acceptance procedures are developed and delivered.

Key dependencies

Implementing this Standard is likely to require certain measures or technologies to already be in place.

A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.

Key dependencies for this Standard include:

  • An up-to-date understanding of critical business and internet-facing systems and roles.
  • Availability of hardware (for example, organisation-issued key fobs, YubiKey).
  • Availability of authenticators (e.g. tokens, smart cards).
  • Software authenticators (e.g. Google or Microsoft Authenticator).
  • Biometrics (e.g. thumbprint, facial recognition).
  • Monitoring, logging, and alerting functionality/capability exists.
  • User acceptance of user agreements is in place.
  • User awareness/training material has been developed, with ongoing delivery in place.

Measurable outcomes

The outcomes below are measures an organisation may use (or may already have in place) to establish whether the Standard is being implemented.

The outcomes have been designed to align with the requirements contained in the maturity level.

Outcomes for this Standard include:

  • MFA is implemented for business-critical and internet-facing systems, and for privileged accounts.
  • Funding for MFA monitoring, alerting, and operational management is included in budgets.
  • Monitoring/logging to track operational performance, or for security-related events, is in place.
  • Inventory or asset listing of MFA hardware.
  • Evidence of security testing and/or other forms of assurance that the MFA system is secure.
  • A lifecycle management process for MFA tokens, including resetting of privileged user tokens, has been developed.

Applicable NZISM controls

The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.

  • Control reference - 16.4.37.C.02.

    Agencies MUST use two-factor or Multi-Factor Authentication to allow access to privileged accounts.

    CID: 6843

  • Control reference - 16.7.41.C.01.

    Agencies MUST undertake a risk analysis before designing and implementing MFA.

    CID: 6948

  • Control reference - 16.7.42.C.01.

    Where an agency has external facing systems, cloud-based services, or is authenticating to third-party services, they MUST:

    • require MFA for all user accounts, and
    • implement a secure, multi-factor process to allow entities to reset their standard user credentials.

    CID: 7563

  • Control reference - 16.7.42.C.02.

    Where an agency has implemented MFA they MUST:

    • require MFA for administrative or other high privileged users, and
    • implement a secure, multi-factor process to allow entities to reset their standard user credentials.

    CID: 6953

  • Control reference - 16.7.42.C.03.

    Agencies MUST implement MFA on all user accounts with remote access to organisational resources.

    CID: 7564

  • Control reference - 16.7.42.C.04.

    Agencies SHOULD implement MFA on all user accounts with access to organisational resources.

    CID: 7565

  • Control reference - 16.7.42.C.07.

    The design of an agency’s MFA SHOULD include consideration of:

    • risk identification,
    • level of security and access control appropriate for each aspect of an organisation’s information systems (data, devices, equipment, storage, cloud, etc.),
    • a formal authorisation process for user system access and entitlements,
    • logging, monitoring and reporting of activity,
    • review of logs for orphaned accounts and inappropriate user access including unsuccessful authentication,
    • identification of error and anomalies which may indicate inappropriate or malicious activity,
    • incident response,
    • remediation of errors,
    • suspension and/or revocation of access rights where policy violations occur, and
    • capacity planning.

    CID: 6952

  • Control reference - 16.7.43.C.01.

    The design of an organisation's MFA system SHOULD be integrated with the agency's Information Security Policy, the agency's Privileged Access Management (PAM) Policy, and any additional agency password policies.

    CID: 6956

  • Control reference - 16.7.44.C.01.

    When agencies implement MFA they MUST ensure users have an understanding of the risks and include appropriate usage and safeguards for MFA in the organisation's user training and awareness programmes.

    CID: 6960
