Strengthening Identity Integrity and MFA Controls to Prevent Credential Theft

By Team DTS

Identity is the core of modern cybersecurity. Federal frameworks, including NIST SP 800-171 and CMMC, consistently emphasize maintaining traceable, unique identities and enforcing multi-factor authentication (MFA). Strong identity governance reduces the likelihood of unauthorized access and credential compromise.

Establish Unique, Non-Shared User IDs

Clear identity standards ensure accountability. Each user should have a unique identifier that corresponds directly to HR records. NIST requires organizations to prevent shared accounts because they erode traceability. Service accounts should be labeled clearly and prohibited from interactive use to avoid confusion between human and automated activity.

Quarterly access reviews confirm that:

  • User accounts remain valid
  • Permissions align with job roles
  • Anomalies, such as unused or misconfigured accounts, are identified and corrected

These reviews support both operational security and audit readiness.

Enforce Strong MFA Across the Organization

MFA is one of the highest-value safeguards for defending against credential theft. Federal requirements mandate MFA for remote access, administrative access, and access to systems containing sensitive data. Organizations can meet these obligations by:

  • Enforcing MFA through identity provider policies
  • Extending MFA to all users whenever possible
  • Monitoring MFA coverage reports
  • Avoiding unnecessary exemptions, including VIP accounts
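
One way to automate the quarterly access review and the MFA coverage report described above, as an added example that is not DTS's own code. The HR roster and identity provider export are constructed sample data; the field names, finding labels and 90-day "unused" threshold are assumptions.

```python
from datetime import date

# Constructed sample data; the field names are assumptions, not a real IdP schema.
HR_ROSTER = {"E1001": "active", "E1002": "active", "E1003": "terminated"}
ACCOUNTS = [
    {"id": "asmith", "type": "user", "emp": "E1001", "last_login": date(2026, 1, 20),
     "interactive": True, "mfa": True, "mfa_exempt": False},
    {"id": "bjones", "type": "user", "emp": "E1002", "last_login": date(2025, 9, 2),
     "interactive": True, "mfa": False, "mfa_exempt": True},   # "VIP" exemption
    {"id": "cdoe", "type": "user", "emp": "E1003", "last_login": date(2026, 1, 5),
     "interactive": True, "mfa": True, "mfa_exempt": False},
    {"id": "frontdesk", "type": "user", "emp": None, "last_login": date(2026, 1, 28),
     "interactive": True, "mfa": False, "mfa_exempt": False},  # shared login
    {"id": "svc-backup", "type": "service", "emp": None, "last_login": date(2026, 1, 29),
     "interactive": True, "mfa": False, "mfa_exempt": False},
]

def review(accounts, roster, today, stale_days=90):
    """Return {account id: [findings]} for every account that needs follow-up."""
    report = {}
    for a in accounts:
        findings = []
        if a["type"] == "service":
            # Service accounts are judged on one rule: no interactive sign-in.
            if a["interactive"]:
                findings.append("service-account-interactive")
        else:
            status = roster.get(a["emp"])
            if status is None:
                findings.append("no-hr-record")        # shared or orphaned identity
            elif status != "active":
                findings.append("hr-not-active")
            if not a["mfa"]:
                findings.append("mfa-exempt" if a["mfa_exempt"] else "mfa-missing")
        if (today - a["last_login"]).days > stale_days:
            findings.append("unused")
        if findings:
            report[a["id"]] = findings
    return report

def mfa_coverage(accounts):
    """Fraction of human user accounts with MFA enforced."""
    users = [a for a in accounts if a["type"] == "user"]
    return sum(a["mfa"] for a in users) / len(users) if users else 1.0

if __name__ == "__main__":
    for acct, findings in review(ACCOUNTS, HR_ROSTER, date(2026, 2, 1)).items():
        print(f"{acct}: {', '.join(findings)}")
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS):.0%}")
```

Exempted accounts are reported separately from accounts that simply lack MFA, so each exemption is re-justified at every review instead of persisting unnoticed.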

Reduce Credential Risk Through Identity and MFA Discipline

Identity-related attacks remain one of the most common threat vectors. Strong identity hygiene significantly reduces risk while requiring minimal operational overhead, and MFA provides protection far above its cost and complexity.

Identity integrity and MFA allow organizations to meet federal expectations, reduce exposure to credential-based attacks, and support a repeatable and defensible security program.

Insights provided by the DTS Cybersecurity Team

References

  • Defense Federal Acquisition Regulation Supplement, 48 C.F.R. § 252.204-7012 (2020). Safeguarding covered defense information and cyber incident reporting. https://www.acquisition.gov/dfars
  • Department of Defense. (2014). Department of Defense Instruction 8500.01: Cybersecurity (Change 1, 2019). Office of the Chief Information Officer. https://www.esd.whs.mil
  • National Institute of Standards and Technology. (2020). Protecting controlled unclassified information in nonfederal systems and organizations (NIST Special Publication 800-171 Revision 2). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-171r2
  • National Institute of Standards and Technology. (2020). Assessing security requirements for controlled unclassified information (NIST Special Publication 800-171A). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-171A
  • Office of the Under Secretary of Defense for Acquisition & Sustainment. (2020–2024). Cybersecurity Maturity Model Certification (CMMC) Program Documentation. U.S. Department of Defense. https://dodcio.defense.gov/CMMC
