Cyber & IT Supervisory Forum - November 2023

Internal Use Only

R-SAT v. 2.0: Question 13

NEW: New question. Now addresses whether application-based or phishing-resistant MFA methods are being applied (per CISA guidance); provides examples of stronger authentication methods.

R-SAT v. 2.0: Question 13 (continued)

NEW: New sub-question. Asks where/how MFA is used. Added multiple new considerations for PAM, access to external apps hosting NPI, vendor access into networks, internal service accounts, and customers accessing NPI. Added an “Other” field to capture other areas of implementation not listed. Added a field to capture areas where MFA implementation is not planned or has been deferred.
