SECURITY PROGRAM // ACTIVE ENGAGEMENT

MFA Enforcement

2026-03-15 // V1.0

IMPL

IMPLEMENTATION_RECORD

MFA Enforcement

Multi-factor authentication enforcement across all identity providers. Hardware-backed FIDO2/WebAuthn required for all administrative access. Legacy authentication protocols blocked.

QUICKSTARTDEPLOYED // STABLEIaC // TERRAFORM

SERVICEMFA Enforcement

PACKAGEQUICKSTART

DEPLOYED2026-03-15

STATUSDEPLOYED // STABLE

THREAT_VECTOR //

Credential theft via phishing is the most common initial access vector — this control makes a stolen password alone insufficient to compromise any account.

DEPLOYMENT_CHECKLIST

MFA enrolled for 100% of active accountsPASS

Phishing-resistant MFA for all admin accountsPASS

Legacy auth connections blockedPASS

Break-glass account created and vaultedPASS

Conditional access policies enforcedPASS

CONFIGURATION

SETTING	VALUE
MFA Provider	Google Workspace 2-Step Verification
Policy Scope	All active users
Admin MFA Type	Security Key (FIDO2)
Legacy Auth	Blocked
Session Timeout	8 hours (user) / 1 hour (admin)

FRAMEWORK_MAPPING

SOC_2_READINESSTRUST SERVICES CRITERIA SATISFIED

CC6.1Logical access security infrastructure protecting authentication systems

CC6.2Authorized user registration and credential provisioning controls

CC6.3Access modification and removal based on approved requests

These controls form part of the evidence base for your SOC 2 Type II audit.

NIST_CSFSECURITY FRAMEWORK FUNCTION

ProtectImplement safeguards to limit the impact of potential events

BASELINE_DELTA

BEFORE // BASELINE STATE

No MFA policy enforced org-wide
Admin accounts protected by password only
Legacy authentication protocols (SMTP AUTH, IMAP) permitted
No break-glass account documentation
No visibility into MFA coverage

AFTER // CURRENT STATE

100% of accounts require MFA at every login
Admin accounts require phishing-resistant MFA (Security Key/FIDO2)
Legacy auth protocols blocked — password-only access paths eliminated
Break-glass account created, vaulted, and alert-monitored
Monthly MFA coverage report: 18/18 accounts (100%)

CURRENT_HEALTH

ADMIN_PHISHING-RESISTANT_MFA100%TARGET: 100%

BREAK-GLASS_ACCOUNT_INTEGRITY✓TARGET: ✓

LEGACY_AUTH_CONNECTIONS_PERMITTED0TARGET: 0

MFA_ENROLMENT_RATE100%TARGET: 100%

DATA_SOURCE // MONTHLY SECURITY REPORT // MARCH 2026

CONTROL_HISTORY

March 2026MONTHLYEngineering Progress & Risk Mitigation Report

VIEW →

January 2026MONTHLYEngineering Progress & Risk Mitigation Report

VIEW →

February 2026MONTHLYEngineering Progress & Risk Mitigation Report

VIEW →

EVIDENCE_REFERENCES

ARTIFACT	TYPE	LOCATION	REF	DATE	WHAT THIS PROVES
Break-glass Account Setup	SCREENSHOT	Google Admin Console	gws-mfa-2026-03-15.svg	2026-03-15	Proves a documented emergency access process exists with appropriate monitoring, as required by access control criteria	VIEW
MFA Policy Configuration	TERRAFORM	https://github.com/ThreatUnknown/meridian-security-baseline	PR #14 — gws-mfa-policy.tf	2026-03-15	Proves MFA enforcement was implemented via code, not manually configured — provides reproducible, auditable proof of policy state	VIEW
Terraform Plan Output	TERRAFORM	https://github.com/ThreatUnknown/meridian-security-baseline	pr-14-terraform-plan.txt	2026-03-15	Confirms no unauthorised drift from declared configuration at time of implementation	VIEW

MFA Enforcement — Implementation Record

MFA Enforcement

MFA Enforcement

DEPLOYMENT_CHECKLIST

CONFIGURATION

FRAMEWORK_MAPPING

BASELINE_DELTA

CURRENT_HEALTH

CONTROL_HISTORY

EVIDENCE_REFERENCES