Based on its risk assessment, each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems.

(b) Multi-factor authentication shall be utilized for any individual accessing the covered entity’s internal networks from an external network, unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.