
ACME Corp
critical

MFA not enforced for privileged cloud access

A single phished admin account reaches both card data and PHI. This is the control PCI and FedRAMP assessors test first.

Frameworks: PCI-DSS, FedRAMP, NIST CSF. Gap: no enforcement evidence for 6 privileged roles.

Root cause

Phishing-resistant MFA is enforced for the workforce SSO, but not for the break-glass cloud-admin roles or the CI/CD service principals, which are exactly the accounts that reach card data and PHI.

Business impact

A single phished or replayed admin credential grants full access to the card-data environment and the PHI store at the same time. It is the first control a PCI QSA and a FedRAMP assessor test, and an open finding here blocks compliance with three frameworks at once.

Mapped controls

NIST PR.AA-03: fails while this gap is open
PCI R8.4: fails while this gap is open
FedRAMP IA-2(1): fails while this gap is open

Drives loss scenarios

Ransomware: ALE $1.8M, status Open

The fix

Closes this gap: Enforce phishing-resistant MFA on all privileged and cloud-admin roles
Effort ~1 week, owner Cloud Platform, satisfies 3 frameworks