Check out real agent Q&As below pertaining to the New York Cyber Regulation 500!
Question: Is MFA agency size specific or for all agencies?
Answer: All agencies of any size.
Question: For limited exemption agencies, do they need to comply by 11/1/24?
Answer: Yes.
Question: For NY, does MFA need to be used every single time you log on? Can you have a “trusted device”?
Answer: The regulation does not make an explicit exception for trusted devices.
Question: Does MFA need to be set up on everything they sign in to, or just the PC?
Answer: For limited exempt agencies, MFA must be used for:
“(1) remote access to the covered entity’s information systems;
(2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and
(3) all privileged accounts other than service accounts that prohibit interactive login.”
A privileged account is essentially a system administrator account.
If you can log in remotely using your phone or a tablet, you must use MFA on that device.
The text of that section of the regulation can be found at https://www.law.cornell.edu/regulations/new-york/23-NYCRR-500.12.
If an entity does not qualify for the limited exemption, the regulation states, “Multi-factor authentication shall be utilized for any individual accessing any information systems of (the) covered entity …” This would apply inside or outside the office. Whenever an individual accesses the agency’s computer system, the system must be configured for MFA.
Use it
Check out this quick hit session on how to set up Multi-Factor Authentication (MFA) in your agency.