3.3.1 Application administrative interface MFA is missing evidence

[mikewhiteman]

Issue It looks like we're missing required L1 / L2 evidence for the following requirement:

3.3.1 Application administrative interfaces shall use appropriate multi-factor authentication

Recommendation Based on our last feedback round, we had suggested requesting documentation evidence for both L1 and L2 levels since this isn't likely going to be directly testable by the labs.