Do CIS benchmarks enforce constraints such as "require MFA for all users and roles"?

CIS (Center for Internet Security) benchmarks are established guidelines and best practices aimed at improving the security posture of IT systems. They provide a framework for securing various services and applications but do not enforce specific security controls like Multi-Factor Authentication (MFA) directly.

The benchmarks lay out recommendations and configurations that organizations can implement, but adherence depends on the organization itself developing policies and procedures to enforce security best practices. CIS benchmarks will therefore suggest that MFA should be considered as part of a broader security strategy, especially for protecting sensitive data and access points. However, they do not impose any constraints, such as requiring MFA for all users and roles.

This distinction separates the guidance provided by the benchmarks from mandatory enforcement, which must be accomplished through policies and security controls implemented by the organization. The benchmarks serve as recommendations rather than enforcement mechanisms.
