# Priority Group Detail Pages
# Option 1.1
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.1 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
----
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html), [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA) | [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) |
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md) | [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) |
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.3 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) | |
# Option 1.2
## ID# 1.1
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html), [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA) | [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) |
## ID# 1.2
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md) | [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) |
## ID# 1.3
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| MITRE References | Sources | HOW TO |
| -------- | -------- | -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html), [M1032](https://attack.mitre.org/mitigations/M1032/) | [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) | TBD |
# Option 2.1
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.1 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html) |
| [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA) |
| HOW TOs |
| -------- |
| [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) |
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md) |
| HOW TOs |
| -------- |
| [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) |
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.3 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) |
| HOW TOs |
| -------- |
| TBD |
# Option 2.2
## ID# 1.1
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html) |
| [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA) |
| HOW TOs |
| -------- |
| [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization) |
## ID# 1.2
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md) |
| HOW TOs |
| -------- |
| [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization) |
## ID# 1.3
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| MITRE References |
| -------- |
| [CWE-308](https://cwe.mitre.org/data/definitions/308.html) |
| [M1032](https://attack.mitre.org/mitigations/M1032/) |
| Sources |
| -------- |
| [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md) |
| HOW TOs |
| -------- |
| TBD |
# Option 3.1
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.1 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Sources**
* [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
* [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA)
* **HOW TO**
* [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.2 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
* **HOW TO**
* [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
----
| ID | I | A | R | Category | Guideline |
| --- | - | - | - | -------- | --------- |
| 1.3 | E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
* **HOW TO**
* TBD
# Option 2.2
## ID# 1.1
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Sources**
* [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
* [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA)
* **HOW TO**
* [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
## ID# 1.2
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
* **HOW TO**
* [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
## ID# 1.3
| I | A | R | Category | Guideline |
| - | - | - | -------- | --------- |
| E | E | E | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
* **HOW TO**
* TBD
# Option 3.1
| ID | Category | Guideline |
| --- | -------- | --------- |
| 1.1 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Sources**
* [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
* [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA)
* **HOW TO**
* [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
| ID | Category | Guideline |
| --- | -------- | --------- |
| 1.2 | User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
* **HOW TO**
* [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
| ID | Category | Guideline |
| --- | -------- | --------- |
| 1.3 | User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
* **HOW TO**
* TBD
# Option 3.2
## ID# 1.1
| Category | Guideline |
| -------- | --------- |
| User Authentication | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Sources**
* [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
* [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA)
* **HOW TO**
* [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
## ID# 1.2
| Category | Guideline |
| -------- | --------- |
| User Authentication | Multi Factor Authentication (MFA) Enforced Across the npm Organization |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
* **HOW TO**
* [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
## ID# 1.3
| Category | Guideline |
| -------- | --------- |
| User Authentication | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible |
| Incubating | Active | Retired |
| - | - | - |
| Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
* **HOW TO**
* TBD
# Option 3.3
# Priority Group 1
| ID | Guideline | In | AL&I | Ar |
| :-: | - | :-: | :-: | :-: |
| UA:MFG | Multi Factor Authentication (MFA) Enforced Across the GitHub Organization | E | E | E |
| UA:MFN | Multi Factor Authentication (MFA) Enforced Across the npm Organization | E | E | E |
| UA:MFO | Multi Factor Authentication (MFA) Enforced in All Tools Wherever Technically Feasible | E | E | E |
| UA:MFI | Use Multi Factor Authentication (MFA) Methods that Defend Against Impersonation when Available | E | E | E |
### Multi Factor Authentication (MFA) Enforced Across the GitHub Organization
| ID | Category | Incubating | At Large & Impact | Archived |
| :-: | :-: | :-: | :-: | :-: |
| UA:MFG | User Authentication | Expected | Expected | Expected |
Additional descriptive text here.
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Sources**
* [OpenSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/github/enterprise/enterprise_enforce_two_factor_authentication.html)
* [OpenSSF Best Practices Badge Gold Level [require_2FA]](https://www.bestpractices.dev/en/criteria#2.require_2FA)
* **HOW TO**
* [GitHub Docs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
----
### Multi Factor Authentication (MFA) Enforced Across the npm Organization
| ID | Category | Incubating | At Large & Impact | Archived |
| - | - | - | - | - |
| UA:MFN | User Authentication | Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [OpenSSF npm Best Practices](https://github.com/ossf/package-manager-best-practices/blob/main/published/npm.md)
* **HOW TO**
* [npm Docs](https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization)
---
### Multi Factor Authentication (MFA) Enforced in Other Tools Wherever Technically Feasible
| ID | Category | Incubating | At Large & Impact | Archived |
| - | - | - | - | - |
| UA:MFO | User Authentication | Expected | Expected | Expected |
* **MITRE References**
* [CWE-308](https://cwe.mitre.org/data/definitions/308.html)
* [M1032](https://attack.mitre.org/mitigations/M1032/)
* **Source**
* [CNCF CNSWP v1.0](https://github.com/cncf/tag-security/blob/main/security-whitepaper/v2/cloud-native-security-whitepaper.md)
* **HOW TO**
* TBD