{ "controlId": "CC6.1-MFA", "name": "Multi-Factor Authentication for System Access", "description": "Logical access to systems, data, and applications is protected by requiring multi-factor authentication for all user accounts with access to sensitive or production environments.", "domain": "Logical Access Controls", "frameworks": [ { "frameworkId": "SOC2", "controlReference": "CC6.1", "requirementText": "The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives." }, { "frameworkId": "ISO27001", "controlReference": "A.9.4.2", "requirementText": "Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure." }, { "frameworkId": "HIPAA", "controlReference": "164.312(d)", "requirementText": "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed." } ], "implementationGuidance": "Enable MFA for all user accounts. Use TOTP authenticator apps or hardware security keys, falling back to SMS only as a last resort. Enforce MFA at the identity provider level. Document every exception together with its compensating controls.", "evidenceTypes": [ "Screenshot of MFA enforcement settings in identity provider", "API export from identity provider showing MFA enrollment rates", "Policy document defining MFA requirements", "Access control log showing MFA challenges" ], "automatable": true, "status": "Implemented", "owner": "Security Engineering", "tags": ["Access Control", "Authentication", "Identity", "MFA"] }