Updated: 18 May 2026
CERT-In's Comprehensive Cyber Security Audit Policy Guidelines, reference CISG-2025-02, effective 25 July 2025, require MFA for all remote access connections across all Indian organisations operating digital systems. The requirement applies to private sector organisations, not only government entities or designated critical infrastructure operators.
The CERT-In MFA requirement has four specific components.
Scope. MFA is required for every remote access connection. This includes VPN sessions, remote desktop connections, third-party vendor access, and cloud application access from outside the corporate network. The requirement does not specify a minimum user population. It covers all remote access.
Individual accountability. Shared accounts do not satisfy the requirement. Every access event must be attributable to a named individual. Shared credentials fail this standard regardless of whether MFA is deployed on top of them.
Log retention. Authentication logs must be retained for 180 days. The logs must be stored in India. They must be available for export during the audit window. Passive storage in a cloud platform without confirmed India residency does not satisfy the requirement.
Annual audit. CERT-In mandates annual cybersecurity audits for all covered organisations. Auditors examine whether MFA is enforced in practice, not merely whether an MFA policy document exists. They ask for log evidence, not architecture diagrams.
The audit question is specific: can the organisation produce 180 days of individually attributed, timestamped authentication logs for remote access events on demand?
Organisations that cannot produce this evidence are non-compliant regardless of what their policy states.
Proactive Data Systems, a Cisco Preferred Security Partner under the Cisco 360 Partner Program, configures Cisco Duo deployments in Indian enterprise environments to satisfy all four CERT-In requirements from day one, including India-resident log storage and the bypass code register auditors request.
We'll get back to you shortly.
