The STIG requires multifactor access for all privileged accounts; it mentions two government-approved mechanisms (one is CAC) as examples. Since CAC cards appear difficult to come by, it's possible that we could also set it up to use commercially available tokens, which would only allow access to our systems. For the time being the two-factor stuff will need to be left unimplemented so NRAO can administer the systems.