S8. Require MFA for administrators

User accounts with privileges that allow the creation (or destruction) of resources should require multi-factor authentication to help mitigate business risks associated with password compromise.