Datawiza
Back to blog
January 10, 2026BlogIndustry

Implementing MFA for Saudi Aramco CCC: How Datawiza Helps You Meet SACS-002 MFA Controls—Fast

MFA for Saudi Aramco CCC

If you’re a vendor, contractor, or service provider working with Saudi Aramco, the Cybersecurity Compliance Certificate (CCC) program is a key requirement to demonstrate your cybersecurity posture. Saudi Aramco’s CCC program is tied to its Third Party Cybersecurity Standard (SACS-002), and it includes a defined process with an authorized audit firm and a two-year validity period.

One of the most common blockers for CCC readiness is multi-factor authentication (MFA)—especially when your environment includes legacy apps, custom portals, or external-facing systems that are difficult to modernize.

This article explains:

  • Which SACS-002 controls explicitly require MFA
  • What auditors typically expect as evidence
  • How Datawiza MFA can help you implement MFA quickly without upgrading/replacing your applications

First, what does Saudi Aramco CCC require from third parties?

Saudi Aramco’s CCC program is designed to ensure third parties comply with cybersecurity requirements in SACS-002. The CCC process includes selecting an authorized audit firm, completing an assessment package, and submitting the issued certificate/report through Aramco’s systems.

Aramco also emphasizes evidence quality: your assessment package should include supporting documents that are readable, time-stamped, and clearly tied to your environment (often highlighted in screenshots).

The MFA controls in SACS-002 you must address

SACS-002 includes multiple controls that require MFA, including (at minimum):

1) MFA for remote access — TPC-4

MFA must be enforced on all remote access, including Internet access, to your computing resources.

2) MFA for cloud services (including cloud email) — TPC-5

MFA must be enforced on all access to cloud services, explicitly including cloud-based email.

3) MFA for privileged accounts — TPC-37

MFA must be enforced on all privileged account access, including remote access to systems and applications.

4) MFA for specific cloud scenarios — TPC-44 / TPC-45

If applicable to your classification/scope:

  • MFA for Saudi Aramco users accessing a public cloud service hosting/storing Saudi Aramco Critical Data(TPC-44)
  • MFA for end-users accessing CMS of a cloud computing service (TPC-45)

What auditors look for: “show me the MFA”

Aramco’s guideline is very direct about evidence. For MFA controls, auditors commonly request:

  • Technical check evidence that MFA is in place
  • A clear screenshot of the authentication page
  • Relevant policies and procedures (remote access policy, cloud security policy, access control policy)

For privileged access (TPC-37), the guideline explicitly calls for evidence of the MFA page and configuration console.

Why MFA projects fail (and how Datawiza avoids the usual friction)

Most organizations aren’t lacking intent—they’re blocked by reality:

  • “Our portal is old. We can’t modify login safely.”
  • “We have multiple apps, each with different authentication.”
  • “We need something that works quickly for the audit.”
  • “We need evidence—screenshots and logs—not just a policy statement.”

Datawiza MFA is built for exactly this: enforcing MFA in front of your web applications—without changing application code.

How Datawiza MFA helps you meet CCC MFA requirements

Enforce MFA for remote access (TPC-4) without upgrading or replacing apps

Datawiza can enforce MFA at the access layer for remote users reaching your web applications (internal apps exposed externally, partner portals, supplier portals, etc.). This aligns well with the requirement to enforce MFA on remote access, and it produces the kind of evidence Aramco expects (authentication page + configuration + logs).

Centralize MFA across legacy & custom web apps

Instead of building MFA differently for each system, Datawiza provides a consistent, centralized approach across:

  • Oracle EBS (including iSupplier-style portals), PeopleSoft, JDE
  • SAP Portals
  • Custom partner/customer portals
  • Admin consoles and sensitive web apps

Protect privileged web access (TPC-37)

For privileged web-based consoles and admin routes, Datawiza can require MFA (including “always MFA for admins” or “step-up MFA for admin paths”). This maps cleanly to privileged account MFA expectations and supports the guideline’s requested evidence (MFA page + configuration console).

Support cloud access scenarios (TPC-44 / TPC-45) when web-based

If Aramco users access your cloud-hosted application via a web interface, Datawiza can enforce MFA for that access path and help produce the “clear authentication page evidence” called out in the guideline.

A CCC-friendly rollout plan (fast, low-risk)

Here’s a practical deployment approach designed around CCC evidence requirements:

  1. Define scope: which apps and access paths are in-scope for TPC-4/TPC-37 (remote users, admins, Aramco users, etc.)
  2. Deploy Datawiza in front of target web apps (no app code changes)
  3. Apply MFA policies: remote access MFA, admin MFA, sensitive app MFA
  4. Generate your evidence pack:
    • MFA authentication page screenshots
    • Config console screenshots (policy + app mapping)
    • Logs showing MFA enforcement (who/when/which app)
    • Policies & procedures (remote access, access control, cloud security)
  5. Engage your authorized audit firm and validate evidence format and completeness through their process.

The takeaway

Saudi Aramco CCC isn’t just about saying “we have MFA.” The standard and guideline emphasize where MFA must be enforced (remote access, cloud services, privileged access, certain cloud scenarios) and how you must prove it(technical checks, screenshots, and policies).

Datawiza MFA helps teams meet these requirements quickly—especially when legacy and custom web applications make traditional MFA rollouts slow, risky, or expensive.

Call to action

If you’re preparing for CCC and want a fast path to MFA evidence for your in-scope applications, book a demo here.

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza