CMMC Practice MA.2.113: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two things to prove who the user says he is. One thing can be something you have, such as a device that generates a one-time passcode. Another thing can be something you know, for example, a password or passphrase. Or, another thing can be something specific to you, such as a fingerprint. Requiring two or more things to prove your identity increases the security of the connection. Nonlocal maintenance activities are activities conducted from external network connections. After nonlocal maintenance activities are complete, shut down the external network connection.