CMMC Practice MA.L2-3.7.5 – Nonlocal Maintenance: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Links to Publicly Available Resources
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- This article highlights MFA and the need to implement it for all privileged account access and for users who access network resources.
- NIST resources that define requirements for nonlocal system maintenance activities.
- Control objectives for the implementation of multifactor authentication from NIST SP 800-53.
- The State of North Carolina's IT System Maintenance policy, which provides an example of the roles, responsibilities and various components of maintenance supervision.
- This SANS whitepaper discusses the theory behind user-based two-factor (or multifactor) authentication systems, also known as "2FA".
- How Multifactor Authentication Can Help U.S. Government Contractors Achieve DFARS Compliance.
- This example policy from the State of Alabama provides a starting point for system maintenance.
Discussion [NIST SP 800-171 R2]
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA.L2-3.5.3.
Further Discussion
Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two factors from different categories, such as:
- something you know (e.g., password, personal identification number [PIN]);
- something you have (e.g., cryptographic identification device, token); or
- something you are (e.g., biometric fingerprint or facial scan).
Requiring two or more factors to prove your identity increases the security of the connection; two factors of the same category (for example, two passwords) do not satisfy the practice. Nonlocal maintenance activities are activities conducted over external network connections such as the internet. When the nonlocal maintenance activity is complete, terminate the session and the external network connection rather than leaving it open.
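The two assessable points in this practice, that a nonlocal maintenance session cannot be opened with a single factor and that it is torn down afterwards, can be checked on the host that accepts the sessions. The following is an added example, not part of the CMMC assessment guide or any NIST publication. It assumes nonlocal maintenance is done over OpenSSH, that factors are chained with the `AuthenticationMethods` directive (for example a key plus a PAM-backed one-time code through `keyboard-interactive`), and that an idle disconnect via `ClientAliveInterval`/`ClientAliveCountMax` is the mechanism that ends a finished session. The mapping of SSH methods to factor categories, the 900-second idle limit, and both sample configurations are constructed for the example.

```python
"""Audit an OpenSSH sshd_config against MA.L2-3.7.5 (added example, not from the guide)."""
import re

# Assumption for this example: which factor category each OpenSSH method proves.
FACTOR_OF_METHOD = {
    "publickey": "have",
    "hostbased": "have",
    "keyboard-interactive": "know",  # PAM-backed: password or one-time code
    "password": "know",
}
# Assumption: a session idle longer than this is treated as "maintenance complete".
MAX_IDLE_SECONDS = 900


def parse_sshd_config(text):
    """Return global directives as {name_lower: value}.

    OpenSSH uses the first value it reads for a keyword, so earlier lines win.
    Directives after the first 'Match' block apply conditionally; this check
    only audits the global section and stops there.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        name = parts[0].lower()
        if name == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(name, value)  # first occurrence wins
    return cfg


def check_multifactor(cfg):
    """Every AuthenticationMethods chain must combine two distinct factor categories."""
    value = cfg.get("authenticationmethods", "")
    if not value or value.lower() == "any":
        return ["AuthenticationMethods unset or 'any': a single factor opens a session"]
    findings = []
    for chain in value.split():  # space-separated alternatives, comma-separated chains
        methods = [m.split(":", 1)[0] for m in chain.split(",")]
        categories = {FACTOR_OF_METHOD.get(m, "unknown") for m in methods} - {"unknown"}
        if len(categories) < 2:
            findings.append(f"chain '{chain}' proves only one factor category")
    return findings


def check_termination(cfg):
    """Idle sessions must be dropped within MAX_IDLE_SECONDS."""
    try:
        interval = int(cfg.get("clientaliveinterval", "0"))  # OpenSSH default 0
        count = int(cfg.get("clientalivecountmax", "3"))     # OpenSSH default 3
    except ValueError:
        return ["ClientAliveInterval/ClientAliveCountMax are not integers"]
    if interval == 0:
        return ["ClientAliveInterval 0: idle sessions are never terminated"]
    if count == 0:
        return ["ClientAliveCountMax 0: connection termination is disabled"]
    idle = interval * count
    if idle > MAX_IDLE_SECONDS:
        return [f"idle sessions survive {idle}s, above the {MAX_IDLE_SECONDS}s limit"]
    return []


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_sshd_config(text)
    return check_multifactor(cfg) + check_termination(cfg)


# Constructed sample configurations for the example (not from any real host).
WEAK_CONFIG = """
# password alone, no idle disconnect
PasswordAuthentication yes
ClientAliveInterval 0
"""

HARDENED_CONFIG = """
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
# key (something you have) AND PAM one-time code (something you know)
AuthenticationMethods publickey,keyboard-interactive
# drop a session after 300s x 1 missed keepalive replies
ClientAliveInterval 300
ClientAliveCountMax 1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or ["no findings"])
```

Run it against `/etc/ssh/sshd_config` on the maintenance bastion; a non-empty list is evidence the practice is not met as configured. The idle-disconnect check is a proxy: it shows finished sessions cannot linger indefinitely, but the assessor will still expect a procedure that closes the connection when maintenance ends.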
This practice, MA.L2-3.7.5, requires the addition of multifactor authentication for remote maintenance sessions and complements five other practices dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.14, AC.L2-3.1.15, and IA.L2-3.5.3):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- Finally, IA.L2-3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts; MA.L2-3.7.5 extends that requirement to every nonlocal maintenance session regardless of account type.