
How to Harden Third-Party Vendor Access with MFA and Session Controls for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.5

Practical guidance to enforce MFA, session controls, and least-privilege for third-party vendor access to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (MA.L2-3.7.5).

April 23, 2026
4 min read


This post explains how to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.5 by hardening third‑party vendor access using multifactor authentication (MFA), session controls (timeouts, session lifetimes, and monitoring), and operational practices that a small business can implement without enterprise overhead.

What MA.L2-3.7.5 expects and the Compliance Framework perspective

MA.L2-3.7.5 targets secure maintenance and remote access activities by external parties: the Compliance Framework practice requires enforcing strong authentication, time-limited sessions, least-privileged access, logging, and an auditable process for vendor maintenance. For small businesses handling CUI, this means you must not rely on shared accounts, SMS-only MFA, or unmonitored remote desktop/VPN sessions — you must prove access was authorized, time-bounded, and logged.

Practical MFA and session-control implementation steps

Start by implementing per-user vendor accounts (no shared credentials) and enforce MFA for any account that accesses systems containing CUI. Prefer phishing-resistant MFA (FIDO2 hardware keys like YubiKey, or platform authenticators) or push + TOTP from trusted authenticators as a fallback; explicitly ban SMS for primary MFA due to its risks. Integrate MFA with your identity provider (IdP) — Azure AD, Okta, Google Workspace, or a PAM solution — and require MFA at the IdP level so every protocol (RDP, SSH, web portal) benefits without bespoke configuration.

Apply session controls that limit both idle time and maximum session duration. Recommended practical values for CUI maintenance: idle timeout of 10–15 minutes, absolute session maximum of 1–4 hours for maintenance windows, and single sign-on token refresh intervals of no longer than 8 hours for high-risk roles. Implement Just‑In‑Time (JIT) access for privileged vendor tasks using PAM or an approval workflow — e.g., request → approve → auto-provision temporary account/role that expires automatically.

Cloud and platform-specific technical patterns

For Azure: use Azure AD Conditional Access to require MFA + compliant device + named location restrictions for vendor sign-in, set Session controls (Sign-in frequency = 1 hour, persistent browser session = Never), and utilize Azure Bastion or Azure Privileged Identity Management (PIM) for JIT elevation. For AWS: use AWS SSO/IAM Identity Center with permission sets, create roles that vendors assume via STS with session duration limited to 1 hour, and prefer Systems Manager Session Manager for remote shell access (it records session output and does not require opening SSH ports). For GCP: use Access Context Manager, short‑lived OAuth tokens, and Identity-Aware Proxy (IAP) for web/ssh access to avoid exposing services directly to the internet.

On-prem or hybrid setups and hardening examples

On-premises servers: deploy a bastion or jump host that requires MFA at the entry point, then proxy all RDP/SSH through it. Use short-lived SSH certificates instead of static keys; tools like Vault or Smallstep can issue time-limited certificates automatically. For Windows remoting, force RDP over VPN or require RD Gateway with MFA, and enable Network Level Authentication; capture session recordings for privileged maintenance using session recording tools. For small offices, a hardened jump VM with Azure AD or Okta SSO + MFA, with session logs forwarded to a central syslog server or a lightweight SIEM, gives strong protection without heavy investment.

Small business scenario — step-by-step

Example: a 30-person subcontractor needs a vendor to patch a CUI-handling application on a cloud VM. Steps:

1) Open a ticket describing the maintenance scope and attach the vendor's SoW and account name.
2) Create a unique vendor account in your IdP with least privilege for only the target VM.
3) Require the vendor to register a FIDO2 token or to use Okta Verify + push.
4) Approve JIT access that automatically maps a temporary IAM role for 90 minutes.
5) Route access through a bastion that records the session and forwards logs to CloudTrail/Log Analytics.
6) Close the ticket; the role auto-expires, and you run an access review and check logs within 24–48 hours to confirm no anomalous activity.

This flow meets the practice goals: authenticated, time-limited, least-privilege, and audited.
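As an added illustration (not code from the original post), the following Python models the scenario's controls as a policy check that can be run over vendor session records during the step-6 review: per-user account, approved target only, no SMS-only MFA, the 90-minute JIT window, and the 15-minute idle timeout. The ticket id, account name, VM name and record schema are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Values from the post: 15-min idle timeout and a 90-min JIT grant for the vendor.
IDLE_TIMEOUT = timedelta(minutes=15)

@dataclass
class JitGrant:
    ticket: str
    account: str              # unique per-user vendor account, never shared
    target: str               # least privilege: only the approved resource
    approved_at: datetime
    lifetime: timedelta = timedelta(minutes=90)

def session_decision(grant, event):
    """Return (allowed, reason) for one access record checked against the grant."""
    ts = event["ts"]
    if event["account"] != grant.account:
        return False, "account not covered by grant"
    if event["target"] != grant.target:
        return False, "target outside approved scope"
    if event["mfa"] in (None, "sms"):  # None = no MFA; SMS banned as primary MFA
        return False, "missing or SMS-only MFA"
    if not grant.approved_at <= ts <= grant.approved_at + grant.lifetime:
        return False, "outside JIT window"
    if ts - event["prev_activity"] > IDLE_TIMEOUT:
        return False, "idle timeout exceeded"
    return True, "ok"

def review_log(grant, events):
    """Post-engagement review (step 6): every event that should have been denied."""
    return [(e["ts"].isoformat(), r) for e in events
            for ok, r in [session_decision(grant, e)] if not ok]

# Constructed sample records for ticket TCK-1042 (placeholder account and VM names);
# prev_activity is the timestamp of the previous action in the same session.
T0 = datetime(2026, 4, 23, 9, 0, tzinfo=timezone.utc)
GRANT = JitGrant("TCK-1042", "vendor.jdoe", "vm-cui-app-01", approved_at=T0)

def _ev(mins, mfa="fido2", account="vendor.jdoe", prev=None):
    t = lambda n: T0 + timedelta(minutes=n)
    return {"ts": t(mins), "account": account, "target": "vm-cui-app-01",
            "mfa": mfa, "prev_activity": t(mins if prev is None else prev)}

SAMPLE_EVENTS = [
    _ev(5),                            # fresh FIDO2 session inside the JIT window
    _ev(40, prev=20),                  # 20 min idle: session should have been cut
    _ev(50, mfa="sms", prev=45),       # SMS used as MFA: banned by policy
    _ev(60, account="vendor.shared"),  # shared account, not covered by the grant
    _ev(100, prev=95),                 # 100 min after approval: past the 90-min grant
]
```

Running `review_log(GRANT, SAMPLE_EVENTS)` returns four findings, one per violating record; an empty result is the evidence you want to attach to the closed ticket.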

Compliance tips and best practices

Practical compliance tips:

(1) Include MFA and session requirements in vendor contracts and SLAs, and require proof that the vendor meets your MFA standard (e.g., FIDO2 or equivalent).
(2) Implement an access request/approval workflow with time limits and automated revocation.
(3) Log all authentication and session activity (IdP logs, CloudTrail, Sysmon/Windows Event logs) and retain the logs for the period required by contract, typically 1–3 years for audits.
(4) Conduct regular access reviews and rotate vendor account naming and permissions after each engagement.
(5) Use automation: IaC or scripts that create time-limited roles so manual errors are reduced.

Risks of not implementing MA.L2-3.7.5 controls

Without MFA + session controls, third-party vendor access becomes a high-risk attack vector: stolen or shared credentials enable lateral movement, long-lived sessions allow prolonged exfiltration, and lack of logs makes incident response and attribution difficult. For small businesses this can mean loss of CUI, contract termination, regulatory penalties, and reputational harm. Supply-chain compromises (like access via a vendor with weak controls) have caused multiple large breaches — the same risk applies to smaller organizations that lack hardened controls.

Summary: Implement per-user vendor accounts, enforce phishing-resistant MFA, apply strict session timeouts and JIT provisioning for privileged tasks, route vendor access through bastions or IdP-backed gateways, and keep centralized logging and automated revocation. These practical controls satisfy MA.L2-3.7.5 objectives in the Compliance Framework: they reduce risk, create auditable evidence, and are achievable for small businesses with cloud-native features and lightweight PAM/IdP tooling.
