
How to Implement MFA for Nonlocal Maintenance: NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.5 Step-by-Step Guide

Step-by-step guidance to implement multi-factor authentication (MFA) for nonlocal maintenance to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MA.L2-3.7.5 requirements, with practical steps, technical configurations, and small-business examples.

April 25, 2026

Nonlocal maintenance — vendor or remote administrative access to systems that store, process, or transmit Controlled Unclassified Information (CUI) — is a high-risk activity that CMMC 2.0 Level 2 and NIST SP 800-171 Rev.2 address with MA.L2-3.7.5; this guide explains how a small or mid-sized business can implement practical, auditable multi-factor authentication (MFA) controls to meet the requirement while minimizing operational friction.

What MA.L2-3.7.5 requires (practical interpretation)

MA.L2-3.7.5 (NIST SP 800-171 Rev.2 requirement 3.7.5) has two parts: require multifactor authentication to establish nonlocal maintenance sessions over external network connections, and terminate those connections when the maintenance is complete. In practice that means documenting the control in your System Security Plan (SSP), configuring MFA on every remote-administration vector (VPNs, RDP/Terminal Services, SSH, management portals), enforcing session termination (idle timeouts, time-boxed vendor accounts, or a manual disconnect recorded in the maintenance ticket), and proving enforcement through logs, test evidence, and a procedure for exceptions and emergency access.

Step-by-step implementation

1) Inventory remote maintenance paths and stakeholders

Start by cataloging every nonlocal maintenance method: vendor remote support (TeamViewer/AnyDesk), vendor-specific portals, administrative RDP/SSH, VPNs, cloud console accounts, on-prem management appliances (firewalls, switches), and any third-party managed services. For each entry record the user population (employees, vendors), systems affected, and whether CUI could be accessed during a session. This inventory becomes the baseline for policy scoping in your SSP and POA&M.

2) Select MFA technologies and identity integration

Choose MFA solutions that integrate with your identity provider (IdP) and the target access method: SAML/OIDC for web consoles (Okta, Azure AD), RADIUS for VPN appliances (Duo, SecureAuth, Cisco ISE) and TACACS+ for administrative logins to network devices, and certificate or FIDO2-based authentication for SSH and privileged access. Avoid SMS OTP as the second factor (it is phishable and exposed to SIM swapping); prefer time-based OTP (TOTP) apps, push notifications with number matching, FIDO2/WebAuthn hardware tokens (YubiKey), or smart cards (PIV/CAC) where possible. Document the chosen factors and the rationale for each vendor in the SSP.

3) Enforce MFA on the network and host layers

Technical enforcement examples: configure your VPN appliance (e.g., Palo Alto GlobalProtect, FortiGate, Cisco ASA) to require RADIUS authentication against an MFA-aware server; deploy Azure AD Conditional Access requiring MFA for administrative roles; protect RDP by funneling sessions through an RD Gateway or a jump host that requires MFA (the NPS extension for Azure AD MFA, or Duo for Windows Logon); on Linux, set AuthenticationMethods publickey,keyboard-interactive in sshd_config with UsePAM yes, so that a key and a PAM-backed TOTP (pam_google_authenticator) or U2F/FIDO (pam_u2f) prompt are both required before a session opens, and set ClientAliveInterval so idle maintenance sessions are torn down. For third-party remote support tools, mandate that the vendor enable and present MFA before remote control is granted, and block non-MFA sessions via firewall/NAC rules.
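As an added example, not code from the original guide, here is a small Python audit of the global section of an sshd_config against the Linux settings described in the steps above. It applies OpenSSH's first-value-wins rule for repeated keywords, fills in the daemon's compiled-in defaults for absent directives, and flags configurations where a single factor still opens a session or where idle sessions are never torn down (the control also requires terminating the connection when maintenance ends). The weak and hardened configurations are constructed for illustration; Match blocks are deliberately not evaluated.

```python
"""Audit the global section of an sshd_config for nonlocal-maintenance MFA enforcement.

Added example: checks the OpenSSH settings discussed in step 3 against what sshd
will actually enforce. Match blocks are intentionally not evaluated.
"""
from __future__ import annotations

# Compiled-in sshd defaults (OpenSSH 9.x) for the directives that matter here.
# An absent directive means the daemon enforces this value, not "nothing".
DEFAULTS = {
    "authenticationmethods": "any",       # any ONE successful method opens a session
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "clientaliveinterval": "0",           # 0 = idle sessions are never torn down
}
# ChallengeResponseAuthentication is the deprecated spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(config_text: str) -> dict[str, str]:
    """Collect directives that precede the first Match block.

    sshd honours the FIRST value of a repeated keyword, so a later duplicate
    cannot override an earlier weak setting; setdefault() reproduces that rule.
    """
    seen: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen


def audit_mfa(config_text: str) -> list[str]:
    """Return human-readable findings; an empty list means MFA is enforced."""
    cfg = {**DEFAULTS, **parse_global(config_text)}
    findings: list[str] = []
    methods = cfg["authenticationmethods"].lower()

    if methods == "any":
        findings.append("AuthenticationMethods unset (default 'any'): one successful "
                        "method opens a session")
        if cfg["passwordauthentication"].lower() == "yes":
            findings.append("PasswordAuthentication yes with no method chain: a stolen "
                            "password alone grants access")
        chains: list[list[str]] = []
    else:
        # Space-separated lists are alternative chains; comma-separated entries
        # within a chain must ALL succeed. "keyboard-interactive:pam" -> "keyboard-interactive".
        chains = [[m.split(":")[0] for m in chain.split(",")] for chain in methods.split()]

    for chain in chains:
        if len(set(chain)) < 2:
            findings.append(f"chain '{','.join(chain)}' does not require two distinct factors")
        if "keyboard-interactive" in chain:
            if cfg["usepam"].lower() != "yes":
                findings.append("keyboard-interactive listed but UsePAM is not yes: "
                                "the PAM TOTP/U2F module never runs")
            if cfg["kbdinteractiveauthentication"].lower() != "yes":
                findings.append("keyboard-interactive listed but KbdInteractiveAuthentication "
                                "is no: that chain can never succeed")

    if int(cfg["clientaliveinterval"]) == 0:
        findings.append("ClientAliveInterval 0: idle maintenance sessions are never "
                        "terminated (3.7.5 also requires termination)")
    return findings


# Constructed "before" configuration: a password alone opens a session.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
UsePAM yes
"""

# Constructed hardened configuration: key (something you have) AND a PAM-backed
# TOTP/U2F prompt (pam_google_authenticator / pam_u2f) are both required.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 300
ClientAliveCountMax 2
Match Group vendors
    AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_mfa(cfg) or ['OK: MFA enforced']}")
```

Run it against a copy of the real file (after `sshd -T` if you want the fully resolved effective configuration) and keep the empty-findings output as test evidence for the SSP. A chain such as `publickey password` (space-separated, so either alone suffices) is reported as two single-factor chains, which is the mistake most often seen when an administrator intends "key and password" but writes "key or password".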

Technical details and logging

Implement session hardening: use a bastion/jump host with strict session recording and limited routing, employ privileged access management (PAM) or vaulting (CyberArk, BeyondTrust, HashiCorp Vault) to avoid exposing long-lived credentials, and require short-lived credentials or just-in-time access tokens where possible. Configure systems to log authentication success/failure, the factor used, the source IP, and session start and end, so that both MFA enforcement and session termination can be demonstrated; forward logs to a central SIEM or log collector (via syslog over TLS) with retention aligned to contract requirements and your POA&M (commonly 90–365 days depending on risk and contract language). Validate time synchronization (NTP) on every host that verifies TOTP codes, since clock drift causes spurious failures, and use FIPS 140-validated cryptographic modules where CUI is protected by encryption, which CMMC assessors expect.

Small business scenarios and real-world examples

Example 1: A small manufacturing firm contracts an HVAC vendor for PLC updates. Solution: create a vendor account in the firm's Azure AD, assign it to a restricted maintenance group, require Azure MFA (push + hardware token for the vendor), and restrict source IPs to the vendor gateway with conditional access; maintain recorded session logs and a signed maintenance ticket that contains scope and time window. Example 2: An MSP performs remote maintenance for multiple clients. Solution: require the MSP to use a managed bastion service with MFA, implement per-client segmentation, and require the MSP to supply MFA logs and session recordings as part of service-level agreements; require the MSP to rotate privileged credentials between jobs.

Compliance tips, exception handling, and risks of not implementing

Document everything: the SSP must list the MFA control, architecture diagrams, and how the control is tested. Create a POA&M entry for any phased rollout and an exception process that requires risk acceptance and time-limited approvals. For emergency "break-glass" access, issue one-off hardware tokens stored in a tamper-evident safe with a supervised checkout process, and log every use. Failing to implement MFA for nonlocal maintenance exposes CUI to unauthorized access, lateral movement by attackers, and supply-chain compromise, and it risks contract termination, a failed assessment, and loss of eligibility to win or retain federal work; real incidents often start with a compromised vendor account and escalate through unmanaged remote sessions.

Monitoring, testing, and continuous improvement

Operationalize ongoing validation: schedule quarterly tests that simulate vendor remote sessions and verify MFA enforcement, review failed-authentication patterns monthly in your SIEM, and update controls after every significant network or vendor change. Keep your vendor management program in sync: require proof of MFA for vendor personnel, include MFA requirements in contracts, and use attestations or periodic penetration tests to validate the configuration. Track control metrics (MFA adoption rate, number of exception approvals, average time to enforce) and include them in management review.
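The logging section above asks for records of authentication result, factor used, source IP and session end, and this section asks for a periodic review that verifies MFA enforcement and looks at failed-authentication patterns. The following Python script is an added example serving both passages; it is not the guide's or any vendor's tooling. It parses OpenSSH authlog lines of the form "Partial/Accepted/Failed <method> for <user> from <ip> port <port>" and "Disconnected from user <user> <ip> port <port>" (with AuthenticationMethods in force, sshd logs "Partial" for each method that passed before the chain completed and "Accepted" for the one that opened the session), then reports sessions that opened on a single factor, came from an address outside an assumed vendor gateway list, or show no disconnect, plus failed attempts per source. The log lines and the approved address are constructed for the example.

```python
"""Review sshd authentication logs for nonlocal-maintenance MFA evidence.

Added example (not the guide's own tooling): correlates OpenSSH authlog lines
per session and reports single-factor logins, unapproved source addresses,
sessions with no recorded termination, and failed attempts per source IP.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# With AuthenticationMethods in force, sshd logs "Partial <method>" for each
# method that passed but did not yet complete the chain, and "Accepted <method>"
# for the one that finally opened the session.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Partial|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
DISC_RE = re.compile(
    r"sshd\[\d+\]: Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass
class Session:
    user: str
    ip: str
    port: str
    passed: list[str] = field(default_factory=list)  # methods that succeeded, in order
    opened: bool = False
    closed: bool = False


def review(log_lines: list[str], approved_ips: set[str]) -> dict:
    """Correlate auth lines per (user, ip, port) and return findings."""
    sessions: dict[tuple[str, str, str], Session] = {}
    failed_by_ip: Counter[str] = Counter()

    for line in log_lines:
        if (m := AUTH_RE.search(line)):
            key = (m["user"], m["ip"], m["port"])
            s = sessions.setdefault(key, Session(*key))
            if m["result"] == "Failed":
                failed_by_ip[m["ip"]] += 1
            else:
                s.passed.append(m["method"])
                s.opened |= m["result"] == "Accepted"
        elif (d := DISC_RE.search(line)):
            key = (d["user"], d["ip"], d["port"])
            if key in sessions:
                sessions[key].closed = True

    findings: list[str] = []
    for s in sessions.values():
        if not s.opened:
            continue  # never established; counted under failed_by_ip instead
        who = f"{s.user}@{s.ip}:{s.port}"
        if len(s.passed) < 2:
            findings.append(f"{who} opened with a single factor ({s.passed[0]})")
        if s.ip not in approved_ips:
            findings.append(f"{who} came from an address outside the approved vendor gateway list")
        if not s.closed:
            findings.append(f"{who} has no disconnect logged: verify the session was terminated")
    return {"sessions": len(sessions), "findings": findings,
            "failed_by_ip": dict(failed_by_ip)}


# Constructed sample lines in OpenSSH's authlog format (not real data).
SAMPLE_LOG = """\
Apr 25 09:01:02 jump01 sshd[2101]: Partial publickey for hvac-vendor from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:AbCd
Apr 25 09:01:09 jump01 sshd[2101]: Accepted keyboard-interactive/pam for hvac-vendor from 203.0.113.10 port 51234 ssh2
Apr 25 09:47:30 jump01 sshd[2101]: Disconnected from user hvac-vendor 203.0.113.10 port 51234
Apr 25 10:12:44 jump01 sshd[2188]: Accepted publickey for msp-admin from 198.51.100.7 port 40022 ssh2: RSA SHA256:EfGh
Apr 25 11:03:15 jump01 sshd[2250]: Failed keyboard-interactive/pam for hvac-vendor from 192.0.2.55 port 60001 ssh2
Apr 25 11:03:21 jump01 sshd[2250]: Failed keyboard-interactive/pam for hvac-vendor from 192.0.2.55 port 60001 ssh2
Apr 25 11:03:28 jump01 sshd[2250]: Failed keyboard-interactive/pam for hvac-vendor from 192.0.2.55 port 60001 ssh2
""".splitlines()

APPROVED_VENDOR_IPS = {"203.0.113.10"}  # assumed vendor gateway address

if __name__ == "__main__":
    report = review(SAMPLE_LOG, APPROVED_VENDOR_IPS)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("failed attempts by source:", report["failed_by_ip"])
```

In the sample, the HVAC vendor's session is clean (key, then PAM second factor, then a logged disconnect), while the MSP session is flagged three times: it opened on a key alone, so the host it reached is not enforcing AuthenticationMethods; it came from an address not on the approved list; and it never disconnected within the log window. The three failures from 192.0.2.55 are the kind of pattern the monthly SIEM review should surface. Feed the same logic your SIEM's export for the review period and attach the output to the quarterly test record.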

Summary: Implementing MA.L2-3.7.5 is a blend of policy, vendor management, and concrete technical controls: inventory remote maintenance paths, select MFA technologies that integrate with your IdP and access vectors, enforce MFA at network and host levels (VPNs, jump hosts, SSH, RDP), terminate sessions when maintenance ends, instrument logging and session recording, and document everything in your SSP and POA&M. These steps reduce the risk of unauthorized access to CUI, simplify assessments, and make remote maintenance a controlled, auditable operation for small businesses pursuing NIST/CMMC compliance.
