Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.5 – Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Understanding the Requirement
This NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 control requires that any maintenance session initiated over an external network (nonlocal maintenance: an administrator or vendor working from outside the system boundary, for example from home or from a vendor site) must use multifactor authentication (MFA), and that those sessions are explicitly ended when maintenance is finished. In practice this reduces the elevated risk from privileged remote logins in two ways: a stolen or phished password alone is no longer enough to establish a session, and idle or forgotten sessions cannot remain open after the work is complete.
Technical Implementation
- Enforce MFA on remote access gateways: Configure your VPN, remote desktop gateway, or cloud bastion (jump host) to require MFA for all accounts with maintenance privileges, and enforce it at the gateway itself rather than trusting each target system to do so. Use time-based one-time passwords (TOTP), push notifications, hardware tokens, or FIDO2 keys, whichever integrates with your existing systems, so that a second factor is required before a session is established. For privileged accounts prefer phishing-resistant factors (FIDO2 or hardware keys) where you can; push-based approval is susceptible to prompt-bombing (repeated pushes until a tired administrator taps approve), so at minimum enable number matching or a similar verified-push feature and alert on bursts of denied pushes.
- Use a privileged access management (PAM) or jump host: Route nonlocal maintenance through a centrally managed bastion or PAM broker that enforces MFA, records sessions, and brokers credentials so administrators do not log in directly to target systems. This minimizes credential exposure and provides an audit trail of session start and stop times. Make the broker the only path: target systems should accept maintenance connections only from the jump host, otherwise the MFA requirement can be bypassed by connecting around it.
- Automatic session termination and idle timeouts: Set explicit session time limits and aggressive idle timeouts on the remote maintenance path, and enforce them on the gateway or broker side rather than in the client, since a client left connected will keep a session alive indefinitely. Implement automated disconnection policies (for example, terminate after a short idle period or at the end of the scheduled maintenance window) and require full re-authentication, including the second factor, for any reconnection. Note that transport-level keepalives only detect a client that has gone away; an idle user whose client is still connected needs a separate idle timeout.
- Ticketing and approval for nonlocal maintenance: Require a documented change or maintenance ticket that includes the purpose, approver, scheduled start and end times, and the account to be used. Tie access provisioning to ticket approval, and automatically revoke or disable remote access, terminating any session still running, when the ticket is closed.
- Logging, monitoring, and verification: Log MFA events (successes, failures, and denied prompts), connection start and stop times, and session recordings where feasible, and send them to a log store the maintenance accounts cannot alter. Monitor for unusual patterns such as after-hours maintenance, sessions that outlive their ticket window, or unusually long sessions, and implement alerts that trigger review if sessions are not closed properly.
- Vendor and third-party controls: For external maintenance vendors, require one-time, time-limited access that is brokered through your PAM or jump host and protected by MFA enrolled to a named individual; avoid shared or standing vendor accounts. Ensure contracts mandate session termination and provide access logs for verification.
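As an added example (not from this page or from any vendor's documentation), the following script audits an OpenSSH jump host's sshd_config for the settings the list above calls for: an AuthenticationMethods line that requires a key plus an interactive second factor, UsePAM so that factor can be checked, no direct root login, and keepalive settings that reap dead connections. It assumes a PAM TOTP module sits behind keyboard-interactive, which the page does not specify; both configuration texts are constructed samples.

```python
"""Audit an OpenSSH jump host's sshd_config for the MFA and
connection-termination settings this control expects.

Added example, not from the page or any vendor. Assumes the jump host runs
OpenSSH with a PAM second factor (for example a TOTP module) answered through
keyboard-interactive; both config texts below are constructed samples.
"""
import re

# Constructed sample of a weak config: a password alone gets a session.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ClientAliveInterval 0
"""

# Constructed sample of the corrected config: a key AND an interactive
# second factor are both required, root cannot log in directly, and
# connections whose client stops answering are dropped after ~5 minutes.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 60
ClientAliveCountMax 5
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> effective value for the global section.

    Comments are stripped, 'Keyword value' and 'Keyword=value' both parse,
    and the FIRST occurrence of a keyword wins, which is how sshd resolves
    duplicates. Parsing stops at the first Match block: per-user overrides
    there deserve a separate review rather than silent merging.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.+)", line)
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def requires_two_factors(methods):
    """True if every alternative in AuthenticationMethods needs >= 2 methods.

    The directive lists alternatives separated by spaces; within one
    alternative, comma-separated methods must ALL succeed. So
    'publickey,keyboard-interactive' is two factors, while
    'publickey keyboard-interactive' accepts either one on its own.
    """
    alternatives = methods.split()
    return bool(alternatives) and all(len(a.split(",")) >= 2 for a in alternatives)


def audit(text):
    """Return a list of findings; an empty list means these checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    methods = cfg.get("authenticationmethods", "")
    if not requires_two_factors(methods):
        findings.append("AuthenticationMethods does not require two factors")
    if "keyboard-interactive" in methods and cfg.get("usepam", "no").lower() != "yes":
        findings.append("keyboard-interactive second factor needs UsePAM yes")
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin should be 'no' on a maintenance path")
    # ClientAlive* only reaps connections whose client has gone away: the SSH
    # client answers these probes itself, so an idle but connected user is
    # NOT logged out by this. Idle-user termination has to come from the
    # broker/PAM layer or a shell-level timeout in addition to this setting.
    if int(cfg.get("clientaliveinterval", "0")) <= 0:
        findings.append("ClientAliveInterval is unset/0: dead connections are never reaped")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["OK"])
```

Run it as a script to see the weak sample fail and the hardened one pass, or pass the text of a real sshd_config to audit(). The comment on the ClientAlive check is the practical catch: those probes are answered by the SSH client automatically, so they terminate broken connections, not idle users; the idle-user timeout the control needs still has to be enforced by the broker or a shell-level limit.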
Example in a Small or Medium Business
Acme Widgets is a 60-person SMB that hosts a handful of internal servers and a file server in a co-location facility, plus cloud instances for key applications. When their senior system administrator, Alice, needs to perform maintenance from home she opens her company VPN client and is prompted for her password plus a push notification to a mobile authenticator app; MFA is required for all accounts in the admin group. All maintenance sessions are performed through a centrally managed jump host that brokers the connection, records the session, and enforces MFA, so Alice never connects directly to target servers with raw credentials. Before her work begins Alice opens a maintenance ticket that lists the systems, start time, and expected end time; the ticket approval process automatically grants temporary access and ties session logs to the ticket. When Alice finishes, she closes the ticket and the jump host automatically terminates the session; the jump host also enforces a 10-minute idle timeout to catch any forgotten connections, and reconnecting requires the full password-plus-push login again. The IT manager reviews the session logs weekly to verify that sessions started and stopped as expected and flags any deviations for follow-up. External vendors follow the same process and are given one-time access that expires when the ticket closes.
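The weekly review in the example above, and the logging and monitoring bullet in the implementation list, can be scripted. The following is an added example rather than anything from the page or from a product: it assumes the jump host or PAM broker can export one JSON record per session carrying a ticket reference, the second factor it verified, and start and end times (an assumed schema), and it flags sessions with no ticket, no second factor, a start outside business hours, a session still open past the idle grace period, and sessions that ran unusually long or outlived their ticket window. The four records and their timestamps are constructed.

```python
"""Weekly review of brokered maintenance sessions against their tickets.

Added example, not from the page. It assumes the jump host or PAM broker
exports one JSON record per session with the fields shown (an assumed
schema, not any product's); the records and timestamps are constructed.
"""
import json
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)          # local hours treated as normal maintenance time
MAX_SESSION = timedelta(hours=4)  # anything longer gets a second look
GRACE = timedelta(minutes=10)     # matches the broker's idle timeout
REVIEW_AS_OF = datetime(2024, 3, 8, 9, 0)  # when the weekly review runs

# Constructed sample export: "mfa" is the second factor the broker verified
# (null if none), "end" is null while a session is still open.
SAMPLE_EXPORT = """
{"session": "s1", "user": "alice", "ticket": "CHG-101", "mfa": "push", "start": "2024-03-04T09:02:00", "end": "2024-03-04T10:15:00", "ticket_end": "2024-03-04T12:00:00"}
{"session": "s2", "user": "vendor-acme", "ticket": "CHG-102", "mfa": "totp", "start": "2024-03-04T14:00:00", "end": "2024-03-04T19:40:00", "ticket_end": "2024-03-04T16:00:00"}
{"session": "s3", "user": "bob", "ticket": "CHG-103", "mfa": "totp", "start": "2024-03-05T23:10:00", "end": null, "ticket_end": "2024-03-06T01:00:00"}
{"session": "s4", "user": "alice", "ticket": null, "mfa": null, "start": "2024-03-06T10:00:00", "end": "2024-03-06T10:20:00", "ticket_end": null}
"""


def _ts(value):
    """Parse an ISO-8601 timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def review(export_text, now):
    """Return {session_id: [issues]} for every session that needs follow-up."""
    findings = {}
    for line in export_text.strip().splitlines():
        rec = json.loads(line)
        issues = []
        start, end, ticket_end = _ts(rec["start"]), _ts(rec["end"]), _ts(rec["ticket_end"])

        if not rec["ticket"]:
            issues.append("no maintenance ticket")
        if not rec["mfa"]:
            issues.append("no second factor recorded")
        if not BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]:
            issues.append("started outside business hours")

        if end is None:
            # Open sessions are normal while work is in progress; past the
            # grace period they are exactly the forgotten sessions the control
            # wants terminated.
            if now - start > GRACE:
                issues.append("still open: never terminated")
        elif end < start:
            issues.append("end precedes start: clock or logging problem")
        else:
            if end - start > MAX_SESSION:
                issues.append("unusually long session")
            if ticket_end and end > ticket_end + GRACE:
                issues.append("outlived its ticket window")

        if issues:
            findings[rec["session"]] = issues
    return findings


def review_sample():
    """Run the review over the constructed export at the review time."""
    return review(SAMPLE_EXPORT, REVIEW_AS_OF)


if __name__ == "__main__":
    for sid, issues in review_sample().items():
        print(sid, "->", "; ".join(issues))
```

In the constructed data, s1 is a clean session and produces nothing; s2 is the vendor session that ran past both the four-hour limit and its ticket window; s3 was started late at night and is still open days later, which is the forgotten-session case the control is about; s4 has neither a ticket nor a verified second factor, which should also be impossible if the gateway enforces MFA and ticket-gated provisioning, so its appearance points at a gap in enforcement rather than just a reporting problem.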
Summary
Requiring MFA for nonlocal maintenance and ensuring sessions are terminated combines administrative controls (ticketing, approvals, vendor requirements) with technical controls (MFA enforcement, PAM/jump hosts, session timeouts, and logging) to reduce risk from privileged remote access. For SMBs, implementing MFA on existing VPN or remote access tools, centralizing remote maintenance through a brokered host, and automating session termination provide a practical, cost-effective path to meeting the control while keeping audit trails and minimizing credential exposure.