Maintenance 3.7.5 (MA.L2-3.7.5)
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
What Is This CMMC Control?
This control requires organizations to use multifactor authentication (MFA) when technicians or administrators connect remotely from outside the organization's network to perform maintenance or troubleshooting on systems. Once the remote maintenance work is finished, those external connections must be properly closed. This prevents unauthorized individuals from gaining access to systems by impersonating legitimate maintenance personnel or hijacking maintenance sessions.
Control Intent
To ensure that remote maintenance sessions initiated from external networks are authenticated using multiple factors and properly terminated, preventing unauthorized access to organizational systems during maintenance activities.
Who This Control Applies To
- Systems that allow remote maintenance or diagnostic access from external networks
- Administrative interfaces accessible from outside the organizational network
- Third-party vendor remote access connections for system maintenance
- Help desk or IT support tools that enable remote system access
- Cloud-based systems with remote administrative consoles
- Network devices with remote management capabilities
- Servers with remote desktop or SSH access from external networks
Not Applicable When
- Maintenance is performed exclusively through physical console access on-site
- All maintenance activities occur only from within the internal trusted network with no external network traversal
- Systems are completely air-gapped with no network connectivity
- Maintenance is performed only through out-of-band management networks that do not traverse external networks
Key Objectives
1. Verify the identity of individuals performing nonlocal maintenance through multifactor authentication before granting access
2. Prevent unauthorized access to systems during remote maintenance sessions by requiring strong authentication
3. Ensure nonlocal maintenance sessions are properly terminated when maintenance activities are complete to prevent session hijacking or unauthorized continued access
Sample Self-Assessment Questions (Partial)
Do any of your IT staff, managed service providers, or vendors connect remotely from outside your network to maintain or troubleshoot your systems?
What tools or methods do technicians use to remotely access systems for maintenance (examples: remote desktop, VPN, SSH, vendor portals)?
Implementation Approaches (High-Level)
VPN with MFA Plus Session Management
Remote maintenance access requires connection through a VPN that enforces MFA at connection time, with additional session management controls to ensure termination.
Privileged Access Management (PAM) Solution
A centralized PAM system brokers all remote maintenance sessions, enforcing MFA at session initiation and controlling session lifecycle including termination.
Jump Host with MFA and Session Controls
Remote maintenance access is routed through a hardened jump host or bastion server that enforces MFA and manages session termination.
Cloud Provider IAM with MFA and Session Policies
For cloud-based systems, native cloud provider IAM enforces MFA for administrative access and session policies control session duration and termination.
Third-Party Vendor Remote Access Portal with MFA
A dedicated remote access solution for third-party vendors that enforces MFA and provides session management and termination controls.
Per-System MFA with Manual Session Termination Procedures
MFA is configured on individual systems that allow remote maintenance, with documented procedures for session termination.
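The jump-host approach above comes down to two server-side properties: every authentication path demands two factors, and the server itself tears down connections that go dead. As an added example (not code from this page or from any vendor tool), the following Python script audits an OpenSSH `sshd_config` for those properties. It assumes the second factor is delivered through PAM keyboard-interactive (for example a TOTP module) and evaluates only top-level keywords; the weak and hardened configurations are constructed samples.

```python
"""Audit an OpenSSH server configuration for the two properties a jump host
needs under MA.L2-3.7.5: a second factor at session establishment, and
server-side termination of dead connections.

Added example, not code from this page or any vendor tool. Assumptions:
the second factor is delivered through PAM keyboard-interactive (for
example a TOTP module), and only top-level keywords are evaluated.
"""

import re


def parse_sshd_config(text: str) -> dict[str, str]:
    """Map lowercase keyword -> effective value.

    sshd uses the first value it obtains for a keyword, so later duplicates
    are ignored here too. Parsing stops at the first Match block because
    conditional overrides are not modelled in this example.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []

    # Two distinct methods must be required on every allowed auth path.
    methods = cfg.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods not set: a single factor establishes the session")
    else:
        for path in methods.split():
            if len(set(path.split(","))) < 2:
                findings.append(f"AuthenticationMethods path '{path}' accepts a single factor")
        if "keyboard-interactive" in methods:
            # ChallengeResponseAuthentication is the pre-8.7 name of the same keyword.
            kbd = cfg.get("kbdinteractiveauthentication",
                          cfg.get("challengeresponseauthentication", "yes"))
            if kbd.lower() != "yes" or cfg.get("usepam", "no").lower() != "yes":
                findings.append("keyboard-interactive required but KbdInteractiveAuthentication/UsePAM not both yes")

    # Liveness probing: interval 0 disables it; count 0 disables disconnection
    # on missed probes (OpenSSH 8.2+), so both must be positive.
    interval = int(cfg.get("clientaliveinterval", "0"))
    count = int(cfg.get("clientalivecountmax", "3"))
    if interval <= 0 or count <= 0:
        findings.append("ClientAliveInterval/ClientAliveCountMax leave dead connections open indefinitely")

    # Shared root logins make the maintenance session unattributable.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root sessions cannot be attributed to a maintainer")
    return findings


# Constructed samples for this example.
WEAK_CONFIG = """\
# Typical as-installed jump host: password OR key, no liveness checks
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
# Key AND PAM-delivered one-time code; server drops a client after 3 missed
# probes 5 minutes apart (15 minutes of silence).
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 300
ClientAliveCountMax 3
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["OK"])
```

One caveat the check deliberately does not paper over: `ClientAliveInterval`/`ClientAliveCountMax` only catch clients that stop answering, because a connected but idle client answers the probes automatically. An idle-session timeout or a maximum session length has to come from elsewhere, such as the shell's `TMOUT`, the PAM stack, or the jump or PAM tool that brokers the session.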
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If MFA cannot be immediately implemented for all nonlocal maintenance access, prioritize systems with the highest risk or those processing the most sensitive CUI.
- Document specific systems or access paths that lack MFA and provide a timeline for implementation (typically 30-180 days depending on complexity).
- Implement compensating controls such as enhanced monitoring, restricted access windows, or additional approval requirements until MFA is fully deployed.
- For legacy systems that cannot support MFA, document the technical limitations and implement alternative controls such as an MFA-enforcing jump host in front of them or network segmentation.
- If session termination is manual rather than automated, document the procedures and implement regular audit reviews until automated controls can be deployed.
- Address third-party vendor access separately in the POA&M if vendor tools or processes do not support organizational MFA requirements.
- Include specific milestones such as MFA solution selection, procurement, pilot deployment, and full rollout.
- Document any emergency or break-glass access procedures that may bypass MFA and the controls in place to manage that risk.
- Plan for user training and procedure updates as part of the remediation timeline.
- Consider phased implementation starting with the most critical systems or highest-risk access paths.
Frequently Asked Questions
Does this control apply to remote access by regular employees working from home, or only to maintenance activities?
This control specifically applies to nonlocal maintenance and diagnostic activities, not general remote user access. Regular employee remote access is covered by AC.L2-3.1.12 (monitor and control remote access sessions) together with IA.L2-3.5.3 (MFA for network access). However, if an employee is performing system maintenance or administrative tasks remotely from an external network, those sessions fall under this control. The key distinction is the nature of the activity (maintenance/administration) rather than the identity of the person performing it.
If our VPN already requires MFA, does that satisfy this control for all maintenance sessions through the VPN?
VPN MFA is a strong foundation but may not fully satisfy this control depending on implementation. The control requires MFA to establish the nonlocal maintenance session itself. If the VPN MFA is the authentication mechanism that directly controls access to maintenance sessions, and those sessions end when the VPN disconnects, this can satisfy the control. However, if users can establish persistent maintenance sessions that outlive the VPN connection (for example a detached tmux or screen session, or an RDP session that is disconnected rather than signed out), or if the VPN MFA is not directly tied to maintenance session establishment, additional controls are needed.
What counts as proper session termination - does the user just need to log out, or is automatic termination required?
The control requires that sessions be terminated when maintenance is complete, but does not mandate a specific technical mechanism. Acceptable approaches include user-initiated logout, automatic timeout after idle period, maximum session duration limits, or administrative termination. The key is that sessions do not remain open indefinitely and that termination is verifiable through logging. Organizations should implement the most reliable termination method available for their environment, with automatic technical controls preferred over purely manual procedures.
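The answer above says termination should be verifiable through logging. As an added example (not part of this page or any vendor product), the following Python script reconciles OpenSSH and PAM session events from a jump host's auth log into sessions and flags those that were established with a single factor or that were never closed. The log lines are constructed for this example; the code assumes syslog-style lines without a year, and that a two-method `AuthenticationMethods` path produces a `Partial ...` line before the final `Accepted ...` line for the same sshd process.

```python
"""Reconcile sshd auth-log events into maintenance sessions and flag ones
that were established with a single factor or never terminated.

Added example for this page, not a page or vendor tool. Assumptions:
syslog-style OpenSSH lines with PAM session accounting (no year in the
timestamp), and multi-method authentication appearing as "Partial ..."
line(s) followed by an "Accepted ..." line for the same sshd pid.
"""

from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^(Partial|Accepted) (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
OPEN_RE = re.compile(r"session opened for user (?P<user>[^\s(]+)")
CLOSE_RE = re.compile(r"session closed for user (?P<user>[^\s(]+)")


@dataclass
class Session:
    pid: str
    user: str = ""
    ip: str = ""
    methods: list[str] = field(default_factory=list)  # every factor sshd accepted
    opened: datetime | None = None
    closed: datetime | None = None


def _ts(stamp: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_sessions(lines: list[str]) -> list[Session]:
    """Group auth and PAM session events by sshd pid; return sessions that opened."""
    sessions: dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = _ts(m["ts"]), m["msg"]
        s = sessions.setdefault(m["pid"], Session(m["pid"]))
        if (a := AUTH_RE.match(msg)):
            s.user, s.ip = a["user"], a["ip"]
            s.methods.append(a["method"])
        elif (o := OPEN_RE.search(msg)):
            s.opened = s.opened or ts
            s.user = s.user or o["user"]
        elif CLOSE_RE.search(msg):
            s.closed = ts
    return [s for s in sessions.values() if s.opened]


def audit_sessions(sessions: list[Session], now: datetime,
                   max_duration: timedelta = timedelta(hours=4)) -> list[str]:
    """Findings for single-factor establishment, missing termination, and overlong sessions."""
    findings: list[str] = []
    for s in sessions:
        label = f"pid {s.pid} user {s.user} from {s.ip}"
        if len(s.methods) < 2:
            findings.append(f"{label}: established with a single factor ({', '.join(s.methods) or 'unknown'})")
        if s.closed is None:
            findings.append(f"{label}: no session-closed event; open {now - s.opened} as of {now:%H:%M}")
        end = s.closed or now
        if end - s.opened > max_duration:
            findings.append(f"{label}: duration {end - s.opened} exceeds {max_duration}")
    return findings


# Constructed sample log: one compliant session, one single-factor session,
# and one two-factor session that was never closed.
SAMPLE_LOG = """\
Jan 14 02:11:04 jump sshd[4121]: Partial publickey for mtech from 203.0.113.7 port 51022 ssh2: ED25519 SHA256:c0ffee
Jan 14 02:11:09 jump sshd[4121]: Accepted keyboard-interactive/pam for mtech from 203.0.113.7 port 51022 ssh2
Jan 14 02:11:09 jump sshd[4121]: pam_unix(sshd:session): session opened for user mtech(uid=1001) by (uid=0)
Jan 14 02:58:40 jump sshd[4121]: pam_unix(sshd:session): session closed for user mtech
Jan 14 03:02:15 jump sshd[4300]: Accepted publickey for vendor-svc from 198.51.100.20 port 40110 ssh2: RSA SHA256:deadbeef
Jan 14 03:02:15 jump sshd[4300]: pam_unix(sshd:session): session opened for user vendor-svc(uid=1002) by (uid=0)
Jan 14 03:20:01 jump sshd[4300]: pam_unix(sshd:session): session closed for user vendor-svc
Jan 14 03:30:00 jump sshd[4505]: Partial publickey for mtech from 203.0.113.7 port 51100 ssh2: ED25519 SHA256:c0ffee
Jan 14 03:30:06 jump sshd[4505]: Accepted keyboard-interactive/pam for mtech from 203.0.113.7 port 51100 ssh2
Jan 14 03:30:06 jump sshd[4505]: pam_unix(sshd:session): session opened for user mtech(uid=1001) by (uid=0)
"""


def audit_sample(now_str: str = "Jan 14 09:00:00") -> list[str]:
    """Run the audit over the constructed log as of an assumed review time."""
    return audit_sessions(parse_sessions(SAMPLE_LOG.splitlines()), _ts(now_str))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against a real jump host the same way: feed it `/var/log/auth.log` (or `journalctl -u ssh`) for the review period, and treat every "no session-closed event" finding as a session to investigate rather than a parsing quirk. The check keys on the sshd pid because user names repeat across sessions, and it records every accepted factor so that a session whose only `Accepted` line is `publickey` stands out as single-factor even when the policy intends two.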
Do we need MFA for every individual system access during a maintenance session, or just once at the beginning?
The control requires MFA to establish the nonlocal maintenance session via the external network connection. This typically means MFA is required at the initial connection point (VPN, jump host, PAM system, etc.). Once authenticated through MFA and connected to the internal environment, additional MFA for each individual system access is not required by this control, though it may be required by other controls (for example IA.L2-3.5.3 for privileged accounts) or by organizational policy. The critical requirement is that the external network connection used for maintenance is protected by MFA.
How do we handle emergency maintenance situations where MFA might delay critical repairs?
Emergency access is a common challenge, but this control does not provide an exception for emergencies. Organizations should implement emergency access procedures that still enforce MFA but streamline the process (such as pre-positioned hardware tokens, on-call MFA approval processes, or break-glass accounts with enhanced monitoring). Any emergency access that bypasses MFA must be documented as a control deficiency, subject to compensating controls, and included in a POA&M. The risk of delayed emergency response must be balanced against the risk of unauthorized access to CUI.
Are third-party vendors and managed service providers subject to this control when they remotely access our systems?
Yes, absolutely. Any nonlocal maintenance session via external network connection must use MFA regardless of whether it is performed by internal staff or external vendors. In fact, third-party access often presents higher risk and requires particular attention. Organizations must ensure vendor remote access tools and processes support MFA and session termination requirements, which should be addressed in vendor contracts and access agreements. This control works in conjunction with MA.L2-3.7.6 which specifically addresses maintenance personnel authorization and oversight.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.