CMMC MA.L2-3.7.5: Nonlocal Maintenance Control Requirements
Nonlocal maintenance sessions create significant security risks when vendors and contractors access your systems remotely. CMMC Level 2 control MA.L2-3.7.5 requires multi-factor authentication for all external maintenance connections and automatic session termination to minimize exposure. This control ensures your organization maintains visibility and control over who accesses critical systems from outside your network.
What this means
This control mandates that any maintenance activity conducted from external locations (remote vendor support, cloud provider maintenance, contractor access) must require multi-factor authentication (MFA) to establish the connection. Additionally, organizations must implement automatic termination mechanisms that close nonlocal maintenance sessions immediately when work is complete or when a defined session timeout is reached. This two-pronged approach prevents unauthorized access through dormant sessions and ensures only authenticated personnel can perform remote maintenance.
How to comply
- 1.Inventory all systems and applications that allow nonlocal maintenance access, including vendor remote support tools, RDP connections, and cloud provider management consoles.
- 2.Implement MFA for all nonlocal maintenance session initiation points, requiring at minimum possession factor (token, phone) plus knowledge factor (password).
- 3.Configure automatic session termination based on inactivity timeout (recommended 15-30 minutes) for all nonlocal maintenance connections.
- 4.Establish a formal process requiring maintenance sessions to be explicitly closed by the technician upon work completion, with system confirmation of termination.
- 5.Document all nonlocal maintenance access points, MFA implementations, and session termination policies in your security procedures.
- 6.Conduct quarterly audits of nonlocal maintenance sessions to verify MFA was used and sessions were properly terminated.
- 7.Train all personnel involved in nonlocal maintenance on MFA requirements and session closure procedures.
Evidence auditors look for
- Screenshots or logs showing MFA prompts required before nonlocal maintenance access is granted
- System configuration settings displaying automatic session timeout values and termination policies
- Nonlocal maintenance access inventory documenting each connection point and its MFA implementation status
- Session logs with timestamps showing termination of nonlocal maintenance connections
- Vendor management agreements requiring MFA and session termination compliance
- Documented procedures for managing nonlocal maintenance sessions and access revocation
- Audit reports confirming MFA usage and proper session termination across nonlocal maintenance activities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates MFA policy enforcement for nonlocal maintenance connections and tracks session termination logs automatically, eliminating manual verification work and providing audit-ready evidence for CMMC assessments.
See how GRCWatch handles this control automatically
Start free trial