CMMC Level 2

Control 3.7.5

Require MFA for Nonlocal Maintenance


Official Requirement

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

What This Means in Plain English

When technicians perform remote maintenance on your systems, they must authenticate with MFA. When the maintenance work is done, the remote session must be terminated immediately rather than left open.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • MFA required for all remote maintenance sessions via Microsoft Entra Conditional Access
  • FortiGate VPN requiring FortiToken MFA for all remote administrative connections
  • Remote maintenance sessions monitored in real-time by the Arctic Wolf SOC
  • Automatic session termination after 30 minutes of inactivity
  • ComplianceArmor logging all remote maintenance sessions with start/end times and technician identity

Assessment Guidance

Assessors will verify that MFA is required for all remote maintenance access, test that sessions terminate after the defined inactivity period, check that remote maintenance sessions are logged, and confirm that session disconnect is enforced after maintenance completion.

Common Implementation Gaps

  • Remote maintenance without MFA
  • Persistent remote sessions left open after maintenance
  • No session timeout for remote maintenance connections
  • Remote maintenance sessions not logged or monitored
  • Third-party vendor remote access without MFA or monitoring
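The assessment guidance and the gaps listed above amount to three checks on each remote maintenance session record: was MFA used, was the session terminated when the work ended, and was the inactivity timeout actually enforced. The following script is an added example (it is not Petronella's or ComplianceArmor's code) that runs those checks over constructed session records. The JSON field names, the technician and address values, and the fixed audit time are all assumptions made for the illustration; the 30-minute idle threshold is the one stated in the implementation list.

```python
"""Audit remote (nonlocal) maintenance session records for 3.7.5 gaps:
no MFA, session still open, or inactivity timeout not enforced.

Added example; the record format below is constructed for this
illustration and is not any vendor's real log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
from typing import Optional

# Inactivity threshold from the implementation description (30 minutes).
IDLE_LIMIT = timedelta(minutes=30)

# Constructed point in time at which the audit is run (assumption).
AUDIT_TIME = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"session_id": "s-1001", "technician": "alice@example.invalid", "source": "203.0.113.10", "mfa": true, "start": "2024-05-01T09:00:00Z", "last_activity": "2024-05-01T09:40:00Z", "end": "2024-05-01T09:41:00Z"}
{"session_id": "s-1002", "technician": "vendor-tech@example.invalid", "source": "198.51.100.7", "mfa": false, "start": "2024-05-01T10:00:00Z", "last_activity": "2024-05-01T10:15:00Z", "end": "2024-05-01T10:16:00Z"}
{"session_id": "s-1003", "technician": "bob@example.invalid", "source": "203.0.113.22", "mfa": true, "start": "2024-05-01T11:00:00Z", "last_activity": "2024-05-01T11:10:00Z", "end": null}
{"session_id": "s-1004", "technician": "carol@example.invalid", "source": "203.0.113.31", "mfa": true, "start": "2024-05-01T12:00:00Z", "last_activity": "2024-05-01T12:05:00Z", "end": "2024-05-01T13:00:00Z"}
"""


@dataclass
class Session:
    session_id: str
    technician: str
    source: str
    mfa: bool
    start: datetime
    last_activity: datetime
    end: Optional[datetime]  # None means the session has not been terminated


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_sessions(text: str) -> list:
    """Turn newline-delimited JSON records into Session objects."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        sessions.append(Session(
            session_id=rec["session_id"],
            technician=rec["technician"],
            source=rec["source"],
            mfa=bool(rec["mfa"]),
            start=_ts(rec["start"]),
            last_activity=_ts(rec["last_activity"]),
            end=_ts(rec.get("end")),
        ))
    return sessions


def audit_session(s: Session, now: datetime, idle_limit: timedelta = IDLE_LIMIT) -> list:
    """Return the list of 3.7.5 findings for one session (empty means compliant)."""
    findings = []
    if not s.mfa:
        findings.append("NO_MFA")
    if s.end is None:
        # Never terminated: measure idle time up to the audit moment.
        findings.append("STILL_OPEN")
        idle = now - s.last_activity
    else:
        # Terminated: idle time is the gap between last activity and disconnect.
        idle = s.end - s.last_activity
    if idle > idle_limit:
        findings.append("IDLE_TIMEOUT_NOT_ENFORCED")
    return findings


def audit_log(text: str, now: datetime, idle_limit: timedelta = IDLE_LIMIT) -> dict:
    """Map each session_id to its findings."""
    return {s.session_id: audit_session(s, now, idle_limit) for s in parse_sessions(text)}


if __name__ == "__main__":
    for sid, findings in audit_log(SAMPLE_LOG, AUDIT_TIME).items():
        print(sid, "OK" if not findings else ", ".join(findings))
```

The idle check deliberately uses the gap between last recorded activity and disconnect, not the session's total length, because a long session with steady activity is legitimate while a short one that sat idle past the threshold shows the timeout was not enforced. The vendor session without MFA (s-1002) is the third-party access gap from the list above.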

Cross-Framework Mapping

Framework         Mapped Controls
NIST SP 800-53    MA-4
PCI DSS           Req 8.3 - Secure all non-console administrative access with MFA

Need Help Implementing 3.7.5?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
