MA.L2-3.7.5 — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
What this control requires
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Source: CMMC L2 v2.13 MA.L2-3.7.5 / NIST SP 800-171 R2 3.7.5 (official control text).
Why this matters
Remote maintenance creates a privileged attack vector. When administrators, vendors, or IT support connect from outside the network to manage systems, they bypass physical security controls and often have elevated access. Without multifactor authentication, a stolen password becomes a direct route to system control. Under this requirement, anyone opening an external maintenance session, whether through VPN, remote desktop, SSH, or a vendor portal, must prove their identity with something they know AND something they have. Terminating sessions promptly prevents abandoned connections from becoming unmonitored backdoors. This control protects against credential theft, vendor account compromise, and nation-state lateral movement that often exploits weak remote access.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
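As an added example (not part of the original page and not FORCE's own tooling), the script below audits a CSV export of remote maintenance sessions against both halves of the control: two distinct factor types for external sessions, and termination once maintenance is complete. The column names, factor labels, 15-minute grace period, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the columns are assumptions, not any product's schema.
SAMPLE_CSV = """session_id,user,source,protocol,auth_factors,start,end,maintenance_closed
S1,vendor-a,external,ssh,password+totp,2024-05-01T10:00:00,2024-05-01T10:40:00,2024-05-01T10:45:00
S2,admin-b,external,rdp,password,2024-05-01T11:00:00,2024-05-01T11:20:00,2024-05-01T11:30:00
S3,vendor-c,external,vpn,password+hardware_token,2024-05-02T09:00:00,,2024-05-02T09:30:00
S4,admin-d,internal,ssh,password,2024-05-02T12:00:00,2024-05-02T12:10:00,2024-05-02T12:15:00
S5,vendor-e,external,vpn,password+totp,2024-05-03T08:00:00,2024-05-03T12:00:00,2024-05-03T09:00:00
S6,admin-f,external,rdp,password+pin,2024-05-03T14:00:00,2024-05-03T14:30:00,2024-05-03T14:35:00
"""

# Map each factor label to its type; two labels of the same type are not MFA.
FACTOR_CLASS = {"password": "know", "pin": "know", "totp": "have",
                "hardware_token": "have", "smartcard": "have", "biometric": "are"}
GRACE = timedelta(minutes=15)  # assumed allowance after the maintenance ticket closes

def audit(csv_text):
    """Return (session_id, finding) pairs for external maintenance sessions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["source"] != "external":
            continue  # the control covers sessions over external network connections
        labels = [f.strip() for f in row["auth_factors"].split("+")]
        classes = {FACTOR_CLASS.get(label) for label in labels} - {None}
        if len(classes) < 2:  # unknown labels are ignored, so they never count as a factor
            findings.append((row["session_id"], "no_mfa"))
        closed = datetime.fromisoformat(row["maintenance_closed"])
        if not row["end"]:
            findings.append((row["session_id"], "not_terminated"))
        elif datetime.fromisoformat(row["end"]) > closed + GRACE:
            findings.append((row["session_id"], "terminated_late"))
    return findings

if __name__ == "__main__":
    for session_id, finding in audit(SAMPLE_CSV):
        print(session_id, finding)
```

S6 is flagged even though two credentials were presented, because a password and a PIN are both "something you know".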