CMMC MA.2.113 - Require Multifactor Authentication for Maintenance Sessions

Requirement text: MA.2.113: Require multifactor authentication to establish nonlocal maintenance
sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals
communicating through an external network. The authentication techniques employed in
the establishment of these nonlocal maintenance and diagnostic sessions reflect the network
access requirements in IA.3.083.

CMMC CLARIFICATION
Nonlocal maintenance activities must use multifactor authentication. Multifactor
authentication requires at least two things to prove that the user is who they claim to be. One thing can
be something you have, such as a device that generates a one-time passcode. Another thing
can be something you know, for example, a password or passphrase. Or, another thing can
be something specific to you, such as a fingerprint. Requiring two or more things to prove
your identity increases the security of the connection. Nonlocal maintenance activities are
activities conducted from external network connections. After nonlocal maintenance
activities are complete, shut down the external network connection.

Example
You are in charge of conducting maintenance for your organization. You are an employee
working remotely. You establish a remote connection to the company’s network using the
company’s VPN solution. When you log on to the remote connection, you must provide a
password and a one-time passcode generated by a token device. You need both of these things
to prove your identity. After you enter your password and passcode, you have access to the
maintenance remote connection. When you finish your activities, you shut down the remote
connection.

References
• NIST SP 800-171 Rev 1 3.7.5
• NIST CSF v1.1 PR.MA-2
• CERT RMM v1.2 TM:SG4.SP1
• NIST SP 800-53 Rev 4 MA-4