NetStable
Level 2 MA.L2-3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions

📖 What This Means

This control means that any time someone needs to perform maintenance on your systems from a remote location (nonlocal), they must use multifactor authentication (MFA) to verify their identity. MFA requires two or more forms of verification, like a password and a code sent to a mobile device. This ensures that even if someone steals a password, they can't access your systems without the second factor. For example, if a vendor needs to update software on your server from their office, they must use MFA to log in. Similarly, if your IT team accesses systems remotely, they must also use MFA. This adds an extra layer of security to prevent unauthorized access.

🎯 Why It Matters

Nonlocal maintenance sessions are a common target for cyberattacks because they often provide direct access to critical systems. Without MFA, attackers can exploit stolen credentials to gain unauthorized access, potentially leading to data breaches, system disruptions, or malware installation. For instance, the 2021 Colonial Pipeline attack was facilitated by compromised credentials. The DoD emphasizes this control to protect Controlled Unclassified Information (CUI) and ensure that only authorized personnel can perform maintenance. The potential impact includes financial losses, reputational damage, and operational downtime, making MFA essential for securing remote access.

How to Implement

  1. Enable MFA for all administrative accounts in your cloud provider's IAM (Identity and Access Management) console.
  2. Configure conditional access policies to enforce MFA for remote maintenance sessions.
  3. Use Azure MFA or AWS IAM MFA for cloud-based systems.
  4. Ensure MFA is required for VPN or remote desktop access to cloud resources.
  5. Regularly audit MFA configurations to ensure compliance.
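As an added example for step 5 (not part of NetStable's guidance), the following Python checks an exported AWS IAM policy document for a working MFA enforcement statement. It assumes the policy was exported as JSON; the two sample policies are constructed, and the only AWS-specific item is the real global condition key aws:MultiFactorAuthPresent.

```python
import json

MFA_KEY = "aws:MultiFactorAuthPresent"  # real AWS global condition key


def mfa_enforcement_findings(policy: dict) -> list[str]:
    """Return problems found; an empty list means every request made without
    MFA is denied, including requests signed with long-term access keys."""
    findings, enforcing = [], False
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Deny":
            continue
        for op in ("Bool", "BoolIfExists"):
            val = st.get("Condition", {}).get(op, {}).get(MFA_KEY)
            if val is None:
                continue
            if str(val).lower() != "false":
                findings.append(f"Deny tests {MFA_KEY} == {val!r}; must be 'false'")
            elif op == "Bool":
                # 'Bool' never matches when the key is absent, and it is absent for
                # requests signed with long-term access keys, so that Deny is bypassed.
                findings.append("Deny uses 'Bool'; use 'BoolIfExists' so requests "
                                "lacking the MFA key are denied as well")
            elif st.get("Resource") != "*":
                findings.append("MFA Deny must apply to Resource '*'")
            else:
                enforcing = True
    if not enforcing:
        findings.append(f"no Deny statement conditioned on {MFA_KEY} being false")
    return findings


# Constructed sample policies for demonstration (not from any real account).
WEAK_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": "*", "Resource": "*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}''')

HARDENED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyAllWithoutMFA", "Effect": "Deny", "Resource": "*",
   "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice",
                 "iam:CreateVirtualMFADevice", "iam:ResyncMFADevice", "sts:GetSessionToken"],
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}''')

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {mfa_enforcement_findings(pol) or 'OK'}")
```

The NotAction list leaves only the self-service MFA enrollment calls open, so a user who has not yet registered a device can still do so and then re-authenticate.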

⏱️ Estimated Effort

Implementation typically takes 1-3 days, depending on system complexity. Requires intermediate IT skills.

📋 Evidence Examples

MFA Policy Document

Format: PDF
Frequency: Annually or when updated.
Contents: Policy requiring MFA for nonlocal maintenance sessions, approved by management.
Collection: Export from document management system.

MFA Configuration Screenshot

Format: PNG
Frequency: After initial setup and changes.
Contents: Screenshot showing MFA enabled for remote access protocols.
Collection: Capture from system settings.

MFA Logs

Format: CSV
Frequency: Monthly.
Contents: Logs showing MFA usage during nonlocal maintenance sessions.
Collection: Export from MFA solution.

Testing Results

Format: Word Document
Frequency: Quarterly.
Contents: Documentation of MFA testing for remote access.
Collection: Record test results manually.

Training Records

Format: Excel
Frequency: After training sessions.
Contents: List of staff trained on MFA procedures.
Collection: Export from LMS (Learning Management System).

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MA.L2-3.7.5 ("Require multifactor authentication to establish nonlocal maintenance sessions"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MA.L2-3.7.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to require multifactor authentication to establish nonlocal maintenance sessions. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MA.L2-3.7.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to require multifactor authentication to establish nonlocal maintenance sessions. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MA.L2-3.7.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify systems within the CUI boundary requiring maintenance
  • Document maintenance windows and change control process
  • Specify remote maintenance tools and access controls
  • Ensure this control covers all systems within your defined CUI boundary on which nonlocal maintenance sessions can be established
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Maintenance Policy
  • 📄 Change management records
  • 📄 Approved maintenance tool inventory
  • 📄 Remote maintenance session logs
  • 📄 Evidence artifacts specific to MA.L2-3.7.5
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review maintenance records for proper approval workflow, verify remote maintenance uses MFA and is logged, and check that non-company maintenance personnel are supervised.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Have you enabled MFA for all administrative accounts?

✅ YES → Proceed to Q2.
❌ NO → GAP: Enable MFA for administrative accounts immediately.
Remediation:
Use your MFA solution to configure this within 1 day.

Question 2: Is MFA enforced for nonlocal maintenance sessions?

✅ YES → Proceed to Q3.
❌ NO → GAP: Configure MFA for remote access protocols like RDP or SSH.
Remediation:
Complete within 2 days.

Question 3: Are MFA logs regularly reviewed?

✅ YES → Proceed to Q4.
❌ NO → GAP: Set up a process to review MFA logs monthly.
Remediation:
Implement log review process within 1 week.

Question 4: Have staff been trained on MFA procedures?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule MFA training for relevant staff.
Remediation:
Complete training within 2 weeks.

Question 5: Is there a documented MFA policy?

✅ YES → Compliance confirmed.
❌ NO → GAP: Draft and approve an MFA policy.
Remediation:
Complete within 1 week.

⚠️ Common Mistakes (What Auditors Flag)

1. Not enabling MFA for all remote access protocols.

Why this happens: Focusing only on primary login methods like VPN.
How to avoid: Ensure MFA is configured for all protocols (SSH, RDP, etc.).

2. Failing to review MFA logs.

Why this happens: Assuming MFA is working without verification.
How to avoid: Set up a monthly log review process.
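As an added illustration of the monthly review behind mistakes 1 and 2 (and Q3 above), this Python is not part of NetStable's guidance. It assumes an MFA/session export in the CSV shape shown (timestamp,user,source_ip,protocol,mfa_result, one row per established session) and a constructed list of networks from which maintenance counts as local; everything else is flagged as nonlocal and must carry an MFA success.

```python
import csv
import io
import ipaddress

# Constructed: networks from which maintenance counts as local (on-site console or
# bastion). Any other source is a nonlocal session in the sense of MA.L2-3.7.5.
LOCAL_MAINTENANCE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample export of established sessions (addresses are documentation ranges).
SAMPLE_MFA_LOG = """timestamp,user,source_ip,protocol,mfa_result
2024-05-01T02:14:09Z,vendor.svc,203.0.113.45,ssh,success
2024-05-01T03:02:51Z,jdoe,10.20.0.15,rdp,not_required
2024-05-01T09:41:30Z,vendor.svc,198.51.100.9,rdp,none
2024-05-02T11:06:40Z,admin2,203.0.113.77,vpn,success
2024-05-03T16:22:05Z,contractor,192.0.2.10,ssh,not_required
"""


def is_nonlocal(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in LOCAL_MAINTENANCE_NETS)


def review_mfa_log(csv_text: str) -> dict:
    """Return {'violations': [...], 'coverage': {protocol: (mfa_ok, nonlocal_total)}}.
    A violation is a nonlocal session whose mfa_result is anything but 'success';
    coverage per protocol exposes the 'VPN only' gap from mistake 1."""
    violations, coverage = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_nonlocal(row["source_ip"]):
            continue  # local maintenance is outside the scope of this control
        proto = row["protocol"].lower()
        ok, total = coverage.get(proto, (0, 0))
        passed = row["mfa_result"].lower() == "success"
        coverage[proto] = (ok + passed, total + 1)
        if not passed:
            violations.append(dict(row))
    return {"violations": violations, "coverage": coverage}


if __name__ == "__main__":
    report = review_mfa_log(SAMPLE_MFA_LOG)
    for proto, (ok, total) in sorted(report["coverage"].items()):
        print(f"{proto}: {ok}/{total} nonlocal sessions used MFA")
    for v in report["violations"]:
        print("VIOLATION", v["timestamp"], v["user"], v["source_ip"], v["protocol"], v["mfa_result"])
```

Each violation row is the evidence an assessor would ask about, so keep the reviewed export and the findings together as the monthly artifact.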

3. Not training staff on MFA usage.

Why this happens: Assuming IT staff already know how to use MFA.
How to avoid: Provide training for all relevant personnel.

4. Missing MFA policy documentation.

Why this happens: Focusing on technical implementation over documentation.
How to avoid: Draft and approve an MFA policy.

5. Not enforcing MFA for vendor access.

Why this happens: Assuming vendors have their own security measures.
How to avoid: Require MFA for all vendor maintenance sessions.

📚 Parent Policy

This practice is governed by the Maintenance Policy.


📚 Related Controls