MA.L2-3.7.5 · NIST SP 800-171 3.7.5

Nonlocal Maintenance

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

5 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

MA.L2-3.7.5 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. multifactor authentication is used to establish nonlocal maintenance sessions via external network connections
  • b. nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.5, an assessor uses these:

Examine

System maintenance policy; procedures addressing nonlocal system maintenance; system security plan; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records

Interview

Personnel with system maintenance responsibilities; personnel with information security responsibilities; system or network administrators

Test

Organizational processes for managing nonlocal maintenance; mechanisms implementing, supporting, and managing nonlocal maintenance; mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating nonlocal maintenance sessions and network connections

What it means, in context

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA.L2-3.5.3.

Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two factors, such as:
  • something you know (e.g., password, personal identification number [PIN]);
  • something you have (e.g., cryptographic identification device, token); or
  • something you are (e.g., biometric fingerprint or facial scan).

Requiring two or more factors to prove your identity increases the security of the connection. Nonlocal maintenance activities are activities conducted from external network connections such as over the internet. After nonlocal maintenance activities are complete, shut down the external network connection.

This requirement, MA.L2-3.7.5, specifies the addition of multifactor authentication for remote maintenance sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and IA.L2-3.5.3):
  • AC.L2-3.1.12 requires the control of remote access sessions.
  • AC.L2-3.1.14 limits remote access to specific access control points.
  • AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
  • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
  • Finally, IA.L2-3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Example

You are responsible for maintaining your company's firewall. In order to conduct maintenance while working remotely, you connect to the firewall's management interface and log in using administrator credentials. The firewall then sends a verification request to the multifactor authentication app on your smartphone [a]. You need both of these things to prove your identity [a]. After you respond to the multifactor challenge, you have access to the maintenance interface. When you finish your activities, you shut down the remote connection by logging out and quitting your web browser [b].

Potential Assessment Considerations
  • Is multifactor authentication required prior to maintenance of a system when connecting remotely from outside the system boundary [a]?
  • Are personnel required to manually terminate remote maintenance sessions established via external network connections when maintenance is complete, or are connections terminated automatically through system session management mechanisms [b]?
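The two assessment considerations above are answerable from a maintenance host's own configuration and logs. The script below is an added example, not code from the page or from any tool it names: it reads the global section of an OpenSSH sshd_config and checks that every authentication path chains two factors ([a]) and that a connection whose client stops answering is dropped ([b], connection side), then reconciles an auth log so every remote session that was opened can be shown to have been closed ([b], evidence side). The directive names are real OpenSSH keywords; the config fragments, the hostname fw1, the addresses and the log lines are constructed for the example. It assumes keyboard-interactive authentication is backed by a PAM token or TOTP module (which this script cannot verify) and uses a 15-minute reaping ceiling that is an assumption, not a number from NIST SP 800-171.

```python
import re

# Constructed sshd_config fragments (directive names are real OpenSSH keywords).
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
# AuthenticationMethods left at its default ("any"): one method is enough
ClientAliveInterval 0
"""
HARDENED_SSHD_CONFIG = """\
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# every path needs the key AND the PAM token prompt (TOTP module assumed)
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 60
ClientAliveCountMax 5
"""
# Constructed auth.log excerpt in OpenSSH/pam_unix style. sshd[2210] is the
# page's own scenario (key, then token prompt, then logout); sshd[2388] is a
# password-only login that is never closed.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 fw1 sshd[2210]: Partial publickey for admin from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:c0ffee
Mar  3 09:14:07 fw1 sshd[2210]: Accepted keyboard-interactive/pam for admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:14:07 fw1 sshd[2210]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar  3 09:41:50 fw1 sshd[2210]: pam_unix(sshd:session): session closed for user admin
Mar  3 11:02:13 fw1 sshd[2388]: Accepted password for admin from 203.0.113.9 port 40020 ssh2
Mar  3 11:02:13 fw1 sshd[2388]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""

# Factor each sshd method supplies. keyboard-interactive only counts as a
# token when PAM is wired to a token/TOTP module: an assumption to verify on host.
FACTOR = {"publickey": "have", "password": "know", "keyboard-interactive": "token"}


def parse_sshd_config(text):
    """Global section only: keywords are case-insensitive and the FIRST
    occurrence wins. Stops at the first Match block, which must be reviewed by hand."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def mfa_required(conf):
    """Objective [a]: every alternative in AuthenticationMethods must chain two
    distinct factors, so no single-factor login path remains."""
    methods = conf.get("authenticationmethods", "any")
    if methods in ("", "any"):
        return False
    for alternative in methods.split():            # space = OR, comma = AND
        factors = {FACTOR.get(m.split(":")[0]) for m in alternative.split(",")}
        if len(factors - {None}) < 2:
            return False
    if "keyboard-interactive" in methods and conf.get("usepam", "no").lower() != "yes":
        return False                                # the PAM prompt can never fire
    return True


def dead_sessions_reaped(conf, max_seconds=900):
    """Objective [b], connection side: a client that stops answering is dropped
    within max_seconds (assumed ceiling). This does NOT log out an idle admin whose
    client is still up; that needs a shell/tool idle timeout plus the log check below."""
    interval = int(conf.get("clientaliveinterval", "0"))
    count = int(conf.get("clientalivecountmax", "3"))
    return 0 < interval * count <= max_seconds


AUTH_RE = re.compile(r"sshd\[(\d+)\]: (?:Partial|Accepted) (\S+) for (\S+) from (\S+)")
SESSION_RE = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:session\): session (opened|closed) for user (\S+)")


def reconcile_sessions(log):
    """Objectives [a] and [b], evidence side: group lines by sshd pid, then flag
    sessions with fewer than two factors or opened but never closed."""
    sessions = {}
    blank = lambda user, src: {"user": user, "src": src, "methods": set(), "opened": False, "closed": False}
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            pid, method, user, src = m.groups()
            sessions.setdefault(pid, blank(user, src))["methods"].add(method.split("/")[0])
            continue
        m = SESSION_RE.search(line)
        if m:
            pid, state, user = m.groups()
            sessions.setdefault(pid, blank(user, "?"))[state] = True
    findings = []
    for pid, s in sessions.items():
        who = f"sshd[{pid}] {s['user']} from {s['src']}"
        if len({FACTOR.get(m) for m in s["methods"]} - {None}) < 2:
            findings.append(f"{who}: single-factor login via {','.join(sorted(s['methods']))} [a]")
        if s["opened"] and not s["closed"]:
            findings.append(f"{who}: session opened but never closed [b]")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        conf = parse_sshd_config(text)
        print(f"{name}: mfa_required={mfa_required(conf)} dead_sessions_reaped={dead_sessions_reaped(conf)}")
    for finding in reconcile_sessions(SAMPLE_AUTH_LOG):
        print("FINDING", finding)
```

Run against the constructed inputs, the weak config fails both checks, the hardened one passes both, and the log reconciliation reports two findings, both against sshd[2388]. The same pattern applies to any remote maintenance tool that logs authentication method and session open/close: the config screenshot proves the MFA setting, and the reconciled log proves termination behavior, which together are the evidence an assessor asks for.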

What passing evidence looks like

MFA enforced on nonlocal (remote) maintenance sessions, and proof that sessions end when the work ends: the remote tool's MFA setting and its session termination behavior (an automatic timeout, or logged logouts matching each logged login).

Common ways contractors fail MA.L2-3.7.5

  • This is the MSP question: their remote agent must authenticate with MFA and its sessions must terminate. Ask your MSP for a screenshot of their tool's MFA policy; it is their control, but your requirement.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove MA.L2-3.7.5, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

MA.L2-3.7.5 questions, answered

How many points is CMMC requirement MA.L2-3.7.5 worth?

MA.L2-3.7.5 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can MA.L2-3.7.5 be placed on a POA&M?

No. MA.L2-3.7.5 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does MA.L2-3.7.5 belong to?

MA.L2-3.7.5 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.7.5