MA.2.113

Content

Control Acronym

MA

Family

Maintenance

CMMC Level

2

800-171 Control #

3.7.5

CMMC Description

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

CMMC Clarification

Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two things to prove who the user says he is. One thing can be something you have, such as a device that generates a one-time passcode. Another thing can be something you know, for example, a password or passphrase. Or, another thing can be something specific to you, such as a fingerprint. Requiring two or more things to prove your identity increases the security of the connection.

Nonlocal maintenance activities are activities conducted from external network connections. After nonlocal maintenance activities are complete, shut down the external network connection.

Example: You are in charge of conducting maintenance for your organization. You are an employee working remotely. You establish a remote connection to the company’s network using the company’s VPN solution. When you log on to the remote connection, you must provide a one-time passcode and a token generated by a token device. You need both of these things to prove your identity. After you enter your password and passcode, you have access to the maintenance remote connection. When you finish your activities, you shut down the remote connection.

800-171 Description

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

800-171 Discussion

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MA-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.7.5

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.MA-2

CERT RMM Reference

CERT RMM v1.2 TM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

MA.2.113.[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and

Assessment Sub-Criteria 2

MA.2.113.[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
