3.7.5 — MFA for Remote Maintenance

The One-Liner

A remote maintenance session without MFA is an open door. Leaving it connected afterward is leaving the door open.

What It Says

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

What It Actually Means

Two requirements:

1. MFA required. Any remote maintenance session on CUI systems must use multifactor authentication — something you know (password) plus something you have (authenticator app, hardware token) or something you are (biometric). This applies to internal staff connecting remotely and to vendor remote support.

2. Sessions terminated when done. No persistent remote maintenance connections. When the work is complete, the session is disconnected. No “always-on” remote access tools left running. VPN sessions are closed, remote desktop sessions are terminated, vendor access is revoked.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is MFA used for remote maintenance sessions?	MFA configured on all remote access paths used for maintenance — VPN, RDP, vendor tools
2	Are sessions terminated when maintenance is complete?	Session logs showing start and end times; no persistent maintenance connections

---

What to Have Ready on Assessment Day

Documents they’ll review: Maintenance policy; procedures for remote maintenance; system configuration showing MFA on remote access; session logs; system security plan

People they’ll talk to: Maintenance personnel; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me MFA on your remote maintenance access.” “Show me a session log — does it show start and end times?” “How do you terminate vendor remote access when work is done?”

---

The Assessor’s Playbook

• “Is MFA required for remote maintenance? Show me the configuration.”
• “How do you ensure sessions are terminated when work is done?”
• “How do you handle vendor remote access — TeamViewer, AnyDesk, VPN?”
• “Are remote maintenance sessions logged with start and end times?”

Real-World Example

A defense contractor requires all remote maintenance through the corporate VPN with Entra ID MFA. Sysadmins connect via VPN, authenticate with password + Microsoft Authenticator, and access CUI systems through a jump host. When work is complete, the VPN session is disconnected manually and the session is logged. For vendor remote support, a temporary VPN account with MFA is created, active for a maximum of 8 hours, and automatically disabled at expiration. The vendor’s session is monitored by an IT staff member. No persistent remote access tools (TeamViewer, AnyDesk) are permitted on CUI systems.

---

Where Companies Trip Up

No MFA on remote tools. Vendor uses TeamViewer with just a password. All remote maintenance access must require MFA.

Persistent connections. VPN stays connected 24/7 or a remote access tool is always running. Terminate sessions when work is done.

Vendor controls access. The vendor decides when to connect — not you. You must control vendor remote access: time-limited credentials, MFA, and monitored sessions.

---

How to Talk About This

To a CEO or Board

All remote maintenance requires MFA and is disconnected when complete. Vendor access is time-limited, monitored, and we control when they connect.

To an Engineering Team

Remote maintenance via VPN + MFA only. Jump host for CUI system access. Session logging with start/end times. Vendor: temporary accounts, 8-hour max, MFA required, session monitored. No persistent remote access tools on CUI systems.

---

Connected Requirements

Requirement	Why it matters here
3.5.3 — MFA for All	MFA requirement applied specifically to remote maintenance
3.7.6 — Escort Uncleared Techs	Vendor personnel supervision applies to remote sessions too
3.1.12 — Monitor Remote Sessions	Remote maintenance sessions must be monitored and controlled

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: MA.L2-3.7.5 | SPRS Weight: 5 points | POA&M Eligible: No