Level 5 CMMC - CMMC Practices

MA.2.113  

Reference: CMMC 1.02

Family: MA

Level Introduced: 2

Practice:
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

CMMC Clarification:
Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two distinct kinds of evidence that the user is who they claim to be. One kind is something you have, such as a device that generates a one-time passcode. Another kind is something you know, for example a password or passphrase. A third kind is something specific to you, such as a fingerprint. Requiring two or more of these kinds of evidence to prove your identity increases the security of the connection. Nonlocal maintenance activities are activities conducted from external network connections. After nonlocal maintenance activities are complete, shut down the external network connection.

Example:
You are in charge of conducting maintenance for your organization. You are an employee working remotely. You establish a remote connection to the company’s network using the company’s VPN solution. When you log on to the remote connection, you must provide a password and a one-time passcode generated by a token device. You need both of these things to prove your identity. After you enter your password and passcode, you have access to the maintenance remote connection. When you finish your activities, you shut down the remote connection.
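The following is an added illustration of the practice described above, not code from CMMC or NIST. It models a hypothetical gate in front of a remote maintenance entry point: a session is created only when two different factor categories are proven (a password, "something you know", checked against a PBKDF2 hash, and an RFC 6238 TOTP code, "something you have"), every attempt is recorded, and the session is explicitly terminated when maintenance is done. The class and function names, the PBKDF2 iteration count, the one-window clock-drift allowance and the audit record tuple format are all assumptions made for this example; the TOTP secret used in the usage note is the RFC 6238 test-vector secret, not a real credential.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Factor categories named in the CMMC clarification (example constants).
KNOW = "something-you-know"   # password or passphrase
HAVE = "something-you-have"   # token device generating one-time passcodes
TIME_STEP = 30                # seconds per TOTP window (RFC 6238 default)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time passcode using HMAC-SHA1 and RFC 4226 truncation."""
    counter = struct.pack(">Q", at_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class MaintenanceSession:
    technician: str
    opened_at: int
    factors: tuple
    closed_at: Optional[int] = None

    def is_open(self) -> bool:
        return self.closed_at is None


class NonlocalMaintenanceGate:
    """Hypothetical gate for nonlocal maintenance sessions.

    A session exists only after two different factor categories are proven,
    each attempt and each termination is recorded (MA-4 d), and
    close_session() ends the session once maintenance is complete (MA-4 e).
    """

    def __init__(self) -> None:
        self._passwords: dict = {}       # technician -> (salt, PBKDF2 hash)
        self._totp_secrets: dict = {}    # technician -> shared token secret
        self.records: list = []          # audit trail: (time, technician, event, factors)

    def enroll(self, technician: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[technician] = (salt, digest)
        self._totp_secrets[technician] = totp_secret

    def _password_ok(self, technician: str, password: str) -> bool:
        if technician not in self._passwords:
            return False
        salt, stored = self._passwords[technician]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    def _totp_ok(self, technician: str, code: str, now: int) -> bool:
        secret = self._totp_secrets.get(technician)
        if secret is None:
            return False
        # Accept the current window plus one on either side to tolerate clock drift.
        return any(hmac.compare_digest(totp(secret, now + d * TIME_STEP), code)
                   for d in (-1, 0, 1))

    def open_session(self, technician: str, password: str, code: str,
                     now: Optional[int] = None) -> MaintenanceSession:
        now = int(time.time()) if now is None else now
        proven = set()
        # Both factors are always evaluated so a failure does not reveal which one was wrong.
        if self._password_ok(technician, password):
            proven.add(KNOW)
        if self._totp_ok(technician, code, now):
            proven.add(HAVE)
        if len(proven) < 2:
            self.records.append((now, technician, "denied", tuple(sorted(proven))))
            raise PermissionError("multifactor authentication required for nonlocal maintenance")
        session = MaintenanceSession(technician, now, tuple(sorted(proven)))
        self.records.append((now, technician, "opened", session.factors))
        return session

    def close_session(self, session: MaintenanceSession,
                      now: Optional[int] = None) -> None:
        """Terminate the session when nonlocal maintenance is complete."""
        now = int(time.time()) if now is None else now
        session.closed_at = now
        self.records.append((now, session.technician, "closed", session.factors))
```

A password alone or a passcode alone is refused and logged as "denied" with the single factor that was proven, which is the record an assessor would look for; only the combination yields a session, and `close_session()` produces the matching "closed" record that shows the connection was terminated.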

3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Discussion:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.

Source: NIST Special Publication 800-171 Rev. 2

MA-4

NONLOCAL MAINTENANCE

Description:
The organization:
    a. Approves and monitors nonlocal maintenance and diagnostic activities;
    b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
    c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
    d. Maintains records for nonlocal maintenance and diagnostic activities; and
    e. Terminates session and network connections when nonlocal maintenance is completed.

Supplemental Guidance:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02