NIST SP 800-171 Rev 2 requirement 3.7.5 requires organizations to use multifactor authentication to establish nonlocal maintenance sessions via external network connections, and to terminate those connections when the nonlocal maintenance is complete, so that remote maintenance personnel cannot reach a system with a single credential and cannot leave a session standing once the work is done. Nonlocal maintenance is maintenance or diagnostic activity performed by individuals communicating with the system over a network rather than being physically present at it, typically through a VPN, RDP, SSH, or a vendor's remote-support tool; 3.7.5 applies its MFA and termination conditions specifically to sessions that arrive over an external network connection. The practice has two assessment objectives: (a) multifactor authentication is used to establish nonlocal maintenance sessions via external network connections, and (b) those sessions are terminated when the nonlocal maintenance is complete. Both the authentication strength at session establishment and the session lifecycle must therefore be controlled and evidenced. The requirement sits in the Maintenance family, which treats remote maintenance access (vendor accounts, standing remote-support tooling) as a high-value path for an attacker if it is not tightly controlled.
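As an added example (not part of this cubelet or of NIST's text), the following Python script checks sshd log lines against both assessment objectives: it confirms that each external nonlocal maintenance session was established with more than one authentication method, and that the session was closed rather than left open or run past an assumed maintenance window. It assumes OpenSSH configured with `AuthenticationMethods publickey,keyboard-interactive` for the maintenance accounts (sshd then logs a `Partial <method>` line for each method satisfied before the final `Accepted <method>` line), ISO-8601 timestamps as produced by `journalctl -o short-iso`, and illustrative values for `MAINT_USERS`, `INTERNAL_NETS` and `MAX_SESSION`; the log lines are constructed.

```python
"""Audit sshd log lines against NIST SP 800-171 Rev 2 requirement 3.7.5:
[a] external nonlocal maintenance sessions used MFA, [b] those sessions were
terminated when maintenance was complete.

Added example, not from the page. Assumes OpenSSH with
'AuthenticationMethods publickey,keyboard-interactive' for maintenance accounts
(sshd logs 'Partial <method>' per satisfied method, then 'Accepted <method>'),
ISO-8601 timestamps (journalctl -o short-iso), and the illustrative values below.
"""
import ipaddress
import re
from datetime import datetime, timedelta

MAINT_USERS = {"vendor-svc", "hw-maint"}              # assumed maintenance accounts
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed; anything else is external
MAX_SESSION = timedelta(hours=4)                      # assumed approved maintenance window

LINE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<kind>Partial|Accepted) (?P<method>[\w/-]+) for (?P<user>\S+) "
                  r"from (?P<ip>\S+) port (?P<port>\d+)")
CLOSE = re.compile(r"^Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit(lines, now):
    """Return (objective, user, ip, detail) findings for external maintenance sessions."""
    pending = {}   # (user, ip, port) -> methods satisfied before the final 'Accepted'
    sessions = {}  # (user, ip, port) -> {"opened", "methods", "closed"}; last session per key
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = _ts(m["ts"]), m["msg"]
        a = AUTH.match(msg)
        if a:
            if a["user"] in MAINT_USERS:           # regular users are out of scope for 3.7.5
                key = (a["user"], a["ip"], a["port"])
                pending.setdefault(key, []).append(a["method"])
                if a["kind"] == "Accepted":        # session established; method list is final
                    sessions[key] = {"opened": ts, "methods": pending.pop(key), "closed": None}
            continue
        c = CLOSE.match(msg)                       # disconnect lines come from a different PID,
        if c and (c["user"], c["ip"], c["port"]) in sessions:   # so correlate on user/ip/port
            sessions[(c["user"], c["ip"], c["port"])]["closed"] = ts

    findings = []
    for (user, ip, _port), s in sessions.items():
        if not _is_external(ip):
            continue  # 3.7.5 scopes MFA and termination to external connections
        if len(set(s["methods"])) < 2:             # objective [a]: two methods at establishment
            findings.append(("3.7.5[a]", user, ip, "single method: " + ",".join(s["methods"])))
        if s["closed"] is None:                    # objective [b]: session never torn down
            findings.append(("3.7.5[b]", user, ip, f"session still open after {now - s['opened']}"))
        elif s["closed"] - s["opened"] > MAX_SESSION:
            findings.append(("3.7.5[b]", user, ip, "session exceeded maintenance window"))
    return findings


# Constructed sample log: one compliant session, one single-factor session, one
# session never closed, one internal session (out of scope), one overlong session.
SAMPLE_LOG = """\
2024-05-06T10:00:01+0000 bastion sshd[1201]: Partial publickey for vendor-svc from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:AAAA
2024-05-06T10:00:05+0000 bastion sshd[1201]: Accepted keyboard-interactive/pam for vendor-svc from 203.0.113.5 port 51234 ssh2
2024-05-06T10:00:05+0000 bastion sshd[1201]: pam_unix(sshd:session): session opened for user vendor-svc by (uid=0)
2024-05-06T10:45:00+0000 bastion sshd[1207]: Disconnected from user vendor-svc 203.0.113.5 port 51234
2024-05-06T11:00:00+0000 bastion sshd[1300]: Accepted publickey for hw-maint from 198.51.100.7 port 40001 ssh2: RSA SHA256:BBBB
2024-05-06T11:20:00+0000 bastion sshd[1306]: Disconnected from user hw-maint 198.51.100.7 port 40001
2024-05-06T11:30:00+0000 bastion sshd[1400]: Accepted publickey for alice from 203.0.113.5 port 51300 ssh2: ED25519 SHA256:CCCC
2024-05-06T11:40:00+0000 bastion sshd[1406]: Disconnected from user alice 203.0.113.5 port 51300
2024-05-06T12:00:00+0000 bastion sshd[1500]: Partial publickey for vendor-svc from 203.0.113.9 port 52000 ssh2: ED25519 SHA256:DDDD
2024-05-06T12:00:03+0000 bastion sshd[1500]: Accepted keyboard-interactive/pam for vendor-svc from 203.0.113.9 port 52000 ssh2
2024-05-06T13:00:00+0000 bastion sshd[1600]: Accepted publickey for hw-maint from 10.1.2.3 port 33333 ssh2: RSA SHA256:EEEE
2024-05-06T13:10:00+0000 bastion sshd[1606]: Disconnected from user hw-maint 10.1.2.3 port 33333
2024-05-06T14:00:00+0000 bastion sshd[1700]: Partial publickey for hw-maint from 198.51.100.8 port 40100 ssh2: RSA SHA256:FFFF
2024-05-06T14:00:04+0000 bastion sshd[1700]: Accepted keyboard-interactive/pam for hw-maint from 198.51.100.8 port 40100 ssh2
2024-05-06T19:30:00+0000 bastion sshd[1706]: Disconnected from user hw-maint 198.51.100.8 port 40100
"""


def run_sample():
    return audit(SAMPLE_LOG.splitlines(), _ts("2024-05-06T20:00:00+0000"))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The script can only show that two methods were presented at establishment; whether `keyboard-interactive/pam` is a genuine second factor (an OTP or push prompt rather than the account password again) has to be confirmed from the PAM configuration, which is why factor selection is delegated to the Identification and Authentication requirements. The internal session from 10.1.2.3 produces no finding because 3.7.5 scopes itself to external connections, though single-factor network access to a privileged account would still fail 3.5.3.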
Where it stops · what it isn't
- This practice does not govern local maintenance, that is, work performed by personnel physically present at the system or component and not communicating with it across a network connection.
- This practice does not define which authentication factors are acceptable; factor selection and credential management are governed by the Identification and Authentication domain, specifically ia-l2-3.5.3.
- This practice does not address how maintenance is scheduled or approved, or who is permitted to perform it; those controls fall under MA-3.7.1 (performing maintenance) and MA-3.7.2 (controls on the tools, techniques, mechanisms, and personnel used).
- This practice does not cover the sanitization of equipment removed for off-site maintenance, which is MA-3.7.3, or the checking of media containing diagnostic and test programs for malicious code before use, which is MA-3.7.4.
- This practice does not apply to ordinary remote access by regular users or administrators performing operational tasks; it is scoped to maintenance and diagnostic activities on organizational systems. General remote access sessions are governed by the Access Control requirement on monitoring and controlling remote access (3.1.12) and by the general MFA requirement (3.5.3).
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/maintenance