NIST 800-171 • LEVEL 2 • MAINTENANCE
3.7.5 — Nonlocal Maintenance
Approve and monitor nonlocal maintenance and diagnostic activities. Implement multi-factor authentication and replay resistance in the establishment of nonlocal maintenance and diagnostic sessions. Terminate session and network connections when nonlocal maintenance is completed.
Assessment Objectives
- nonlocal maintenance and diagnostic activities are approved.
- nonlocal maintenance and diagnostic activities are monitored.
- session connections are terminated when nonlocal maintenance is completed.
- network connections are terminated when nonlocal maintenance is completed.
- multi-factor authentication is implemented in the establishment of nonlocal maintenance and diagnostic sessions.
- replay resistance is implemented in the establishment of nonlocal maintenance and diagnostic sessions.
Practitioner Notes
Nonlocal maintenance means remote maintenance — someone fixing your systems from outside your facility over a network connection. This is common with managed service providers and vendor support, and it needs strong controls.
Example 1: Require all remote maintenance sessions to authenticate through your VPN with MFA enabled (e.g., Cisco AnyConnect or Palo Alto GlobalProtect with Duo or Microsoft Authenticator as the second factor). When the maintenance session is over, terminate the VPN connection and verify the session ended in your VPN logs.
Example 2: Use a Privileged Access Management (PAM) tool like CyberArk or BeyondTrust that provides session recording, just-in-time access, and automatic credential rotation after each remote maintenance session. The session recording gives you an audit trail and the credential rotation prevents reuse.
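One way to put the verification step of Example 1 into practice, as an added example that is not part of this page or of any vendor's tooling: a short Python check that reconciles VPN session records against a list of approved maintenance windows and flags sessions that are unapproved, fall outside their window, lack MFA, or were still connected after the window closed. The log layout, account names, timestamps and addresses are all constructed for the example.

```python
from datetime import datetime

# Constructed approvals: account -> (window start, window end).
APPROVALS = {"vendor-svc01": (datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 12, 0))}

# Constructed VPN log lines; the key=value layout is an assumption, not a vendor format.
VPN_LOG = """\
2024-05-06T09:02:11 user=vendor-svc01 event=connect mfa=push src=203.0.113.5 session=1001
2024-05-06T11:48:03 user=vendor-svc01 event=disconnect session=1001
2024-05-06T13:15:00 user=vendor-svc01 event=connect mfa=none src=203.0.113.5 session=1002
2024-05-06T20:00:00 user=contractor9 event=connect mfa=push src=198.51.100.7 session=1003
"""

NOW = datetime(2024, 5, 6, 14, 0)  # constructed review time, keeps the run reproducible

def parse_events(text):
    # Each line becomes a dict of its key=value fields plus a parsed timestamp under 'ts'.
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def audit_sessions(text, approvals, now=NOW):
    """Return (session_id, finding) pairs for sessions that miss a 3.7.5 objective."""
    sessions = {}
    for e in parse_events(text):
        if e["event"] == "connect":
            sessions[e["session"]] = e
        elif e["event"] == "disconnect" and e["session"] in sessions:
            sessions[e["session"]]["ended"] = e["ts"]
    findings = []
    for sid, s in sessions.items():
        window = approvals.get(s["user"])
        if window is None:                  # objective: activities are approved
            findings.append((sid, "not approved"))
            continue
        start, end = window
        if not start <= s["ts"] <= end:     # connect time must fall inside the approval
            findings.append((sid, "outside approved window"))
        if s.get("mfa", "none") == "none":  # objective: MFA at session establishment
            findings.append((sid, "no MFA"))
        if "ended" not in s and now > end:  # objective: connection terminated when done
            findings.append((sid, "still connected after window"))
    return findings

for sid, finding in audit_sessions(VPN_LOG, APPROVALS):
    print(f"session {sid}: {finding}")
```

Against the constructed log, session 1001 is clean, session 1002 is flagged three times (outside the window, no MFA, never disconnected) and session 1003 is flagged as unapproved.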