NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Control Family: Maintenance
Control Type: Derived
SPRS Value: 5
SPRS Supplemental Guidance: N/A
CMMC Level(s): MA.L2-3.7.5
Top Ten Failed Requirement: No
Referenced in: DFARS 252.204-7012
Derived From: NIST SP 800-53r4 MA-4
NIST Supplemental Guidance: N/A
Discussion:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.
Upon assessment, assessors must determine if:
3.7.5[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections.
3.7.5[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
Assessors are instructed to:
Examine: [SELECT FROM: System maintenance policy; procedures addressing nonlocal system maintenance; system security plan; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms implementing, supporting, and managing nonlocal maintenance; mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating nonlocal maintenance sessions and network connections].
FURTHER DISCUSSION
Nonlocal maintenance activities must use multifactor authentication. Multifactor authentication requires at least two factors, such as:
something you know (e.g., password, personal identification number [PIN]);
something you have (e.g., cryptographic identification device, token); or
something you are (e.g., biometric fingerprint or facial scan).
Requiring two or more factors to prove your identity increases the security of the connection. Nonlocal maintenance activities are activities conducted from external network connections such as over the internet. After nonlocal maintenance activities are complete, shut down the external network connection.
This requirement, MA.L2-3.7.5, specifies the addition of multifactor authentication for remote maintenance sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, and IA.L2-3.5.3):
AC.L2-3.1.12 requires the control of remote access sessions.
AC.L2-3.1.14 limits remote access to specific access control points.
AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
Finally, IA.L2-3.5.3 requires multifactor authentication for network access to nonprivileged accounts.
Example
You are responsible for maintaining your company’s firewall. In order to conduct maintenance while working remotely, you connect to the firewall’s management interface and log in using administrator credentials. The firewall then sends a verification request to the multifactor authentication app on your smartphone [a]. You need both of these things to prove your identity [a]. After you respond to the multifactor challenge, you have access to the maintenance interface. When you finish your activities, you shut down the remote connection by logging out and quitting your web browser [b].
Potential Assessment Considerations
Is multifactor authentication required prior to maintenance of a system when connecting remotely from outside the system boundary [a]?
Are personnel required to manually terminate remote maintenance sessions established via external network connections when maintenance is complete, or are connections terminated automatically through system session management mechanisms [b]?
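The two assessment objectives, [a] and [b], can be checked mechanically against records of nonlocal maintenance sessions rather than only by interview. The following is an added example and is not part of NIST SP 800-171, the CMMC assessment guide, or any vendor tool; the record fields (`source`, `factors`, `work_done`, `end`, `end_reason`), the factor-name table, and the 15-minute grace window between completion of maintenance and termination are constructed assumptions. It treats two factors of the same type (a password plus a PIN) as failing [a], counts an automatic idle timeout toward [b] only if it fires within the grace window, and leaves sessions from inside the system boundary out of scope, since 3.7.5 covers nonlocal maintenance only.

```python
from datetime import datetime, timedelta

# Factor categories from the discussion: something you know, have, or are.
# The factor names themselves are assumed, not taken from any product.
FACTOR_TYPE = {
    "password": "know", "pin": "know",
    "totp": "have", "hardware_token": "have", "smartcard": "have", "push_app": "have",
    "fingerprint": "are", "face": "are",
}

# Constructed sample records for a hypothetical firewall management interface.
SAMPLE_SESSIONS = [
    {"id": "S1", "user": "fw-admin", "source": "external", "factors": ["password", "totp"],
     "start": "2024-03-01T09:00:00", "work_done": "2024-03-01T09:40:00",
     "end": "2024-03-01T09:41:00", "end_reason": "user_logout"},
    # Two factors, but both are "something you know": fails [a].
    {"id": "S2", "user": "fw-admin", "source": "external", "factors": ["password", "pin"],
     "start": "2024-03-01T10:00:00", "work_done": "2024-03-01T10:30:00",
     "end": "2024-03-01T10:31:00", "end_reason": "user_logout"},
    # Never terminated: fails [b].
    {"id": "S3", "user": "fw-admin", "source": "external", "factors": ["password", "hardware_token"],
     "start": "2024-03-01T11:00:00", "work_done": "2024-03-01T11:45:00",
     "end": None, "end_reason": None},
    # Local console session inside the boundary: out of scope for 3.7.5.
    {"id": "S4", "user": "fw-admin", "source": "internal", "factors": ["password"],
     "start": "2024-03-01T13:00:00", "work_done": "2024-03-01T13:20:00",
     "end": "2024-03-01T13:21:00", "end_reason": "user_logout"},
    # Idle timeout eventually closed it, but two hours after work ended: fails [b].
    {"id": "S5", "user": "fw-admin", "source": "external", "factors": ["password", "push_app"],
     "start": "2024-03-01T14:00:00", "work_done": "2024-03-01T14:30:00",
     "end": "2024-03-01T16:30:00", "end_reason": "idle_timeout"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for a missing value."""
    return datetime.fromisoformat(value) if value else None


def factor_types(factors):
    """Distinct factor categories used; unrecognised names do not count."""
    return {FACTOR_TYPE[f] for f in factors if f in FACTOR_TYPE}


def meets_a(session):
    """3.7.5[a]: the session was established with two or more distinct factor types."""
    return len(factor_types(session["factors"])) >= 2


def meets_b(session, grace=timedelta(minutes=15)):
    """3.7.5[b]: the connection ended within `grace` of maintenance completion."""
    end, done = _ts(session["end"]), _ts(session["work_done"])
    if end is None or done is None:
        return False
    return end - done <= grace


def audit(sessions, grace=timedelta(minutes=15)):
    """Evaluate each record; returns {id: {in_scope, a, b, findings}}."""
    results = {}
    for s in sessions:
        in_scope = s["source"] == "external"
        entry = {"in_scope": in_scope, "a": None, "b": None, "findings": []}
        if in_scope:
            entry["a"] = meets_a(s)
            entry["b"] = meets_b(s, grace)
            if not entry["a"]:
                entry["findings"].append(
                    "3.7.5[a]: fewer than two factor types used (%s)" % ", ".join(s["factors"]))
            if not entry["b"]:
                if s["end"] is None:
                    entry["findings"].append("3.7.5[b]: no termination recorded")
                else:
                    delay = _ts(s["end"]) - _ts(s["work_done"])
                    entry["findings"].append(
                        "3.7.5[b]: terminated %s after completion (%s)" % (delay, s["end_reason"]))
        results[s["id"]] = entry
    return results


if __name__ == "__main__":
    for sid, r in audit(SAMPLE_SESSIONS).items():
        status = "out of scope" if not r["in_scope"] else ("pass" if not r["findings"] else "FAIL")
        print(sid, status, *r["findings"], sep="  ")
```

Assessors asking consideration [b] above can feed the `end_reason` field straight into the manual-versus-automatic question: a `user_logout` shows the manual practice, while an `idle_timeout` inside the grace window shows the system mechanism doing the work.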
Frameworks & Controls