NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Control Family: Maintenance
Control Type: Derived
SPRS Value: 5
SPRS Supplemental Guidance:
N/A
CMMC Level(s):
MA.L2-3.7.5
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
MA-4
NIST Supplemental Guidance:
N/A
Discussion:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3.
Upon assessment, assessors must determine if-
3.7.5[a] multifactor authentication is used to establish nonlocal maintenance sessions
via external network connections.
3.7.5[b] nonlocal maintenance sessions established via external network connections
are terminated when nonlocal maintenance is complete.
Assessors are instructed to-
Examine: [SELECT FROM: System maintenance policy; procedures addressing nonlocal system maintenance; system security plan; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms implementing, supporting, and managing nonlocal maintenance; mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating nonlocal maintenance sessions and network connections].