Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:
Key Requirements for Nonlocal Maintenance:
Termination of Nonlocal Maintenance Sessions:
To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.
Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."
Multifactor Authentication (MFA):
OSCs (Organizations Seeking Certification) are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).
While the OSC’s use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.
Policy and Procedure Adherence:
The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.
Incorrect Options:
B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.
C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.
D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.
Conclusion:
The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.