MA.L2-3.7.5: Nonlocal Maintenance

Require multi-factor authentication (MFA) for any remote access by vendors or support personnel for maintenance purposes.

Remote maintenance happens. A vendor needs to access your server. Your MSP handles a patch. Someone connects via remote desktop to troubleshoot. If that connection uses only a password, it’s a risk. MFA closes that gap. This is nonnegotiable at Level 2.

Family: Maintenance
Practice: MA.L2-3.7.5
Difficulty: Hard
Key evidence: MFA configuration, access logs, vendor agreements

What the assessor is actually evaluating

The assessor is checking three things: (1) Which systems or tools accept remote maintenance access? (2) Do all of them either enforce MFA themselves or sit behind an MFA-gated entry point? (3) Can you show that MFA was actually used on a recent maintenance session? Assessors will ask for access logs or audit trails proving MFA was enforced, not just a policy saying it should be.

This is straightforward technically. The challenge is identifying all the ways remote access happens and ensuring MFA is in place for each method. Nonlocal maintenance MFA requirements connect to access control policies (AC.L2-3.1.1 and AC.L2-3.1.2) and relate to overall system maintenance processes (MA.L2-3.7.1).

What a realistic SSP definition looks like

MA.L2-3.7.5 Nonlocal Maintenance

All nonlocal (remote) maintenance access requires multi-factor authentication. Maintenance methods include:

  • RDP to servers: MFA via [AD/Okta/other] enforced at login
  • SSH to network equipment: Key-based auth plus MFA via [system]
  • Vendor remote tools: Access via [jump server/VPN] with MFA
  • MSP access: VPN connection to [gateway] requiring MFA

Remote access logs are retained in [system] and reviewed [periodically]. Vendor and MSP agreements specify MFA is required for any remote work on [Company] systems.

How to present your evidence

Gather these items:
  • Configuration of remote access systems showing MFA enabled (RDP, SSH, VPN, vendor tools)
  • Access logs from a recent maintenance session showing MFA challenge and success
  • Vendor and MSP agreements or contracts stating MFA is required
  • Documentation of what counts as "nonlocal maintenance" in your environment
  • If using a jump server or VPN gateway, show MFA configuration there
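The second evidence item above (a log showing the MFA challenge and success before the session) is the one assessors push on. As an added example that is not part of this guide, the Python script below reads constructed key=value style remote-access log lines and lists every session that started without a successful MFA step; the log format, event names and the `vpn-gw` hostname are assumptions, so adapt the parser to your VPN, RDP gateway or jump server's real output.

```python
import re

# Constructed sample log lines in an assumed key=value format (not from any real
# product); real VPN, RDP-gateway or jump-server logs need a different parser.
SAMPLE_LOG = """\
2026-03-02T14:02:11Z vpn-gw user=vendor-acme event=auth_password result=success src=203.0.113.10
2026-03-02T14:02:15Z vpn-gw user=vendor-acme event=mfa_challenge result=success method=push
2026-03-02T14:02:16Z vpn-gw user=vendor-acme event=session_start
2026-03-02T15:40:03Z vpn-gw user=msp-ops event=auth_password result=success src=198.51.100.7
2026-03-02T15:40:04Z vpn-gw user=msp-ops event=session_start
2026-03-02T16:05:30Z vpn-gw user=vendor-acme event=auth_password result=success src=203.0.113.10
2026-03-02T16:05:33Z vpn-gw user=vendor-acme event=mfa_challenge result=failure method=push
2026-03-02T16:05:34Z vpn-gw user=vendor-acme event=session_start
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Split '<ts> <host> k=v k=v ...' into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    fields["ts"], fields["host"] = m["ts"], m["host"]
    return fields

def audit_sessions(log_text):
    """Return one dict per session_start: user, start time, source address, and
    whether a successful MFA challenge preceded it within that login attempt."""
    pending, sessions = {}, []   # pending: user -> state of the in-progress login
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, event = ev.get("user"), ev.get("event")
        if event == "auth_password" and ev.get("result") == "success":
            pending[user] = {"mfa_ok": False, "src": ev.get("src", "?")}
        elif event == "mfa_challenge" and user in pending:
            pending[user]["mfa_ok"] = ev.get("result") == "success"
        elif event == "session_start":
            # A session with no preceding password step is treated as no MFA as well.
            state = pending.pop(user, {"mfa_ok": False, "src": "?"})
            sessions.append({"user": user, "started": ev["ts"], "src": state["src"], "mfa_ok": state["mfa_ok"]})
    return sessions

def sessions_without_mfa(log_text):
    """The finding that fails the control: sessions that began without a successful MFA step."""
    return [s for s in audit_sessions(log_text) if not s["mfa_ok"]]
```

Run `sessions_without_mfa(SAMPLE_LOG)` against the sample: the first vendor session passes, while the MSP session (no MFA event at all) and the second vendor session (MFA failed, yet a session still started) are the two findings you would have to explain to an assessor.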

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "When a vendor connects remotely, what do they have to do?" A: "They connect to [VPN/jump server], authenticate with username and password, and then authenticate with MFA via [method]." [Pull up VPN or access configuration]

Q: "Can you show me a recent session?" A: "[Date], [vendor] connected. Here's the access log showing MFA was completed." [Pull up logs showing MFA timestamp]

Q: "What if someone doesn't have an MFA device?" A: "We provide [method]. They can't connect without it."

Q: "How do you handle emergency access?" A: "Even in emergencies, we require MFA. It slows us down for [seconds], but it's required."

Common failures

No MFA on RDP. Remote servers accept RDP with username and password only. No second factor. This fails the control. Enable Windows MFA (NPS, conditional access) or put a VPN gateway with MFA in front of RDP.

Vendor uses proprietary tool without MFA. You allow vendor remote access via their tool (TeamViewer, ConnectWise, etc.) with no MFA. Either gate the tool behind MFA (jump server) or require the vendor to use your MFA-enabled access method.

No documentation of remote access. You have MFA, but you can't show the configuration or prove it's in use. Document your setup and show access logs to assessors.

You're good here. You use a VPN gateway with MFA for all remote access. RDP requires MFA. SSH requires keys plus MFA. Vendors connect through the VPN. Access logs show MFA being used on recent sessions. Assessors verify the configuration, review the logs, then move on.

Implementation approaches

Approach 1: VPN gateway with MFA. All remote users (vendors, MSP, staff) connect to a VPN that requires MFA. Once inside, they access servers normally. This is the cleanest method.

Approach 2: MFA at the system. RDP servers require MFA via AD MFA or NPS. SSH requires key-based auth plus MFA. This requires configuration on each system, so the inventory of systems accepting remote access has to be complete.

Approach 3: Jump server. Remote users SSH or RDP to a jump/bastion server with MFA, then from there to internal systems.

Most small organizations use Approach 1 (VPN with Okta, Azure AD, or similar) or Approach 3 (jump server via AWS Systems Manager Session Manager or similar).

If you use an MSP/MSSP

MSPs often have their own remote access tools. Gate them behind your VPN with MFA. In the contract, require them to either use your VPN or provide access logs proving MFA was used on their end. Do not allow MSP remote access without MFA.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
