Remote maintenance happens. A vendor needs to access your server. Your MSP handles a patch. Someone connects via remote desktop to troubleshoot. If that connection uses only a password, it’s a risk. MFA closes that gap. This is nonnegotiable at Level 2.
What the assessor is actually evaluating
The assessor is checking: (1) Which systems or tools accept remote maintenance access? (2) Does every one of them enforce MFA, either natively or behind an MFA-gated gateway? (3) Can you show that MFA was actually used on a recent maintenance session? Assessors will ask for access logs or audit trails proving MFA was enforced, not just a policy saying it should be.
The technical part is straightforward. The hard part is enumerating every path remote access takes (RDP, SSH, VPN, vendor and MSP tools, jump servers) and confirming MFA sits on each one. Nonlocal maintenance MFA requirements (MA.L2-3.7.5) connect to access control policies (AC.L2-3.1.1 and AC.L2-3.1.2) and relate to overall system maintenance processes (MA.L2-3.7.1).
What a realistic SSP definition looks like
All nonlocal (remote) maintenance access requires multi-factor authentication. Maintenance methods include:
- RDP to servers: MFA via [AD/Okta/other] enforced at login
- SSH to network equipment: Key-based auth plus MFA via [system]
- Vendor remote tools: Access via [jump server/VPN] with MFA
- MSP access: VPN connection to [gateway] requiring MFA
Remote access logs are retained in [system] and reviewed [periodically]. Vendor and MSP agreements specify MFA is required for any remote work on [Company] systems.
How to present your evidence
- Configuration of remote access systems showing MFA enabled (RDP, SSH, VPN, vendor tools)
- Access logs from a recent maintenance session showing MFA challenge and success
- Vendor and MSP agreements or contracts stating MFA is required
- Documentation of what counts as "nonlocal maintenance" in your environment
- If using a jump server or VPN gateway, show MFA configuration there
Common failures
No MFA on RDP. Remote servers accept RDP with username and password only. No second factor. This fails the control. Enforce MFA on the RDP path, for example NPS with an MFA extension, conditional access on Entra-joined hosts, or a VPN gateway with MFA in front of RDP.
Vendor uses proprietary tool without MFA. You allow vendor remote access via their tool (TeamViewer, ConnectWise, etc.) with no MFA. Either gate the tool behind your MFA (a jump server or VPN the vendor must traverse first) or require the vendor to use your MFA-enabled access method instead of theirs.
No documentation of remote access. You have MFA, but you can't show the configuration or prove it's in use. Document your setup and show access logs to assessors.
You're good here. You use a VPN gateway with MFA for all remote access. RDP requires MFA. SSH keys plus MFA. Vendors connect through the VPN. Access logs show MFA being used on recent sessions. Assessors verify the configuration and review logs, then move on.
If you use an MSP/MSSP
MSPs often have their own remote access tools. Gate them behind your VPN with MFA. In the contract, require them to either use your VPN or provide access logs proving MFA was used on their end, and remember that logs you cannot pull yourself are weaker evidence in the assessment room than MFA enforced on your own gateway. Do not allow MSP remote access without MFA.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “Can you show me a recent session?" A: “[Date], [vendor] connected. Here’s the access log showing MFA was completed.” [Pull up logs showing MFA timestamp]
Q: “What if someone doesn’t have an MFA device?" A: “We provide [method]. They can’t connect without it.”
Q: “How do you handle emergency access?" A: “Even in emergencies, we require MFA. It slows us down for [seconds] but it’s required.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.