GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.7.5: Multifactor Authentication for Maintenance

Control 3.7.5 requires multifactor authentication for any nonlocal maintenance sessions established through external network connections. This control prevents unauthorized remote access to critical systems by enforcing strong identity verification and automatic session termination. For SMBs handling sensitive data, implementing MFA for maintenance access is essential to meet NIST 800-171 requirements.

What this means

When IT personnel or vendors need to access your systems remotely for maintenance, support, or troubleshooting, they must authenticate using at least two factors (something they know, have, or are). Once the maintenance work is complete, the external connection must be immediately terminated. This prevents threat actors from using leaked or stolen credentials to maintain persistent access to your infrastructure.

How to comply

  1. 1.Identify all nonlocal maintenance pathways, including remote desktop sessions, SSH connections, VPNs, and vendor support tools
  2. 2.Enforce MFA on all external maintenance accounts, requiring a second factor beyond passwords (TOTP, hardware keys, push notifications)
  3. 3.Document maintenance session policies, including approval workflows and duration limits
  4. 4.Configure automatic session timeout and connection termination when maintenance tasks are complete
  5. 5.Audit and log all MFA-authenticated maintenance sessions with user identity, timestamp, and actions performed
  6. 6.Train authorized maintenance personnel and vendors on MFA usage and session termination procedures

Evidence auditors look for

  • MFA configuration screenshots from VPN, SSH, or remote access platforms showing enforcement for maintenance accounts
  • Access logs demonstrating MFA authentication before maintenance sessions initiated
  • Session termination logs showing automatic or manual connection closure after maintenance completion
  • Policy documentation defining maintenance access procedures, MFA requirements, and session lifecycle
  • Vendor agreements or statements of work confirming MFA compliance for remote support activities
  • Azure AD, Okta, or similar IAM platform reports showing MFA enrollment and successful authentication events for maintenance roles

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically tracks MFA deployment across your maintenance accounts, logs all authenticated sessions, and alerts when external connections remain active longer than expected—eliminating manual monitoring of 3.7.5 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.1.1 - Logical and Physical Access Controls3.4.2 - Session Lock3.5.10 - Information System Monitoring3.8.3 - Session Termination