During a Level 2 Assessment, an OSC provides documentation that attests that they utilize multifactor authentication on nonlocal remote maintenance sessions. The OSC feels that they have met the controls for the Level 2 certification. What additional measures should the OSC perform to fully meet the maintenance requirement?
Correct Answer: A
Under CMMC 2.0 Level 2, which aligns with the requirements of NIST SP 800-171, maintaining robust control over nonlocal maintenance sessions is critical. While multifactor authentication (MFA) is a required safeguard for secure access, additional measures must be implemented to fully meet the maintenance requirements as outlined in Control 3.3.5:

Key Requirements for Nonlocal Maintenance:

* Termination of Nonlocal Maintenance Sessions:
  * To reduce the attack surface and prevent unauthorized access, nonlocal maintenance connections must be terminated immediately after the maintenance activity is completed. This is a direct requirement to mitigate risks associated with lingering remote sessions that could be exploited by threat actors.
  * Supporting Reference: NIST SP 800-171, Control 3.3.5 states: "Ensure that remote maintenance is conducted in a controlled manner and disable connections immediately after use."
* Multifactor Authentication (MFA):
  * OSCs are required to implement MFA for nonlocal remote maintenance sessions. MFA must include at least two factors (e.g., something you know, something you have, or something you are).
  * While the OSC's use of MFA satisfies part of the requirement, it does not complete the control unless proper termination procedures are in place.
* Policy and Procedure Adherence:
  * The OSC must also document a maintenance policy and ensure it reflects the need for terminating connections post-maintenance. The policy should outline roles, responsibilities, and steps for ensuring secure nonlocal maintenance practices.

Incorrect Options:

* B. Unlimited connections: Allowing unrestricted nonlocal maintenance sessions is a significant security risk and violates the principle of least privilege.
* C. Removing restrictions: Removing restrictions for convenience directly undermines compliance and security.
* D. Multifactor authentication details: While MFA is necessary, the question states the OSC already uses it. Termination of sessions is the missing requirement.

Conclusion: The requirement to terminate nonlocal maintenance sessions after maintenance is complete (Option A) is critical for compliance with CMMC 2.0 Level 2 and NIST SP 800-171, Control 3.3.5. This ensures that nonlocal maintenance activities are secured against unauthorized access and potential vulnerabilities.