CMMC requires that remote maintenance sessions be terminated after use or after a defined period of inactivity. This ensures third-party maintenance access does not remain open and uncontrolled, preventing unauthorized persistence.
Exact Extracts:
MA.L2-3.7.5: “Require multifactor authentication and terminate remote maintenance sessions after each session or after a defined period of inactivity.”
Assessment Guide clarifies: “Assessors should confirm remote maintenance sessions are automatically terminated using technical means.”
NIST SP 800-171A Objective: “Test maintenance session termination after a set time of inactivity or completion of task.”
Why other options are not correct:
A: Limiting maintenance to third parties only is not a requirement. Internal staff may also perform maintenance.
B: Identification and monitoring are important, but the specific control required here is termination of remote sessions.
C: Limiting the number of personnel is not mandated by CMMC.
References:
CMMC Assessment Guide – Level 2, Version 2.13: MA.L2-3.7.5 (pp. 147–149).
NIST SP 800-171A: Maintenance domain assessment procedures.