This post explains practical, testable steps to validate and audit multi-factor authentication (MFA) enforcement and session termination controls for external nonlocal maintenance (remote vendor or contractor maintenance) to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (MA.L2-3.7.5) requirements for protecting Controlled Unclassified Information (CUI).
Understanding MA.L2-3.7.5 and key objectives
The core objective of MA.L2-3.7.5 is to ensure that when external parties perform nonlocal maintenance, they authenticate with strong multi-factor methods and that remote sessions are explicitly terminated when maintenance tasks complete (or after an approved idle timeout). For compliance this means: (1) enforce MFA for vendor/third-party accounts used for remote access, (2) limit the time window and duration of those sessions, and (3) maintain auditable records proving the MFA event and session termination. Practical validation evidence includes configuration settings, authentication logs, access records showing MFA success, and session termination events.
Implementation steps you can apply today (Compliance Framework practical details)
Start with policy and architecture: require vendor access to go through approved bastion or jump-host infrastructure (VPN + PAM or brokered access) rather than direct access to production hosts. Implement privileged access management (PAM) or just-in-time (JIT) remote sessions so vendor accounts are ephemeral. Enforce MFA at the identity provider (IdP) or at the access gateway (e.g., Azure AD Conditional Access, Okta, or Duo in front of the VPN) and require the use of unique, vendor-scoped accounts tied to the contractual SOW and its time bounds. Configure session termination policies on the gateway, VPN, PAM, and target systems to end sessions either on explicit termination or after short inactivity (e.g., 15-60 minutes depending on risk). Document these configurations as implementation notes for auditors.
Technical configurations and concrete examples
Examples of specific technical controls small organizations can implement: (a) Azure AD: create a Conditional Access policy requiring MFA for sign-ins from the contractor group and restrict access to maintenance windows via Named Locations and session controls; (b) AWS: use AWS Systems Manager Session Manager with IAM policies allowing StartSession only when a temporary role is assumed after MFA, and validate StartSession/TerminateSession events in CloudTrail; (c) SSH: place hosts behind a bastion/jump box that requires SSH certificate issuance from a short-lived certificate authority (e.g., HashiCorp Vault) and integrates with Duo or YubiKey for a second factor; configure sshd with ClientAliveInterval=300 and ClientAliveCountMax=1 to force inactivity termination (note that these settings drop connections whose client stops answering keepalives; an idle user whose client is still responding is not disconnected by them, so pair them with a host-side idle timeout such as the shell's TMOUT); (d) Windows RDP: require RD Gateway with Network Level Authentication and enforce Azure MFA/Okta MFA at the gateway, and set the Group Policy "Set time limit for active but idle Remote Desktop Services sessions" to a defined value. Record the exact configuration files or policy IDs as evidence (e.g., CloudTrail StartSession records, Azure signInLogs, syslog lines in /var/log/auth.log, or the PAM audit trail).
How to audit and validate — step-by-step test plan
Audit steps to produce objective evidence: 1) Identify the vendor account(s) and the access path (VPN, bastion, remote support tool). 2) Perform a test maintenance session with a controlled contractor account: initiate remote access, and capture the authentication flow showing MFA (IdP sign-in logs, VPN logs, or MFA vendor logs). 3) While the session is active, verify portal/gateway logs show session start (timestamp, source IP, user, MFA method). 4) When the maintenance ends, terminate the session and collect logs showing explicit session termination (CloudTrail TerminateSession, VPN disconnect logs, SSH session closed entry, Windows Event 4634 for logoff). 5) Repeat and verify idle timeout triggers session termination by leaving an active session idle and observing the disconnection event and correlated alert. 6) Validate log integrity and retention: ensure logs are forwarded to a SIEM or immutable storage and retained for the period defined by your policy/contract. Capture screenshots or export CSV/JSON logs as artifacts for the compliance package.
Small business scenarios and low-cost practical options
Small businesses without enterprise PAM tools can still meet the requirements: use a cloud IdP (Azure AD free tiers or Google Workspace) with Conditional Access or simple SAML SSO plus an MFA provider (Duo, Authy, Google Authenticator) in front of remote support tools (TeamViewer/AnyDesk with SSO), and require one-time vendor accounts. Use a hardened, single-purpose jump VM in the cloud that logs all SSH/RDP sessions (and optionally records session keystrokes via open-source tools) and enforce MFA at the jump host. Require vendors to use screen-shared sessions only through the broker, never direct host credentials. For evidence, export sign-in reports from the IdP and VPN logs and attach vendor-signed statements with timestamps and session IDs for the maintenance window.
Compliance tips, best practices, and automation
Best practices include: implement least privilege and JIT access (create vendor roles with an expiration), incorporate contractual access windows in SOWs, maintain an approved vendor access register, and automate provisioning/deprovisioning. Automate validation using scripts: example checks include parsing /var/log/auth.log or journalctl for SSH session close entries, querying Azure SignInLogs via Microsoft Graph for Conditional Access enforcement, and using CloudTrail lookup-events for Session Manager Start/Terminate events. Build SIEM rules to alert on sessions without a corresponding MFA success record, or on vendor accounts that remain active outside approved windows. Keep a checklist of required evidence for each maintenance event (MFA assertion, session start, session termination, and vendor acceptance).
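As an added example (not code from the original post), here is a Python check that covers steps 2 to 5 of the test plan above and the log-parsing automation described here: it pairs sshd session open/close entries from a constructed auth.log excerpt, correlates each session with constructed MFA success records and an approved maintenance window, and reports sessions that lack an MFA event, were never terminated, or started outside the window. The log format, the MFA record shape, the account name and the window values are assumptions; in practice the MFA events come from your IdP or MFA provider export and the window from the vendor access register.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt from a jump host (sample data, not a real capture).
AUTH_LOG = """\
Jan 14 09:02:11 jump sshd[2140]: Accepted publickey for vendor-acme from 203.0.113.5 port 51422 ssh2
Jan 14 09:02:11 jump sshd[2140]: pam_unix(sshd:session): session opened for user vendor-acme(uid=1001) by (uid=0)
Jan 14 09:47:30 jump sshd[2140]: pam_unix(sshd:session): session closed for user vendor-acme
Jan 14 22:15:02 jump sshd[3310]: pam_unix(sshd:session): session opened for user vendor-acme(uid=1001) by (uid=0)
"""
# Constructed MFA success records, normalised from an IdP/MFA provider export (assumed shape).
MFA_EVENTS = [{"user": "vendor-acme", "result": "success", "time": "2024-01-14T09:01:50"}]
# Approved maintenance window per vendor account, from the SOW/access register (constructed).
APPROVED = {"vendor-acme": (datetime(2024, 1, 14, 9, 0), datetime(2024, 1, 14, 17, 0))}
LOG_YEAR = 2024                     # syslog timestamps carry no year
MFA_MAX_AGE = timedelta(minutes=5)  # MFA success must precede the session open by at most this

# Matches pam_unix session open/close lines; group 2 is the sshd PID used to pair open with close.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*session (opened|closed) for user ([\w.-]+)")

def parse_sessions(log_text):
    """Pair 'session opened'/'session closed' lines by sshd PID: {pid: {user, opened, closed}}."""
    sessions = {}
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{LOG_YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
        if m[3] == "opened":
            sessions[m[2]] = {"user": m[4], "opened": ts, "closed": None}
        elif m[2] in sessions:
            sessions[m[2]]["closed"] = ts
    return sessions

def audit(log_text, mfa_events, approved):
    """Return {pid: [findings]} for sessions lacking MFA, lacking termination, or outside the window."""
    findings = {}
    for pid, s in parse_sessions(log_text).items():
        issues = []
        # An MFA success counts only if it belongs to the same account and shortly precedes the open.
        mfa_ok = any(e["user"] == s["user"] and e["result"] == "success"
                     and timedelta(0) <= s["opened"] - datetime.fromisoformat(e["time"]) <= MFA_MAX_AGE
                     for e in mfa_events)
        if not mfa_ok:
            issues.append("no MFA success within window before session open")
        if s["closed"] is None:
            issues.append("no session termination recorded")
        start, end = approved.get(s["user"], (None, None))
        if start is None or not (start <= s["opened"] <= end):
            issues.append("session opened outside approved maintenance window")
        if issues:
            findings[pid] = issues
    return findings
```

Running audit(AUTH_LOG, MFA_EVENTS, APPROVED) clears the daytime session and flags the 22:15 session on all three checks; the same structure maps onto VPN disconnect logs or Windows logon/logoff events by swapping the parser.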
Risks of failing to implement MA.L2-3.7.5
Not enforcing MFA or failing to terminate remote maintenance sessions creates high-impact risks: a compromised vendor credential can provide persistent, privileged access allowing lateral movement, data theft, or insertion of malicious backdoors. Persistent idle sessions are an easy attack vector for threat actors to regain access after initial compromise. From a compliance and business perspective, failure may lead to CUI exposure, contract penalties, loss of DoD contracts, and reputational damage. Auditors will expect demonstrable, repeatable evidence that MFA was required and sessions were closed — lacking that increases finding severity and remediation burden.
Summary — the practical path forward is straightforward: mandate vendor access through a controlled gateway or PAM, enforce MFA at the gateway/IdP, configure and test session timeouts and explicit termination, and collect correlated logs proving MFA and termination events. Use small-business-friendly tools (cloud IdP + MFA + jump host) if you lack enterprise PAM, create a reproducible test plan to generate audit artifacts, and automate checks in your SIEM to alert on policy deviations. Following these steps will provide both real security improvements and auditable evidence to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MA.L2-3.7.5.