Remote/nonlocal maintenance requires MFA and is torn down when done.
What it actually means
When maintenance happens over an external network (for example, a vendor remoting in), the session must use MFA, and the connection must be terminated when the work is done, with no lingering remote-maintenance tunnels. This ties maintenance to your MFA and remote-access controls.
Pass or fail — an assessor needs a "yes" to each
- Nonlocal maintenance sessions require MFA.
- Sessions are terminated when maintenance completes.
- Remote-maintenance access is logged.
What to have ready
- MFA enforcement on maintenance access paths
- Session termination evidence/procedure
- Logs of remote maintenance
Where teams trip up
- Vendor remote access without MFA
- Persistent remote-maintenance tunnels left open
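
One way to check the pass/fail items above against session logs, as an added example that is not part of the original page. The record schema (`id`, `mfa`, `start`, `end`, `work_done`), the sample records and the 15-minute grace period are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (hypothetical schema, not from any real product):
# one JSON object per remote-maintenance session.
SAMPLE_LOG = """\
{"id": "s1", "account": "vendor-a", "mfa": true, "start": "2024-05-01T09:00:00", "end": "2024-05-01T10:05:00", "work_done": "2024-05-01T10:00:00"}
{"id": "s2", "account": "vendor-b", "mfa": false, "start": "2024-05-01T11:00:00", "end": "2024-05-01T11:30:00", "work_done": "2024-05-01T11:30:00"}
{"id": "s3", "account": "vendor-a", "mfa": true, "start": "2024-05-02T08:00:00", "end": null, "work_done": "2024-05-02T09:00:00"}
{"id": "s4", "account": "vendor-c", "mfa": true, "start": "2024-05-02T13:00:00", "end": "2024-05-02T18:00:00", "work_done": "2024-05-02T14:00:00"}
"""

GRACE = timedelta(minutes=15)  # assumed allowance between work completion and teardown


def audit_sessions(log_text, now, grace=GRACE):
    """Return {session_id: [findings]} for sessions that fail a check."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        issues = []
        # Check 1: MFA must be recorded as used; a missing field counts as a failure.
        if rec.get("mfa") is not True:
            issues.append("no_mfa")
        # Check 2: the session must end within the grace period after work completes.
        done, end = rec.get("work_done"), rec.get("end")
        if done is None:
            # No completion record: the session cannot be tied to a maintenance task.
            issues.append("no_completion_record")
        else:
            deadline = datetime.fromisoformat(done) + grace
            if end is None:
                if now > deadline:
                    issues.append("still_open")  # lingering tunnel
            elif datetime.fromisoformat(end) > deadline:
                issues.append("late_teardown")
        if issues:
            findings[rec["id"]] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in audit_sessions(SAMPLE_LOG, datetime(2024, 5, 3)).items():
        print(sid, ",".join(issues))
```

A session that never appears in the log cannot be audited at all, so the third item (remote-maintenance access is logged) is a precondition for this check rather than something it can prove.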