NIST 800-53 REV 5 • MAINTENANCE

MA-4(4) Authentication and Separation of Maintenance Sessions

Protect nonlocal maintenance sessions by:

(a) Employing {{ insert: param, ma-04.04_odp }}; and

(b) Separating the maintenance sessions from other network sessions with the system by either:

(1) Physically separated communications paths; or

(2) Logically separated communications paths.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Communications paths can be logically separated using encryption.

Practitioner Notes

Remote maintenance sessions need strong authentication and network separation. Maintenance traffic should not be mixed with regular user traffic, where it could be intercepted, misrouted, or reached from a compromised user segment.

Example 1: Set up a dedicated management VLAN for remote maintenance connections. Configure your firewall to only allow maintenance traffic from authorized IPs into this VLAN. Require multi-factor authentication (smart card or MFA app) for all maintenance sessions.

Example 2: Use Azure AD Conditional Access to require MFA and a compliant device for any remote session that accesses management interfaces. Separate maintenance sessions by using a dedicated jump server or Azure Bastion host that provides session isolation from the production network.
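The firewall part of Example 1 is easy to state and easy to drift from. The following audit script is an added example, not part of the NIST text or of any vendor's tooling: it takes a firewall rule set in a hypothetical, constructed format (first-match semantics, one dict per rule) and reports every rule that lets traffic into the management VLAN from a source outside the authorized maintenance hosts, every rule that admits a non-encrypted service (the supplemental guidance treats encryption as the logical separation), and the absence of a catch-all deny toward the VLAN. The VLAN CIDR, authorized sources, approved ports and sample rules are all assumptions chosen for the demonstration.

```python
"""Audit a firewall rule set for separation of a remote-maintenance VLAN (MA-4(4)).

Rule format is hypothetical and constructed for this example:
  {"action": "allow"|"deny", "src": CIDR, "dst": CIDR, "dport": int|None}
Rules are evaluated first-match, top to bottom, as on most firewalls.
"""
import ipaddress
from dataclasses import dataclass

# Assumed values for the demonstration (not from the control text).
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")          # dedicated maintenance VLAN
AUTHORIZED_SOURCES = [                                     # hosts allowed to start maintenance
    ipaddress.ip_network("203.0.113.10/32"),               # vendor jump host
    ipaddress.ip_network("10.50.0.0/28"),                  # internal admin subnet
]
ENCRYPTED_PORTS = {22, 443}                                # SSH and HTTPS only


@dataclass
class Finding:
    rule_index: int   # index into the rule list; -1 means "no rule at all"
    reason: str


def _within_authorized(src, authorized):
    """True when the rule's source range is fully inside an authorized range."""
    return any(src.subnet_of(a) for a in authorized)


def audit_rules(rules, mgmt_vlan=MGMT_VLAN, authorized=AUTHORIZED_SOURCES,
                encrypted_ports=ENCRYPTED_PORTS):
    """Return a list of Findings; an empty list means the VLAN is cleanly separated."""
    findings = []
    last_touching = None  # last rule whose destination reaches the VLAN
    for idx, rule in enumerate(rules):
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(mgmt_vlan):
            continue  # rule cannot deliver traffic into the maintenance VLAN
        last_touching = (idx, rule)
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        if not _within_authorized(src, authorized):
            findings.append(Finding(idx, f"allows {src} into maintenance VLAN; "
                                         "source is not an authorized maintenance host"))
        port = rule.get("dport")
        if port is None or port not in encrypted_ports:
            findings.append(Finding(idx, f"allows port {port} into maintenance VLAN; "
                                         "not an approved encrypted service"))

    # The last rule reaching the VLAN must be an any-source deny covering the whole VLAN,
    # otherwise unmatched traffic falls through to whatever the platform default is.
    if last_touching is None:
        findings.append(Finding(-1, "no rule addresses the maintenance VLAN; no explicit deny"))
    else:
        idx, rule = last_touching
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not (rule["action"] == "deny" and src.prefixlen == 0 and mgmt_vlan.subnet_of(dst)):
            findings.append(Finding(-1, "no catch-all deny toward the maintenance VLAN "
                                        f"(last matching rule is #{idx})"))
    return findings


# Constructed sample rule set: two compliant allows, two violations, one unrelated rule,
# and a final catch-all deny.
SAMPLE_RULES = [
    {"action": "allow", "src": "203.0.113.10/32", "dst": "10.99.0.0/24", "dport": 22},
    {"action": "allow", "src": "10.50.0.0/28",    "dst": "10.99.0.0/24", "dport": 443},
    {"action": "allow", "src": "10.20.0.0/16",    "dst": "10.99.0.0/24", "dport": 22},   # user LAN
    {"action": "allow", "src": "203.0.113.10/32", "dst": "10.99.0.0/24", "dport": 23},   # telnet
    {"action": "allow", "src": "10.20.0.0/16",    "dst": "10.30.0.0/24", "dport": 80},   # not mgmt
    {"action": "deny",  "src": "0.0.0.0/0",       "dst": "0.0.0.0/0",    "dport": None},
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"rule {f.rule_index}: {f.reason}")
```

Running the script against the sample set reports two findings: rule 2 admits the general user LAN into the VLAN, and rule 3 admits an unencrypted service. Removing the final deny adds a third finding, which is the case that most often goes unnoticed when rules are added one at a time.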