Nonlocal Maintenance: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Monarch ISC Guidance
There is no way to overstate the importance of employing multifactor authentication for all remote access connections. Easy-to-crack passwords are prevalent, and password cracking tools are sophisticated: they include aggregated password data from hundreds of breach events, so "password spraying" is usually successful at compromising user credentials. It is therefore critical to require another user challenge after the username and password are entered. That challenge can be an SMS text message, a code-generator app, a phone call requiring that a PIN code be entered, or a code-generating token.
The higher the risk of the authentication, the more control should be employed. Remote access connections present high inherent risk because remote resources are accessible from beyond the physical network you control.
NIST SP 800-171 R2
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA.L2-3.5.3.