Protect nonlocal maintenance sessions by:
(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the system by either:
(1) Physically separated communications paths; or
(2) Logically separated communications paths.
Communications paths can be logically separated using encryption.