Reference: CMMC 2.0
Family: AC
Level Introduced: 2
Title: Control Remote Access
Practice:
Monitor and control remote access sessions.
CMMC Clarification:
Remote access connections pass through untrusted networks and should therefore not be trusted without proper security controls in place. All remote access should implement approved encryption. This ensures the confidentiality of the data. Check connections to ensure that only authorized users and devices are connecting. Monitoring may include tracking who is accessing the network remotely and what files they are accessing during the remote session.
Example
You work from remote locations, such as your house or a client site, and need access to your company's network. The IT administrator issues you a company laptop with VPN software installed, which is required to connect to the network remotely. After you connect to the VPN, you must accept a privacy notice which states that the company's security department may monitor your connection. They do this through the use of a network-based Intrusion Detection System (IDS). They also review audit logs to see who is connecting remotely and when. Next, you see the message "Verifying compliance." This means the system is checking your device to ensure it meets the established requirements to connect. The administrator explains that after your machine connects to the network using the VPN, you can have confidence that your session is private because your company implements approved encryption.
Implementation Strategies
NIST 800-171 Requirements (1)
NIST 800-53 Controls (1)