AC.L2-3.1.12  

Reference: CMMC v2.13

Family: AC

Level Introduced: 2

Title: Control Remote Access

Practice:
Monitor and control remote access sessions.

Further Discussion:
Remote access connections pass through untrusted networks and therefore require proper security controls such as encryption to ensure data confidentiality. Initialization of all remote sessions should ensure that only authorized users and devices are connecting. After the remote session is established, the connection is monitored to track who is accessing the network remotely and what files are being accessed during the session.

Remote access sessions can encompass more than just remote connections back to a headquarters network. Access to cloud-based email providers or server infrastructures also are relevant to this requirement if those environments contain CUI.

This requirement, AC.L2-3.1.12, requires the control of remote access sessions and complements five other requirements dealing with remote access (AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
• AC.L2-3.1.14 limits remote access to specific access control points.
• AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
• AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
• IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
• Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

Example
You often need to work from remote locations, such as your home or client sites, and you are permitted to access your organization’s internal networks (including a network containing CUI) from those remote locations [a]. A system administrator issues you a company laptop with VPN software installed, which is required to connect to the networks remotely [b]. After the laptop connects to the VPN server, you must accept a privacy notice that states that the company’s security department may monitor the connection. This monitoring is achieved through the analysis of data from sensors on the network notifying IT if issues arise. The security department may also review audit logs to see who is connecting remotely, when, and what information they are accessing [d]. During session establishment, the message “Verifying Compliance” means software like a Device Health Check (DHC) application is checking the remote device to ensure it meets the established requirements to connect [c].

Potential Assessment Considerations
• Do policies identify when remote access is permitted and what methods must be used [a,b]?
• Are systems configured to permit only approved remote access sessions (e.g., disallow remote access sessions by default) [c]?
• Are automated or manual mechanisms employed for monitoring remote connections? If the monitoring is manual, does it occur at a frequency commensurate with the level of risk [d]?

Source: CMMC v2.13