AC.L2-3.1.14  

Reference: CMMC v2.13

Family: AC

Level Introduced: 2

Title: Remote Access Routing

Practice:
Route remote access via managed access control points.

Further Discussion:
The OSA can route all remote access through a limited number of remote access control points to reduce the attack surface and simplify network management. This allows for better monitoring and control of the remote connections.

This requirement, AC.L2-3.1.14, limits remote access to specific access control points and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
• AC.L2-3.1.12 requires the control of remote access sessions.
• AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
• AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
• IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
• Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

Example
You manage systems for a company that processes CUI at multiple locations, and several employees at different locations need to connect to the organization’s networks while working remotely. Because each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location [a]. All remote traffic is routed through a single location to simplify monitoring [b].

Potential Assessment Considerations
• How many managed access control points are implemented [a]?
• Is all remote access routed through the managed access control points [b]?

Source: CMMC v2.13