Reference: CMMC v2.13
Family: AC
Level Introduced: 2
Title: Remote Access Routing
Practice:
Route remote access via managed access control points.
Further Discussion:
The OSA can route all remote access through a limited number of remote access control points to reduce the attack surface and simplify network management. This allows for better monitoring and control of the remote connections.
This requirement, AC.L2-3.1.14, limits remote access to specific access control points and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
• AC.L2-3.1.12 requires the control of remote access sessions.
• AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
• AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
• IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
• Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.
Example
You manage systems for a company that processes CUI at multiple locations, and several employees at different locations need to connect to the organization’s networks while working remotely. Because each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location [a]. All remote traffic is routed through a single location to simplify monitoring [b].
Potential Assessment Considerations
• How many managed access control points are implemented [a]?
• Is all remote access routed through the managed access control points [b]?
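One way to check assessment objectives [a] and [b] against perimeter firewall records, as an added example that is not part of the CMMC guidance. The addresses, ports and flow records are constructed, and treating "external source to a remote access service port" as a remote access session is an assumption.

```python
import ipaddress

# Assumed inventory (constructed): the managed access control points, here the
# headquarters VPN gateway and bastion from the scenario in the Example.
MANAGED_POINTS = {"203.0.113.10", "203.0.113.11"}
# Assumed internal address space and assumed set of remote access services.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_ACCESS_PORTS = {22: "ssh", 1194: "openvpn", 3389: "rdp"}

# Constructed firewall accept records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 1194),   # remote user -> HQ VPN gateway
    ("198.51.100.9", "203.0.113.11", 22),     # remote admin -> HQ bastion
    ("198.51.100.23", "203.0.113.50", 3389),  # remote user -> branch host directly
    ("10.1.4.20", "10.2.0.5", 3389),          # internal RDP, not remote access
    ("198.51.100.40", "203.0.113.60", 80),    # public web site, not remote access
]


def is_internal(addr):
    """True when addr falls inside the organization's own address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(flows, managed=MANAGED_POINTS):
    """Return (number of managed points, remote access flows that bypass them)."""
    bypass = []
    for src, dst, port in flows:
        if is_internal(src) or port not in REMOTE_ACCESS_PORTS:
            continue  # not a remote access session under the assumptions above
        if dst not in managed:
            bypass.append((src, dst, REMOTE_ACCESS_PORTS[port]))
    return len(managed), bypass


if __name__ == "__main__":
    count, bypass = audit(SAMPLE_FLOWS)
    print(f"[a] managed access control points: {count}")
    print(f"[b] remote access sessions bypassing them: {len(bypass)}")
    for src, dst, svc in bypass:
        print(f"    {src} -> {dst} ({svc})")
```

An empty bypass list is evidence for [b] only over the period and devices the records cover.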