CMMC 2.13
CMMC · Rev 2.132FAMILY AC
AC.L2-3.1.14
Remote Access Routing
Requirement
Route remote access via managed access control points.
Further discussion
The OSA can route all remote access through a limited number of remote access control points to reduce the attack surface and simplify network management. This allows for better monitoring and control of the remote connections.
This requirement, AC.L2-3.1.14, limits remote access to specific access control points and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
• AC.L2-3.1.12 requires the control of remote access sessions.
• AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
• AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
• IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
• Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.
Example
You manage systems for a company that processes CUI at multiple locations, and several employees at different locations need to connect to the organization’s networks while working remotely. Because each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location [a]. All remote traffic is routed through a single location to simplify monitoring [b].
Potential Assessment Considerations
• How many managed access control points are implemented [a]?
• Is all remote access routed through the managed access control points [b]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/