Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY AC

AC.L2-3.1.14

Remote Access Routing

Requirement

Route remote access via managed access control points.

Further discussion

The OSA can route all remote access through a limited number of remote access control points to reduce the attack surface and simplify network management. This allows for better monitoring and control of the remote connections. This requirement, AC.L2-3.1.14, limits remote access to specific access control points and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5): • AC.L2-3.1.12 requires the control of remote access sessions. • AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions. • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session. • IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts. • Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions. Example You manage systems for a company that processes CUI at multiple locations, and several employees at different locations need to connect to the organization’s networks while working remotely. Because each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location [a]. All remote traffic is routed through a single location to simplify monitoring [b]. Potential Assessment Considerations • How many managed access control points are implemented [a]? • Is all remote access routed through the managed access control points [b]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/