AC.2.013

Control Acronym

AC

Family

Access Control

CMMC Level

2

800-171 Control #

3.1.12

CMMC Description

Monitor and control remote access sessions.

CMMC Clarification

Remote access connections pass through untrusted networks and should therefore not be trusted without proper security controls in place. All remote access should implement approved encryption. This ensures the confidentiality of the data. Check connections to ensure that only authorized users and devices are connecting. Monitoring may include tracking who is accessing the network remotely and what files they are accessing during the remote session. Example You work from remote locations, such as your house or a client site and need access to your company’s network. The IT administrator issues you a company laptop with a VPN software installed which is required to connect to the network remotely. After you connect to the VPN, you must accept a privacy notice which states that the company’s security department may monitor your connection. They do this through the use of a network-based Intrusion Detection System (IDS). They also review audit logs to see who is connecting remotely and when. Next you see the message “Verifying compliance.” This means the system is checking your device to ensure it meets the established requirements to connect. The administrator explains that after your machine connects to the network using the VPN, you can have confidence that your session is private because your company implements approved encryption.

800-171 Description

Monitor and control remote access sessions.

800-171 Discussion

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 12.11, 12.12

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-17(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.12

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-3, PR.PT-4

CERT RMM Reference

CERT RMM v1.2 TM:SG2.SP2

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.2.013.[a] remote access sessions are permitted;

Assessment Sub-Criteria 2

AC.2.013.[b] the types of permitted remote access are identified;

Assessment Sub-Criteria 3

AC.2.013.[c] remote access sessions are controlled; and

Assessment Sub-Criteria 4

AC.2.013.[d] remote access sessions are monitored.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15