Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.

CMMC Clarification

This practice adds context about the user and the specific access attempt before network access is granted. First, the organization must identify attributes that are important for managing the risk of remote network access. Then, the administrator restricts remote access based on the state of these attributes. The remote access control mechanism must be enhanced to check the attributes such as the subject’s location, the state of the network (e.g., running services, resources available, traffic statistics, network hosts in the local network and traffic patterns between nodes), host posture, time-of-day, expected behavior associated with the user's role, and normal behavior for the user based on previous use. All the attributes checked must be within tolerance for the user requesting remote access. The organization is not limited to these attributes or required to use these attributes. One possible approach could include: * a policy database or the organization determined access policy * an attribute database for subjects, the environment and resources * a policy enforcement engine leveraging a policy language like XACML to check the policy and attributes before access is granted. Example You are an employee who typically works from home using a corporately owned laptop. You request access from your laptop to a server containing network diagrams for a system you are designing, and access is granted. You also have a personal tablet which you only use for email via a corporate web site when travelling to a sponsor's location. Since you are traveling more and more frequently, you request access to the server using the tablet to support your engineering work. Since the device is personally owned, the host posture attribute is not satisfied. As a result your network access request from the tablet is denied.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC This practice adds additional granularity to remote access restrictions based upon organization-determined factors. The example factors in the practice are provided to help explain the meaning of ‘risk factors’ as anything that adds additional context to be considered in a determination of whether to grant remote access. The intent of this practice is to define additional context for allowed remote access and then to enforce via technical, versus just policy, means.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15