System And Communications Protection
Use encrypted sessions for the management of network devices.
When an organization connects to and manages network devices, it should use an encrypted session. The most common encrypted method is a Secure Shell (SSH). Example You are an IT administrator for your organization. You are in charge of updating devices on your network. You access these devices over the network instead of at the device’s physical location. When you establish a connection to these devices, you use an SSH connection. An SSH connection protects you. For example, an adversary has installed malware on a network device. If you use an unencrypted session (i.e., telnet into a device) the adversary can view your username and password. But, if you use an SSH connection, the adversary cannot see this information.
CMMC Management of network devices is a security critical process and needs to have confidentiality protection and authentication to protect against adversaries trying to gain information or change the network infrastructure. Confidentiality protection prevents an adversary from sniffing passwords or configuration information. Authenticity protection includes, for example, protecting against man-in-themiddle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services).
CIS Controls v7.1 11.5
SC.2.179.[a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; and
SC.2.179.[b] the tools used for establishing remote connections to network devices use encryption.