CMMC Practice AC.L2-3.1.12

Control Remote Access: Monitor and control remote access sessions.

Monarch ISC Guidance

There's a lot packed into this one simple sentence! Since you are going to be making a remote connection to the network, you must use a trusted device that has the organizational controls for patching, anti-malware, etc. You should deploy a VPN solution which verifies the security controls before allowing the connection, or check for out of date workstations on a regular basis. It is recommended that you only permit company owned assets from making VPN connections, and not personal devices where it is more difficult to maintain and verify the security controls. You may instead utilize a remote access session via a screen sharing application, such as Citrix, in which there is no direct access from the host computer. Don't forget to get management approval for remote access, too. This could be a blanket statement covering a departement, group of users, or may be added/denied per user. You must also monitor all VPN connections, so be sure your VPN logs all successful and failed login attempts. You may have the system alert you when failed logins are detected. You should also have an IDS/IPS (Intrusion detection/prevention system) in place to monitor for malicious attempts. Don't forget to deploy multi-factor authentication for all remote access methods. It's not explicit in this Practice, but is a "must have" and will come up later on.

Discussion From Source

NIST SP 800-171 R2 Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.

References