CMMC Practice AC.L2-3.1.12

Monitor and control remote access sessions.

Monarch ISC Guidance

There's a lot packed into this one simple sentence! Since you are going to be making a remote connection to the network, you must use a trusted device that has the organizational controls for patching, anti-malware, etc. You should deploy a VPN solution which verifies the security controls before allowing the connection, or check for out of date workstations on a regular basis. It is recommended that you only permit company owned assets from making VPN connections, and not personal devices where it is more difficult to maintain and verify the security controls. You may instead utilize a remote access session via a screen sharing application, such as Citrix, in which there is no direct access from the host computer. Don't forget to get management approval for remote access, too. This could be a blanket statement covering a departement, group of users, or may be added/denied per user. You must also monitor all VPN connections, so be sure your VPN logs all successful and failed login attempts. You may have the system alert you when failed logins are detected. You should also have an IDS/IPS (Intrusion detection/prevention system) in place to monitor for malicious attempts. Don't forget to deploy multi-factor authentication for all remote access methods. It's not explicit in this Practice, but is a "must have" and will come up later on.

Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs do es not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.