Remote access is access to organizational systems by users (or processes acting on behalf of
users) communicating through external networks (e.g., the Internet). Remote access
methods include dial-up, broadband, and wireless. Organizations often employ encrypted
virtual private networks (VPNs) to enhance confidentiality over remote connections. The
use of encrypted VPNs does not make the access non-remote; however, the use of VPNs,
when adequately provisioned with appropriate control (e.g., employing encryption
techniques for confidentiality protection), may provide sufficient assurance to the
organization that it can effectively treat such connections as internal networks. VPNs with
encrypted tunnels can affect the capability to adequately monitor network communications
traffic for malicious code.
Automated monitoring and control of remote access sessions allows organizations to detect
cyber-attacks and helps to ensure ongoing compliance with remote access policies by auditing
connection activities of remote users on a variety of system components (e.g., servers,
workstations, notebook computers, smart phones, and tablets).
NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and
virtual private networks.
CMMC CLARIFICATION
Remote access connections pass through untrusted networks and should therefore not be
trusted without proper security controls in place. All remote access should implement
approved encryption. This ensures the confidentiality of the data. Check connections to
ensure that only authorized users and devices are connecting. Monitoring may include
tracking who is accessing the network remotely and what files they are accessing during the
remote session.
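As an added example (not part of the CMMC practice text or any NIST publication), the script below shows the kind of automated monitoring the discussion above and the clarification describe: it reads constructed VPN session log lines, checks each connection against allowlists of authorized users and registered devices, records which files each user touched during a session, and flags file access that happens outside an active session. The log format, field names, allowlist contents and sample values are all assumptions made for this illustration.

```python
"""Audit constructed VPN session logs for unauthorized users, unregistered
devices and file access outside an active remote session (added example)."""
import re

# Constructed sample log lines; the key=value format is an assumption for
# this example, not the output of any particular VPN product.
VPN_LOG = """\
2024-03-04T08:01:12Z vpn session=start user=alice device=LT-0142 src=203.0.113.10
2024-03-04T08:03:40Z vpn file=read user=alice path=/shared/contracts/q1.docx
2024-03-04T08:15:02Z vpn session=start user=bob device=LT-9999 src=198.51.100.7
2024-03-04T08:16:11Z vpn file=read user=bob path=/shared/finance/payroll.xlsx
2024-03-04T08:20:30Z vpn session=start user=mallory device=LT-0150 src=192.0.2.55
2024-03-04T09:00:00Z vpn session=end user=alice device=LT-0142 src=203.0.113.10
2024-03-04T09:05:00Z vpn file=read user=alice path=/shared/hr/roster.csv
"""

# Hypothetical allowlists the organization would maintain (constructed).
AUTHORIZED_USERS = {"alice", "bob", "carol"}
REGISTERED_DEVICES = {"LT-0142", "LT-0150", "LT-0173"}

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields; return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def audit_sessions(log_text, authorized_users=AUTHORIZED_USERS,
                   registered_devices=REGISTERED_DEVICES):
    """Reconstruct remote sessions from the log and report policy violations.

    Returns {"sessions": [...], "violations": [(ts, user, reason), ...]}.
    """
    active = {}      # user -> session record while the session is open
    sessions = []    # every session seen, open or closed
    violations = []  # (timestamp, user, reason)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user = ev.get("user", "?")
        if ev.get("session") == "start":
            rec = {"user": user, "device": ev.get("device"), "src": ev.get("src"),
                   "start": ev["ts"], "end": None, "files": []}
            # Control: only authorized users on registered devices may connect.
            if user not in authorized_users:
                violations.append((ev["ts"], user, "unauthorized user"))
            if rec["device"] not in registered_devices:
                violations.append((ev["ts"], user,
                                   f"unregistered device {rec['device']}"))
            active[user] = rec
            sessions.append(rec)
        elif ev.get("session") == "end":
            rec = active.pop(user, None)
            if rec is not None:
                rec["end"] = ev["ts"]
        elif "file" in ev:
            # Monitoring: attribute file access to the session it occurred in.
            rec = active.get(user)
            if rec is None:
                violations.append((ev["ts"], user,
                                   "file access without active session"))
            else:
                rec["files"].append(ev.get("path", "?"))
    return {"sessions": sessions, "violations": violations}


if __name__ == "__main__":
    report = audit_sessions(VPN_LOG)
    for s in report["sessions"]:
        print(f"{s['user']}@{s['device']} {s['start']}..{s['end']} files={s['files']}")
    for ts, user, reason in report["violations"]:
        print(f"VIOLATION {ts} {user}: {reason}")
```

In a real deployment the allowlists would come from the identity provider and device inventory rather than constants, and the violation list would feed a SIEM or alerting pipeline; the structure of the check (reconstruct the session, compare the connecting identity and device against what is approved, attribute activity to the session) stays the same.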
Example
You work from remote locations, such as your house or a client site, and need access to your
company’s network. The IT administrator issues you a company laptop with VPN software
installed, which is required to connect to the network remotely. After you connect to the
VPN, you must accept a privacy notice which states that the company’s security department
may monitor your connection. They do this through the use of a network-based Intrusion
Detection System (IDS). They also review audit logs to see who is connecting remotely and
when. Next you see the message “Verifying compliance.” This means the system is checking
your device to ensure it meets the established requirements to connect. The administrator
explains that after your machine connects to the network using the VPN, you can have
confidence that your session is private because your company implements approved
encryption.
Reference
• NIST SP 800-171 Rev 1 3.1.12
• CIS Controls v7.1 12.11, 12.12
• NIST CSF v1.1 PR.AC-3, PR.PT-4
• CERT RMM v1.2 TM:SG2.SP2
• NIST SP 800-53 Rev 4 AC-17(1)