CMMC AC.3.014 - Encrypt Remote Access

Requirement text: AC.3.014: Employ cryptographic mechanisms to protect the confidentiality of remote
access sessions.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Cryptographic standards include FIPS-validated cryptography and NSA-approved
cryptography.

CMMC CLARIFICATION
A remote access session involves logging in to the organization's network from a remote
location such as home or an alternate work site. This remote access session must be secured
using FIPS-validated cryptography to provide confidentiality and prevent anyone from
capturing session information exchanges.

Example
As the IT administrator for your organization, you are responsible for implementing a remote
network access capability for users who work offsite. In order to provide session
confidentiality, you decide to establish a TLS-based Virtual Private Network (VPN). You
choose a product that has completed FIPS validation. You require user authentication rather
than mutual authentication, but you also set up two-factor authentication, based on a token
passcode and a user PIN, that must succeed before the VPN session is established.

References
• NIST SP 800-171 Rev 1 3.1.13
• CIS Controls v7.1 15.7, 15.8
• NIST CSF v1.1 PR.AC-3, PR.PT-4
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-17(2)