Level 5 CMMC - CMMC Practices

AC.2.013  

Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Practice:
Monitor and control remote access sessions.

CMMC Clarification:
Remote access connections pass through untrusted networks and should therefore not be trusted without proper security controls in place. All remote access should implement approved encryption. This ensures the confidentiality of the data. Check connections to ensure that only authorized users and devices are connecting. Monitoring may include tracking who is accessing the network remotely and what files they are accessing during the remote session.

Example
You work from remote locations, such as your house or a client site and need access to your company’s network. The IT administrator issues you a company laptop with a VPN software installed which is required to connect to the network remotely. After you connect to the VPN, you must accept a privacy notice which states that the company’s security department may monitor your connection. They do this through the use of a network-based Intrusion Detection System (IDS). They also review audit logs to see who is connecting remotely and when. Next you see the message “Verifying compliance.” This means the system is checking your device to ensure it meets the established requirements to connect. The administrator explains that after your machine connects to the network using the VPN, you can have confidence that your session is private because your company implements approved encryption.

3.1.12

Monitor and control remote access sessions.

Discussion:
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code.

Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

[SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks.

Source: NIST Special Publication 800-171 Rev. 2

AC-17 (1)

REMOTE ACCESS | AUTOMATED MONITORING / CONTROL

Description:
The information system monitors and controls remote access methods.

Supplemental Guidance:
Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02