Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Route remote access via managed access control points.

CMMC Clarification:
You can limit the number of remote access control points. This reduces the attack surface for organizations. Route all remote access sessions through as few points as possible. This:
• allows for better visibility into the traffic coming into the network;
• simplifies network management; and
• increases the ability to monitor and control the connections.

You are the IT administrator for a company with many locations. Several employees at different locations need to connect to the network while working remotely. Each location has its own connection to the internet. Since each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location. All remote traffic comes to one location. You have to monitor the traffic on only one device, rather than one per location. The company will not have to buy as much equipment.


Route remote access via managed access control points.

Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.

Source: NIST Special Publication 800-171 Rev. 2

AC-17 (3)


The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

Supplemental Guidance:
Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02