Level 5 CMMC - CMMC Practices

AC.3.014  

Reference: CMMC 1.02

Family: AC

Level Introduced: 3

Practice:
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

CMMC Clarification:
A remote access session involves logging in to the organization's network from a remote location such as home or an alternate work site. The session must be secured using FIPS-validated cryptography to provide confidentiality, so that anyone who captures the session traffic cannot read the information exchanged.

Example
As the IT administrator for your organization you are responsible for implementing a remote network access capability for users who work offsite. To provide session confidentiality, you decide to establish a TLS-based Virtual Private Network mechanism. You choose a product that has completed FIPS validation. You require user authentication rather than mutual authentication, but you also set up two-factor authentication based on a token passcode and a user PIN before the VPN is established.
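A practitioner assessing this practice wants evidence beyond a product data sheet: that the remote-access endpoint actually negotiates only approved algorithms, and that the client side refuses anything weaker. The following is an added example, not text from CMMC or NIST, that checks the negotiated TLS version and cipher suite of a remote-access gateway against an allow-list. The allow-list, the constructed sample sessions, and the hypothetical host name are assumptions for the example; a real allow-list must be derived from the security policy of the validated module (the CMVP certificate) and the module must be running in its FIPS mode, which cipher names alone cannot prove.

```python
"""Check that remote-access TLS sessions use only FIPS-approved algorithms.

Added example for CMMC AC.3.014 / NIST SP 800-171 3.1.13; not code from
CMMC, NIST, or any VPN vendor. Allow-list and sample data are assumptions.
"""
import socket
import ssl

# Assumed allow-list of TLS 1.2 / 1.3 suites built only from FIPS-approved
# primitives (AES-GCM or AES-CBC, SHA-2, ECDHE or RSA key exchange).
# ChaCha20-Poly1305 and SHA-1 suites are deliberately absent.
FIPS_APPROVED_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",           # TLS 1.3
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
}
MIN_VERSION = "TLSv1.2"
_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def evaluate_session(version, cipher):
    """Return (ok, reasons) for one negotiated protocol version and cipher name."""
    reasons = []
    if version not in _VERSION_ORDER or \
            _VERSION_ORDER.index(version) < _VERSION_ORDER.index(MIN_VERSION):
        reasons.append(f"protocol {version} below {MIN_VERSION}")
    if cipher not in FIPS_APPROVED_SUITES:
        reasons.append(f"cipher {cipher} not on the FIPS allow-list")
    return (not reasons, reasons)


def audit_sessions(records):
    """Return the (version, cipher, reasons) triples that fail the policy.

    records: iterable of (version, cipher) pairs, e.g. exported from VPN logs.
    """
    failures = []
    for version, cipher in records:
        ok, reasons = evaluate_session(version, cipher)
        if not ok:
            failures.append((version, cipher, reasons))
    return failures


def hardened_client_context():
    """Client-side enforcement: refuse anything below TLS 1.2 and restrict
    the TLS 1.2 suites to the allow-list. Note that Python's set_ciphers()
    does not govern TLS 1.3 suites, so TLS 1.3 ChaCha20 may still be offered
    unless the underlying OpenSSL is itself in FIPS mode."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12_suites = [s for s in FIPS_APPROVED_SUITES if not s.startswith("TLS_")]
    ctx.set_ciphers(":".join(sorted(tls12_suites)))
    return ctx


def probe_endpoint(host, port=443, timeout=5):
    """Connect to a gateway and evaluate what it negotiates (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return evaluate_session(tls.version(), name)


# Constructed sample of negotiated sessions, as a VPN gateway log export
# might contain them. Not real data.
SAMPLE_SESSIONS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305"),   # strong, but not FIPS-approved
    ("TLSv1", "AES256-SHA"),                       # old protocol and SHA-1 MAC
]

if __name__ == "__main__":
    for version, cipher, reasons in audit_sessions(SAMPLE_SESSIONS):
        print(f"FAIL {version} {cipher}: {'; '.join(reasons)}")
    # probe_endpoint("vpn.example.org")  # hypothetical host; run against your gateway
```

The audit over recorded sessions is the part an assessor can reproduce offline; the probe confirms the live gateway behaves the same way. Both are necessary but not sufficient evidence for this practice, because FIPS validation attaches to the cryptographic module and its operating mode, not to the suite names it exposes.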

3.1.13

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Discussion:
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.

See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.

Source: NIST Special Publication 800-171 Rev. 2

AC-17 (2)

REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION

Description:
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Supplemental Guidance:
The encryption strength of the mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02