CMMC Requirement AC.L2-3.1.13 – Remote Access Confidentiality: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The article from the FTC focuses on how a small business can put network security first by giving the employees the tools they need. This NIST Special Publication offers recommendations for designing, configuring, and managing SSL VPN solutions. This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage. This NIST Special Publication offers recommendations for designing, configuring, and managing IPSec VPN solutions. This sample policy provided by SANS can be customized and used to address remote access. This page from The UC Berkeley Information Security Office offers basic tips to system administrators for securing Windows Remote Desktop. In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss cryptographic standards including FIPS-validated cryptography and NSA-approved cryptography.
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
Further Discussion
A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. Although not explicitly required to meet AC.L2-3.1.13 requirements, this remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.
This requirement, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.