CMMC Requirement AC.L2-3.1.13 – Remote Access Confidentiality: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
The following resources relate to this requirement:
- A sample mapping between the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 and AWS managed Config rules. Each Config rule applies to a specific AWS resource and relates to one or more CMMC 2.0 Level 2 controls; a CMMC 2.0 Level 2 control can be related to multiple Config rules.
- Assessment guidance for conducting CMMC assessments at Level 2.
- Actionable guidance on mapping the Access Control CMMC requirements to specific configurations in Microsoft Entra ID (formerly Azure AD).
- Practical configuration steps to protect Remote Desktop Protocol (RDP) sessions using built-in Windows cryptographic protections, appropriate for small teams using RDP for remote access.
- Updated technical guidance for securing remote desktop environments hosted in Azure, including encryption, session controls, and identity protections.
- A NIST Special Publication offering recommendations for designing, configuring, and managing SSL VPN solutions.
- A NIST Special Publication that is one part of a series intended to guide the Federal Government in using cryptography to protect its sensitive but unclassified digitized information during transmission and while in storage.
- A NIST Special Publication offering recommendations for designing, configuring, and managing IPsec VPN solutions.
- A sample remote access policy provided by SANS that can be customized for the organization.
- A video explaining CMMC 2.0 Control AC.L2-3.1.13: Secure Remote Access Sessions Cryptographically.
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
Further Discussion
A remote access session involves logging into the organization’s systems, such as its internal network or a cloud service provider, from a remote location such as home or an alternate work site. The session must be secured with cryptography that provides confidentiality, so that anyone able to observe the traffic cannot decipher the session’s information exchanges. AC.L2-3.1.13 itself does not name FIPS-validated cryptography, but because the cryptography in this requirement protects the confidentiality of CUI, it must meet the criteria specified in requirement SC.L2-3.13.11, which does require FIPS-validated cryptography. In practice, therefore, a remote access session that carries CUI must be protected with FIPS-validated cryptography.
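As an added example, not taken from the CMMC guide or from any of the resources listed above, the following Python audit takes the protocol version and cipher suite that a remote access gateway logged for each session and checks them against the NIST TLS guidance: TLS 1.2 or 1.3 only, AES for confidentiality, no MD5 integrity and no anonymous key exchange, with a warning for RSA key transport and SHA-1 HMAC suites. The log format, hostnames, user names and session identifiers are constructed for the example. One caveat an assessor will care about: FIPS validation is a property of the cryptographic module (the CMVP-listed library or OS crypto provider the gateway runs in FIPS mode), so a wire-level check like this can only show that approved algorithms were negotiated; that is necessary but not sufficient evidence for SC.L2-3.13.11.

```python
"""Audit negotiated TLS parameters of remote access sessions.

Added example for this page, not code from the CMMC guide or any vendor.
The log lines are constructed; real gateways (VPN concentrators, RD Gateway,
reverse proxies) log the negotiated protocol and cipher suite in their own
format, so only parse_log_line would need adapting.
"""
import re
from dataclasses import dataclass, field

# Protocol versions SP 800-52r2 permits; SSL 2/3 and TLS 1.0/1.1 are not.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# AES (FIPS 197) is the approved bulk cipher; RC4, 3DES, DES, NULL, SEED,
# CHACHA20 and export ciphers all fail this check.
APPROVED_BULK = {"AES_128_GCM", "AES_256_GCM", "AES_128_CBC", "AES_256_CBC",
                 "AES_128_CCM", "AES_256_CCM"}
# Key exchanges that give forward secrecy. Static RSA key transport is still
# permitted by SP 800-52r2 but discouraged, so it is reported as a warning.
PFS_KX = {"ECDHE", "DHE"}

SUITE_RE = re.compile(r"TLS_(?:(.+?)_WITH_)?(.+)_(SHA\d*|MD5)")
# Assumed log layout: "... session=<id> ... proto=<ver> ... cipher=<suite>"
LINE_RE = re.compile(r"session=(\S+).*?proto=(\S+).*?cipher=(\S+)")


@dataclass
class Verdict:
    session: str
    ok: bool                                      # False on any hard failure
    findings: list = field(default_factory=list)  # failures first, then warnings


def parse_suite(name):
    """Split an IANA cipher suite name into (kx, auth, bulk, hash).

    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key exchange because the
    1.3 handshake is always (EC)DHE; kx and auth come back as None.
    """
    m = SUITE_RE.fullmatch(name)
    if not m:
        return None
    kxauth, bulk, mac = m.groups()
    if kxauth is None:
        return None, None, bulk, mac
    kx, _, auth = kxauth.partition("_")   # "ECDHE_RSA" -> ECDHE / RSA, "RSA" -> RSA / RSA
    return kx, (auth or kx), bulk, mac


def evaluate(session, protocol, suite):
    """Apply the confidentiality rules to one negotiated session."""
    failures, warnings = [], []
    if protocol not in APPROVED_PROTOCOLS:
        failures.append(f"protocol {protocol} not permitted (TLS 1.2 or 1.3 required)")
    parsed = parse_suite(suite)
    if parsed is None:
        failures.append(f"unrecognised cipher suite name {suite!r}")
        return Verdict(session, False, failures)
    kx, auth, bulk, mac = parsed
    if bulk not in APPROVED_BULK:
        failures.append(f"bulk cipher {bulk} is not an approved algorithm")
    if mac == "MD5":
        failures.append("MD5-based integrity is not approved")
    elif mac == "SHA":
        warnings.append("HMAC-SHA-1 suite; prefer a SHA-2 suite")
    if auth == "anon":
        failures.append(f"{kx}_anon: no server authentication, open to active MITM")
    elif kx is not None and kx not in PFS_KX:
        warnings.append(f"{kx} key transport has no forward secrecy (permitted, discouraged)")
    return Verdict(session, not failures, failures + warnings)


def parse_log_line(line):
    m = LINE_RE.search(line)
    return m.groups() if m else None


def audit(log_text):
    """Return one Verdict per parseable session line, in log order."""
    return [evaluate(*f) for f in map(parse_log_line, log_text.splitlines()) if f]


def noncompliant(verdicts):
    return [v.session for v in verdicts if not v.ok]


# Constructed sample in a VPN gateway / RD Gateway style; not real data.
SAMPLE_LOG = """\
2024-05-02T14:03:11Z gw1 session=a1f3 user=jdoe proto=TLSv1.2 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2024-05-02T14:05:40Z gw1 session=b7c2 user=asmith proto=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256
2024-05-02T14:07:02Z gw1 session=c9d4 user=legacy-svc proto=TLSv1.0 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA
2024-05-02T14:09:55Z gw1 session=d0e5 user=mlee proto=TLSv1.2 cipher=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
2024-05-02T14:12:18Z gw1 session=e1f6 user=kpatel proto=TLSv1.2 cipher=TLS_RSA_WITH_AES_128_CBC_SHA256
2024-05-02T14:15:33Z gw1 session=f2a7 user=unknown proto=TLSv1.2 cipher=TLS_DH_anon_WITH_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.session}: {'PASS' if v.ok else 'FAIL'}")
        for finding in v.findings:
            print(f"    - {finding}")
```

Run against a real export, the script gives the assessor a per-session list of what was negotiated and why any session fails; pair it with the gateway’s CMVP certificate and FIPS-mode configuration evidence, which is what actually demonstrates validated cryptography.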
AC.L2-3.1.13 requires the use of cryptographic mechanisms whenever remote sessions are enabled, and it complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.
