CMMC Practice AC.L2-3.1.13 – Remote Access Confidentiality: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Links to Publicly Available Resources
Discussion [NIST SP 800-171 R2]
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. This remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges. When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm is not sufficient –the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. This practice, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other practices dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.