NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.12 Remote Access

Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. Authorize each type of remote system access prior to establishing such connections. Route remote access to the system through authorized and managed access control points. Authorize the remote execution of privileged commands and remote access to security-relevant information.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • types of allowable remote system access are defined.
  • usage restrictions are established for each type of allowable remote system access.
  • configuration requirements are established for each type of allowable remote system access.
  • connection requirements are established for each type of allowable remote system access.
  • each type of remote system access is authorized prior to establishing such connections.
  • remote access to the system is routed through authorized access control points.
  • remote access to the system is routed through managed access control points.
  • remote execution of privileged commands is authorized.
  • remote access to security-relevant information is authorized.

Practitioner Notes

If your employees work from home or travel, they're using remote access. You need clear rules about how they connect and what they can access remotely, and every remote connection must go through a managed gateway: no direct connections to internal systems.

Example 1: Deploy a VPN solution (e.g., Cisco AnyConnect, Palo Alto GlobalProtect) and configure it to require both a user certificate and MFA before granting access. On the VPN concentrator, create an access policy that limits remote users to only the network segments they need. Block split-tunneling so all traffic flows through your monitored network.

Example 2: Write a Remote Access Policy document that defines: who is authorized for remote access, what devices are allowed (company-managed only), what MFA method is required, and what data can be accessed remotely. In Azure AD, enforce this with a Conditional Access policy under Security → Conditional Access that requires a compliant/Intune-managed device and MFA for any sign-in from outside your corporate IP ranges.
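To show how the rules in both examples can be checked mechanically, here is an added Python example (not code from this page, and not from any VPN or identity vendor). It encodes the Remote Access Policy from Example 2 as data, one entry per authorized access type, and evaluates constructed connection attempts against the requirements both examples describe: the access type must be defined in advance, the connection must arrive through the managed gateway, the user certificate, MFA and company-managed device must be present, split tunnelling is refused, each type may reach only its approved segments, and a privileged command needs explicit authorization. The gateway name, IP ranges, access type names and the sample attempts are all constructed for illustration.

```python
"""Policy-as-code check for remote access requests (constructed example).

Encodes the rules from the two practitioner examples above so that an
observed connection attempt can be tested against them; the resulting
violation list doubles as evidence for the assessment objectives.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed value: the only managed access control point remote users may use.
MANAGED_GATEWAYS = {"vpn-gw-01.example.test"}


@dataclass(frozen=True)
class AccessType:
    """One authorized type of remote access and its usage/configuration rules."""
    name: str
    require_certificate: bool
    require_mfa: bool
    require_managed_device: bool
    allowed_segments: tuple          # network segments this type may reach
    forbid_split_tunnel: bool


# The Remote Access Policy as data (constructed types and segments).
POLICY = {
    "vpn-user": AccessType(
        "vpn-user", True, True, True, (ip_network("10.10.0.0/16"),), True),
    "vpn-admin": AccessType(
        "vpn-admin", True, True, True,
        (ip_network("10.10.0.0/16"), ip_network("10.20.0.0/24")), True),
}


@dataclass
class Request:
    """One connection attempt, with the fields a VPN or IdP log would supply."""
    user: str
    access_type: str
    source_ip: str
    gateway: Optional[str]          # None = direct connection, no access control point
    has_certificate: bool
    mfa_passed: bool
    device_managed: bool
    split_tunnel: bool
    destination_ip: str
    privileged_command: bool = False
    privileged_authorized: bool = False


def in_ranges(ip: str, ranges) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def evaluate(req: Request) -> list:
    """Return the policy violations for one attempt; an empty list means allow."""
    rule = POLICY.get(req.access_type)
    if rule is None:
        # A type that was never defined cannot have been authorized.
        return [f"access type '{req.access_type}' is not an authorized type"]
    violations = []
    if req.gateway not in MANAGED_GATEWAYS:
        violations.append("connection did not arrive through a managed access control point")
    if rule.require_certificate and not req.has_certificate:
        violations.append("user certificate missing")
    if rule.require_mfa and not req.mfa_passed:
        violations.append("MFA not satisfied")
    if rule.require_managed_device and not req.device_managed:
        violations.append("device is not company-managed")
    if rule.forbid_split_tunnel and req.split_tunnel:
        violations.append("split tunnelling is enabled")
    if not in_ranges(req.destination_ip, rule.allowed_segments):
        violations.append(
            f"destination {req.destination_ip} is outside the segments allowed for {rule.name}")
    if req.privileged_command and not req.privileged_authorized:
        violations.append("remote privileged command lacks authorization")
    return violations


def review(requests) -> dict:
    """Map each denied user to their violations, for a batch of attempts."""
    results = {r.user: evaluate(r) for r in requests}
    return {user: v for user, v in results.items() if v}


if __name__ == "__main__":
    # Constructed attempts: one compliant, one direct connection with no
    # credentials, one split-tunnelled user reaching a forbidden segment,
    # and one admin issuing an unauthorized privileged command.
    sample = [
        Request("alice", "vpn-user", "198.51.100.7", "vpn-gw-01.example.test",
                True, True, True, False, "10.10.4.20"),
        Request("bob", "vpn-user", "198.51.100.9", None,
                False, False, False, False, "10.10.4.20"),
        Request("carol", "vpn-user", "198.51.100.11", "vpn-gw-01.example.test",
                True, True, True, True, "10.20.0.5"),
        Request("dave", "vpn-admin", "198.51.100.12", "vpn-gw-01.example.test",
                True, True, True, False, "10.20.0.5", privileged_command=True),
    ]
    for user, reasons in review(sample).items():
        print(user, "DENIED:", "; ".join(reasons))
```

Each check maps to one assessment objective above, so the same function can be pointed at exported VPN or sign-in logs to produce the "authorized prior to connection" and "routed through managed access control points" evidence an assessor asks for.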