NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.13 — Employ Cryptographic Mechanisms to Protect the Confidentiality of Remote Access Sessions
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
Any remote session must be encrypted end to end. If someone is working from home and connecting to your network, that connection needs to be wrapped in strong encryption so nobody eavesdropping on the Wi-Fi can see CUI in transit.
Example 1: On your VPN appliance (e.g., Palo Alto GlobalProtect), go to Network → IPSec Tunnels → Crypto Profile and ensure you are using AES-256 encryption with SHA-256 integrity and DH Group 14 or higher. Disable legacy algorithms such as 3DES and MD5. Document these settings in your SSP.
Example 2: For remote desktop access, configure RDP to use TLS 1.2 or higher via GPO at Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → "Require use of specific security layer for remote (RDP) connections" set to SSL (TLS 1.2). Also set "Set client connection encryption level" to High.
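The PowerShell below is an added audit example, not part of this page or of Microsoft's documentation: it reads the registry values that the two GPO settings in Example 2 write (SecurityLayer and MinEncryptionLevel) and reports whether the effective configuration on the session host meets them. The registry paths and value names are the standard Windows ones; the function name is an assumption of this example, and it assumes you run it locally with administrator rights.

```powershell
# Added example: audit the effective RDP security layer and encryption level
# that the "Require use of specific security layer" and "Set client connection
# encryption level" policies control. Run locally, as an administrator.
function Get-RdpSecurityPosture {
    [CmdletBinding()]
    param()

    # Values written by Group Policy take precedence over the local WinStation
    # settings, so the policy key is consulted first and the local key is the fallback.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    function Read-Setting([string]$Name) {
        foreach ($key in @($policyKey, $localKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Value = $item.$Name; Source = $key }
            }
        }
        return $null   # value not set anywhere: Windows falls back to its default
    }

    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
    $layer = Read-Setting 'SecurityLayer'
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
    $level = Read-Setting 'MinEncryptionLevel'

    [pscustomobject]@{
        SecurityLayer               = $layer.Value
        SecurityLayerSource         = $layer.Source
        SecurityLayerCompliant      = ($null -ne $layer -and $layer.Value -eq 2)
        MinEncryptionLevel          = $level.Value
        MinEncryptionLevelSource    = $level.Source
        MinEncryptionLevelCompliant = ($null -ne $level -and $level.Value -ge 3)
    }
}

Get-RdpSecurityPosture | Format-List
```

A result with either Compliant field false, or a Source that is the local key rather than the policy key, means the GPO from Example 2 has not applied to that host and the SSP evidence should not claim it has.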