NIST 800-53 REV 5 • ACCESS CONTROL

AC-17(1) Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

Supplemental Guidance

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2). Audit events are defined in [AU-2a](#au-2_smt.a).

Practitioner Notes

Remote access must be monitored and controlled — you should know who is connecting remotely, from where, and what they are doing. Real-time monitoring catches suspicious connections.

Example 1: Configure your VPN appliance to send connection logs (connect, disconnect, failed attempts) to your SIEM. In Splunk, create a dashboard showing active VPN sessions, connection duration, source IP geolocation, and bandwidth usage. Flag sessions from unusual locations.

Example 2: In Azure AD, review the Sign-ins log filtered by Conditional Access → Policy: Require compliant device. Any sign-in attempts from non-compliant devices are logged as failures. Set up an alert for repeated failures from the same user or IP.
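
The alerting logic from Examples 1 and 2, sketched in Python as an added example (not part of the original page, and not Splunk or Azure AD code): it flags repeated failures from the same user or source IP within a time window, and connections from a country outside a user's baseline. The JSON field names, threshold, window, baseline table and sample events are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a vendor schema.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00","user":"alice","src_ip":"198.51.100.10","country":"US","event":"connect"}
{"ts":"2024-05-01T09:00:00","user":"bob","src_ip":"203.0.113.5","country":"US","event":"failed"}
{"ts":"2024-05-01T09:02:00","user":"bob","src_ip":"203.0.113.5","country":"US","event":"failed"}
{"ts":"2024-05-01T09:04:00","user":"carol","src_ip":"203.0.113.5","country":"US","event":"failed"}
{"ts":"2024-05-01T09:30:00","user":"bob","src_ip":"203.0.113.9","country":"US","event":"failed"}
{"ts":"2024-05-01T11:00:00","user":"alice","src_ip":"192.0.2.77","country":"RO","event":"connect"}
truncated-record
"""

BASELINE = {"alice": {"US"}, "bob": {"US"}}  # assumed usual countries per user
FAIL_THRESHOLD = 3                           # assumed alert threshold
WINDOW = timedelta(minutes=10)               # assumed sliding window

def detect(lines, baseline=BASELINE):
    """Return alerts as (kind, subject, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)  # ("user"|"ip", value) -> recent failure times
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            user, ip, kind = ev["user"], ev["src_ip"], ev["event"]
        except (ValueError, KeyError, TypeError):
            # A record that cannot be parsed is a monitoring gap; surface it.
            alerts.append(("unparsed", None, line.strip()))
            continue
        if kind == "failed":
            # Track failures per user and per source IP independently.
            for key in (("user", user), ("ip", ip)):
                q = recent[key]
                q.append(ts)
                while ts - q[0] > WINDOW:  # drop failures outside the window
                    q.popleft()
                if len(q) == FAIL_THRESHOLD:
                    alerts.append(("repeated_failures", key[0], key[1]))
        elif kind == "connect":
            country = ev.get("country")
            if country not in baseline.get(user, set()):
                alerts.append(("unusual_location", user, country))
    return alerts
```

On the sample, the source IP shared by two users trips the failure alert even though neither user alone reaches the threshold, and the later failure for the same user falls outside the window.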