NIST 800-53 REV 5 • ACCESS CONTROL
AC-17(2) — Protection of Confidentiality and Integrity Using Encryption
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance
Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions.
Practitioner Notes
Remote access sessions must be encrypted to protect both confidentiality and integrity. An adversary on the network path should not be able to capture a remote session and read its contents or alter it undetected.
Example 1: Configure your VPN to use IKEv2 with AES-256 encryption and SHA-256 integrity. In Cisco AnyConnect, verify the connection profile uses ESP-AES-256 for encryption and ESP-SHA-HMAC for integrity. Disable older protocols such as PPTP, and L2TP when it is used without IPsec.
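The same IKEv2 / AES-256 / SHA-256 requirement applied to the Windows built-in VPN client, as an added example that is not part of the control text and does not describe Cisco AnyConnect. It uses the cmdlets of the VpnClient module that ships with Windows; the connection name and gateway address are placeholders you would replace with your own.

```powershell
# Added example: provision a Windows native IKEv2 connection pinned to
# AES-256 / SHA-256 and audit the result. Run in an elevated session.
$ConnectionName = 'Corp-IKEv2'          # placeholder name
$Gateway        = 'vpn.example.com'     # placeholder gateway address

function New-HardenedIkev2Connection {
    param([string]$Name, [string]$ServerAddress)
    # TunnelType Ikev2 rules out PPTP and bare L2TP; EncryptionLevel Maximum stops
    # Windows from falling back to weaker proposals. -Force overwrites an existing profile.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Maximum -Force
    # Pin IKE (Phase 1) to AES-256 / SHA-256 / DH group 14 and ESP (Phase 2) to
    # AES-256 with HMAC-SHA-256-128, with PFS using a 2048-bit group.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 -Force
}

function Test-Ikev2Connection {
    param([string]$Name)
    # Read back what Windows will actually negotiate and compare against the target.
    $c = Get-VpnConnection -Name $Name
    $p = $c.IPsecCustomPolicy
    [pscustomobject]@{
        TunnelType   = $c.TunnelType
        IkeCipher    = $p.EncryptionMethod
        IkeIntegrity = $p.IntegrityCheckMethod
        EspCipher    = $p.CipherTransformConstants
        EspIntegrity = $p.AuthenticationTransformConstants
        Compliant    = ($c.TunnelType -eq 'Ikev2' -and
                        $p.EncryptionMethod -eq 'AES256' -and
                        $p.IntegrityCheckMethod -eq 'SHA256' -and
                        $p.CipherTransformConstants -eq 'AES256')
    }
}

New-HardenedIkev2Connection -Name $ConnectionName -ServerAddress $Gateway
Test-Ikev2Connection -Name $ConnectionName
```

The audit function is the part worth keeping in a compliance script: a profile that was created correctly can still be edited later, so checking the negotiated proposal rather than trusting the provisioning step is what gives you evidence for the control.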
Example 2: For RDP access, configure the GPO at Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Security → "Set client connection encryption level" to High Level and require Network Level Authentication (NLA). This ensures the RDP session is encrypted before credentials are transmitted.
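A PowerShell audit for the RDP settings in Example 2, as an added example that is not part of the control text. The registry locations are the real ones the GPO writes to: "Set client connection encryption level" populates MinEncryptionLevel (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS) under the Terminal Services policy key, the NLA policy populates UserAuthentication (1 = required) in the same key, and the RDP-Tcp WinStation key holds the effective values when no policy is set. The function names and the constructed sample host are mine.

```powershell
# Added example: audit RDP encryption level, NLA and security layer.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpEncryptionSettings {
    # Returns the raw registry values; $null where a value is not set.
    $read = {
        param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    @{
        PolicyMinEncryptionLevel    = & $read $PolicyKey  'MinEncryptionLevel'   # set by the GPO
        EffectiveMinEncryptionLevel = & $read $WinStation 'MinEncryptionLevel'   # local default
        PolicyUserAuthentication    = & $read $PolicyKey  'UserAuthentication'   # 1 = NLA required
        EffectiveUserAuthentication = & $read $WinStation 'UserAuthentication'
        EffectiveSecurityLayer      = & $read $WinStation 'SecurityLayer'        # 0=RDP, 1=Negotiate, 2=TLS
    }
}

function Test-RdpEncryptionCompliance {
    param([Parameter(Mandatory)][hashtable]$Settings)
    # A policy value, when present, overrides the local WinStation value.
    $minLevel = if ($null -ne $Settings.PolicyMinEncryptionLevel) { $Settings.PolicyMinEncryptionLevel }
                else { $Settings.EffectiveMinEncryptionLevel }
    $nla      = if ($null -ne $Settings.PolicyUserAuthentication) { $Settings.PolicyUserAuthentication }
                else { $Settings.EffectiveUserAuthentication }

    $findings = @()
    if ($null -eq $minLevel -or $minLevel -lt 3) {
        $findings += "MinEncryptionLevel is '$minLevel'; expected 3 (High) or 4 (FIPS)."
    }
    if ($nla -ne 1) {
        $findings += "UserAuthentication is '$nla'; Network Level Authentication is not required."
    }
    if ($Settings.EffectiveSecurityLayer -eq 0) {
        $findings += "SecurityLayer is 0 (legacy RDP Security Layer); TLS is not enforced."
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: a host with no policy applied and out-of-the-box RDP-Tcp values.
# Expected result: Compliant = False with two findings (encryption level, NLA).
$sampleHost = @{
    PolicyMinEncryptionLevel = $null; EffectiveMinEncryptionLevel = 2
    PolicyUserAuthentication = $null; EffectiveUserAuthentication = 0
    EffectiveSecurityLayer   = 1
}
Test-RdpEncryptionCompliance -Settings $sampleHost

# Live audit of this host (elevated session):
# Test-RdpEncryptionCompliance -Settings (Get-RdpEncryptionSettings)
```

Reading both the policy key and the WinStation key matters: a host that has fallen out of the GPO's scope keeps whatever local values it had, so an audit that looks only at the policy key reports "not configured" instead of the weaker setting that is actually in effect.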