AC.L2-3.1.13

  • Requirement

    Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • Discussion

    Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.

More Info

  • Title

    Remote Access Confidentiality
  • Domain

    Access Control
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    AC-17(2)

  • DoD Scoring Methodology Points

    5

  • Reference Documents

    • N/A

  • Further Discussion

    A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. This remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges. When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm is not sufficient - the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. This practice, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other practices dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
    • AC.L2-3.1.12 requires the control of remote access sessions.
    • AC.L2-3.1.14 limits remote access to specific access control points.
    • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
    • IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
    • Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

    Example

    As a system administrator you are responsible for implementing a remote network access capability for users who work offsite. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].

    Potential Assessment Considerations

    • Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient - the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!