• Requirement

    Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

  • Discussion

    Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.

More Info

  • Title

    Remote Access Confidentiality
  • Domain

    Access Control
  • CMMC Level

  • Related NIST 800-171 ID

  • Related NIST 800-53 ID


  • DoD Scoring Methodology Points


  • Reference Documents

    • N/A

  • Further Discussion

    A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. Although not explicitly required to meet AC.L2-3.1.13 requirements, this remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.

    This requirement, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):

    • AC.L2-3.1.12 requires the control of remote access sessions.
    • AC.L2-3.1.14 limits remote access to specific access control points.
    • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
    • IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
    • Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.


    You are responsible for implementing a remote network access capability for users who access CUI remotely. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].

    Potential Assessment Considerations

    • Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!