Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
DiscussionCryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. Although not explicitly required to meet AC.L2-3.1.13 requirements, this remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.
This requirement, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.12 requires the control of remote access sessions.
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.
You are responsible for implementing a remote network access capability for users who access CUI remotely. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].
Potential Assessment Considerations
- Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.