CMMC Practice AC.2.013

Monitor and control remote access sessions.

Source

CMMC Version 1.02, pg. 62

Bold Coast Security Guidance

There's a lot packed into this one simple sentence! Since you are going to be making a remote connection to the network, you must use a trusted device that has the organizational controls for patching, anti-malware, etc. You should deploy a VPN solution which verifies the security controls before allowing the connection, or check for out-of-date workstations on a regular basis. It is recommended that you permit only company-owned assets to make VPN connections, and not personal devices, where it is more difficult to maintain and verify the security controls. You may instead utilize a remote access session via a screen sharing application, such as Citrix, in which there is no direct access from the host computer.

Don't forget to get management approval for remote access, too. This could be a blanket statement covering a department or group of users, or it may be added/denied per user.

You must also monitor all VPN connections, so be sure your VPN logs all successful and failed login attempts. You may have the system alert you when failed logins are detected. You should also have an intrusion detection/prevention system (IDS/IPS) in place to monitor for malicious attempts.

Don't forget to deploy multi-factor authentication for all remote access methods. It's not explicit in this Practice, but it is a "must have" and will come up later on.

Finally, to measure how effectively you monitor and control VPN connections, we suggest a monthly report of successful VPN connections, to ensure the access is still needed and in use, and a count of failed login attempts. Both should be relatively steady numbers; a sharp increase in either may indicate an attempt to breach your VPN. You can also monitor the geolocation of connection attempts. Most VPN connections will occur from employee homes, and an attempted connection from outside the United States should be investigated.
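One way to produce the monthly report suggested above, as an added example rather than tooling from Bold Coast Security or the CMMC source. The log format, field names, the `home_country` default and the 2x "sharp increase" threshold are assumptions to adapt to your own VPN's logs.

```python
import re
from collections import Counter, defaultdict
# Constructed sample records in a hypothetical key=value format. "country" is
# assumed to be added by the VPN or a GeoIP lookup before this script runs.
SAMPLE_LOG = """\
2024-01-03T08:12:44Z user=alice country=US result=success
2024-01-09T17:40:02Z user=bob country=US result=success
2024-01-15T02:11:19Z user=bob country=US result=failure
2024-02-01T08:05:10Z user=alice country=US result=success
2024-02-11T03:22:51Z user=carol country=US result=failure
2024-02-11T03:23:05Z user=carol country=RO result=failure
2024-02-11T03:23:12Z user=carol country=RO result=failure
2024-02-20T09:30:00Z user=bob country=US result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ user=(?P<user>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)

def monthly_report(lines, home_country="US"):
    """Per month: successes per user, failed-login count, non-home attempts."""
    report = defaultdict(lambda: {"success": Counter(), "failed": 0, "foreign": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skipped here; count unparseable lines in production
        entry = report[m["month"]]
        if m["result"] == "success":
            entry["success"][m["user"]] += 1
        else:
            entry["failed"] += 1
        if m["country"] != home_country:
            entry["foreign"].append((m["user"], m["country"], m["result"]))
    return dict(report)

def sharp_increases(report, factor=2.0):
    """Flag months whose total is at least factor x the previous month's."""
    total = lambda mo, k: (report[mo]["failed"] if k == "failed"
                           else sum(report[mo]["success"].values()))
    flagged, months = [], sorted(report)
    for prev, cur in zip(months, months[1:]):
        for metric in ("success", "failed"):
            before, now = total(prev, metric), total(cur, metric)
            if now >= factor * max(before, 1):
                flagged.append((cur, metric, before, now))
    return flagged
```

Users who drop out of a month's `success` counter are candidates for the "still needed and in use" review, and every `foreign` entry is a connection attempt to investigate.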

Discussion From Source

DRAFT NIST SP 800-171 R2

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.
