CMMC Practice AC.2.015
Route remote access via managed access control points.
Bold Coast Security Guidance
You want to route remote access through as few VPN gateways as possible. Even if you have many offices, you should only have a single, primary VPN connection, and a backup for that connection (if you determine VPN redundancy is required).
Be aware that users may attempt to circumvent this control by installing and enabling third-party software that allows a connection directly to their PC, such as LogMeIn, TeamViewer, or GoToMyPC. You must prohibit the use of this software and block it if possible. This can be tricky, as these solutions often also block permitted screen-sharing applications popular for virtual meetings.
To measure the effectiveness of this control, we recommend the organization record IDS events that indicate an attempt to use unauthorized remote access software. If the use continues, the organization should take additional steps to train staff, block such software, and possibly enforce disciplinary actions.
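One way to track whether such use continues over time is sketched below. This is an added example, not Bold Coast Security or NIST material. It assumes the IDS or DNS sensor exports one line per lookup as "timestamp client-IP queried-name"; the log lines are constructed, and the watch list of vendor domains is illustrative rather than complete.

```python
from collections import defaultdict
from datetime import datetime

# Assumed watch list: vendor domains for the tools named above (illustrative, not complete).
WATCHED = {"teamviewer.com": "TeamViewer", "logmein.com": "LogMeIn", "gotomypc.com": "GoToMyPC"}

# Constructed sample: "<ISO timestamp> <client IP> <queried name>" from a DNS sensor.
SAMPLE_LOG = """\
2024-03-04T09:12:00 10.0.0.21 router1.teamviewer.com
2024-03-04T09:13:10 10.0.0.35 www.example.com
2024-03-05T14:02:44 10.0.0.35 secure.logmein.com
2024-03-12T08:55:01 10.0.0.21 router7.teamviewer.com
2024-03-13T10:20:30 10.0.0.40 notteamviewer.com
malformed line
2024-03-19T11:00:00 10.0.0.21 www.gotomypc.com
"""

def match_tool(name):
    """Return the tool name if `name` is a watched domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    for domain, tool in WATCHED.items():
        if name == domain or name.endswith("." + domain):
            return tool
    return None

def weekly_events(log_text):
    """Map (ISO year, ISO week) -> {client IP: event count} for watched lookups."""
    weeks = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        if match_tool(parts[2]):
            year, week, _ = ts.isocalendar()
            weeks[(year, week)][parts[1]] += 1
    return {w: dict(c) for w, c in weeks.items()}

def continuing_clients(log_text):
    """Clients with watched lookups in more than one week: candidates for follow-up."""
    seen = defaultdict(set)
    for week, clients in weekly_events(log_text).items():
        for ip in clients:
            seen[ip].add(week)
    return sorted(ip for ip, wks in seen.items() if len(wks) > 1)

if __name__ == "__main__":
    print(weekly_events(SAMPLE_LOG), continuing_clients(SAMPLE_LOG))
```

The suffix match requires a label boundary, so a lookalike name such as notteamviewer.com is not counted as an event.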
DRAFT NIST SP 800-171 R2
Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.