CMMC Practice AC.4.032
Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
Bold Coast Security Guidance
The organization must review and codify where, when and how a user may make remote access connections. We have already suggested that you do not permit the use of personally owned devices. You should now also consider time-of-day and geo-location restrictions to block unauthorized remote access connections.
You should also consider WHAT a user has access to when connecting. This often comes into play when allowing remote access to vendors for support purposes. They do not need access to the entire network, only to the components they are supporting. Time-of-day and geo-location settings also come into play here.
This practice adds granularity to remote access restrictions based on organization-determined factors. The example factors in the practice are provided to help explain the meaning of 'risk factors': anything that adds context to be considered when determining whether to grant remote access.
The intent of this practice is to define additional context for allowed remote access and then to enforce it through technical means, not just policy.
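One way to turn the factors above into a technical check, shown as an added example that is not part of the original guidance: a default-deny decision function that evaluates device ownership, source location, time of day and per-role resource scope for each remote connection. The role names, policy values and field names are assumptions made for illustration, and the geo-IP lookup and time-zone conversion are assumed to happen upstream.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Policy:                      # hypothetical per-role policy record
    countries: frozenset           # country codes allowed as connection source
    start: time                    # window start, organization-local time
    end: time                      # window end (may wrap past midnight)
    resources: frozenset           # components this role may reach

@dataclass(frozen=True)
class Request:                     # hypothetical remote connection attempt
    role: str
    country: str                   # result of a geo-IP lookup done upstream
    managed_device: bool           # False = personally owned device
    when: datetime                 # already in organization-local time
    resource: str

# Constructed sample policies; all values are illustrative assumptions.
POLICIES = {
    "employee": Policy(frozenset({"US"}), time(6), time(20),
                       frozenset({"mail", "fileshare", "erp"})),
    "vendor-hvac": Policy(frozenset({"US"}), time(22), time(2),
                          frozenset({"hvac-controller"})),
}

def in_window(t, start, end):
    """True if t falls in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def decide(req):
    """Return (allowed, reasons); every failed factor is listed for logging."""
    pol = POLICIES.get(req.role)
    if pol is None:
        return False, ["unknown role"]          # default deny
    reasons = []
    if not req.managed_device:
        reasons.append("personally owned device")
    if req.country not in pol.countries:
        reasons.append("location not permitted")
    if not in_window(req.when.time(), pol.start, pol.end):
        reasons.append("outside permitted hours")
    if req.resource not in pol.resources:
        reasons.append("resource outside role scope")
    return (not reasons), reasons
```

Returning every failed factor, not only the first, gives the access log enough context to separate a misconfigured vendor window from a connection attempt that fails on several factors at once.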