CMMC Practice SC.2.179
Use encrypted sessions for the management of network devices.
Bold Coast Security Guidance
For Level 2 compliance, there must be a practice and a formal policy requirement to use only secure protocols for managing network infrastructure components. This means disabling protocols like Telnet in favor of SSH.
Management of network devices is a security-critical process and needs confidentiality protection and authentication to protect against adversaries trying to gain information or change the network infrastructure.
Confidentiality protection prevents an adversary from sniffing passwords or configuration information. Authenticity protection includes, for example, protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session level rather than the packet level (e.g., sessions in service-oriented architectures providing web-based services).
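One way to check device configurations against this practice, as an added example that is not part of the original guidance. It assumes Cisco IOS-style configuration syntax (the page names no vendor), and the sample configuration and the function name audit_management_plane are constructed for illustration.

```python
# Assumption: Cisco IOS-style syntax. Constructed sample, not from the page.
SAMPLE_CONFIG = """\
hostname edge-sw1
ip http server
ip http secure-server
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

CLEARTEXT = {"telnet", "all"}  # 'all' permits Telnet along with SSH


def audit_management_plane(config: str) -> list[str]:
    """Return findings for management access that is not encrypted."""
    findings = []
    current_vty = None      # the 'line vty' block being parsed, if any
    has_transport = False   # whether that block set 'transport input'

    def close_block():
        # A vty block with no explicit setting falls back to the platform
        # default, which the audit cannot see, so report it for review.
        if current_vty and not has_transport:
            findings.append(f"{current_vty}: no explicit 'transport input' "
                            "(platform default applies; set it to ssh)")

    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line ends any block
            close_block()
            current_vty, has_transport = None, False
            if line.startswith("line vty"):
                current_vty = line
            elif line == "ip http server":   # 'no ip http server' is not matched
                findings.append("ip http server: cleartext HTTP management enabled")
        elif current_vty and line.startswith("transport input"):
            has_transport = True
            allowed = set(line.split()[2:])
            if allowed & CLEARTEXT:
                findings.append(f"{current_vty}: transport input permits "
                                f"{sorted(allowed & CLEARTEXT)}")
    close_block()
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
```

Run it over exported running configurations as part of a periodic review; an empty result means no cleartext management access was found in the settings it checks.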