David at 01:22, 16 March 2025

2025-03-16T01:22:57Z

← Older revision		Revision as of 01:22, 16 March 2025
Line 13:		Line 13:
	'''Examine'''		'''Examine'''

	[SELECT FROM: Access control policy; procedures addressing remote access to the system;system security plan;system design documentation;system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].		[SELECT FROM: Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].

	'''Interview'''		'''Interview'''

David at 22:33, 15 March 2025

2025-03-15T22:33:47Z

← Older revision		Revision as of 22:33, 15 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY == === SECURITY REQUIREMENT === Employ cryptographic mechanisms to protect the confidentiality of remote access se..."

2022-02-26T05:29:16Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY == === SECURITY REQUIREMENT === Employ cryptographic mechanisms to protect the confidentiality of remote access se..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== AC.L2-3.1.13 – REMOTE ACCESS CONFIDENTIALITY ==
=== SECURITY REQUIREMENT ===
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
: [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: Access control policy; procedures addressing remote access to the system;system security plan;system design documentation;system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].

'''Interview'''

[SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].

'''Test'''

[SELECT FROM: Cryptographic mechanisms protecting remote access sessions].
=== DISCUSSION ===
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
=== FURTHER DISCUSSION ===
A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. This remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.

When CMMC requires cryptography, it is to protect the confidentiality of CUI. FIPS-validated cryptography means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or -2 requirements. Simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140. Accordingly, FIPS-validated cryptography is required to meet CMMC practices that protect CUI when transmitted or stored outside the protected environment of the covered contractor information system (including wireless/remote access). Encryption used for other purposes, such as within applications or devices within the protected environment of the covered contractor information system, would not need to be FIPS-validated. This practice, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other practices dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
* AC.L2-3.1.12 requires the control of remote access sessions.
* AC.L2-3.1.14 limits remote access to specific access control points.
* AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
* IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
* Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

'''Example'''

As a system administrator you are responsible for implementing a remote network access capability for users who work offsite. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].

'''Potential Assessment Considerations'''
* Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.1.13

Practice AC.L2-3.1.13 Details - Revision history

David at 01:22, 16 March 2025

David at 22:33, 15 March 2025