03.01.12: Remote Access
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-46 [14]
SP 800-77 [18]
SP 800-113 [19]
SP 800-114 [20]
SP 800-121 [21]
IR 7966 [26]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.12
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AC-17
AC-17(03)
AC-17(04)
a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.
b. Authorize each type of remote system access prior to establishing such connections.
c. Route remote access to the system through authorized and managed access control points.
d. Authorize the remote execution of privileged commands and remote access to security-relevant information.
Discussion:
Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI.
Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for remote system access; remote system access configuration and connection requirements; configuration management plan; system configuration settings; remote access authorizations; system audit records; system design documentation; procedures for remote access to the system; system monitoring records; list of managed network access control points; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with responsibilities for managing remote access connections; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: mechanisms for monitoring and controlling remote access methods; mechanisms for routing remote accesses through managed access control points; remote access management capability for the system]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.12.a[01]: types of allowable remote system access are defined.
A.03.01.12.a[02]: usage restrictions are established for each type of allowable remote system access.
A.03.01.12.a[03]: configuration requirements are established for each type of allowable remote system access.
A.03.01.12.a[04]: connection requirements are established for each type of allowable remote system access.
A.03.01.12.b: each type of remote system access is authorized prior to establishing such connections.
A.03.01.12.c[01]: remote access to the system is routed through authorized access control points.
A.03.01.12.c[02]: remote access to the system is routed through managed access control points.
A.03.01.12.d[1]: remote execution of privileged commands is authorized.
A.03.01.12.d[2]: remote access to security-relevant information is authorized.