This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
NIST 800-53 (r4) Supplemental Guidance:
Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7.
NIST 800-53 (r5) Discussion:
Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC] requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.
38North Guidance:
Meets Minimum Requirement:
Use of a VPN to establish an encrypted connection to the in-scope information system. Implementation of a bastion host or jump server that funnels all remote access connections through a single access point, or at least a limited number of access points, so that connections can be monitored and controlled more efficiently.
Best Practice:
Organizations should limit remote access to the in-scope information system to as few remote access connections as possible to reduce the attack surface of the system. Funneling connections through a VPN, bastion host, and/or jump server provides the mechanism to limit remote access connections to the system: the individual information system components accept remote access connections only from that limited set of access points, never directly from personnel workstations.
Additionally, limiting remote access to a small number of access points makes monitoring, logging, and controlling remote access sessions easier, more efficient, and more manageable.
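The funnel described in the Best Practice section can be checked mechanically against a cloud network inventory. The following is an added example (not part of this page or of any CSP's tooling) that audits a security-group inventory for AC-17(3): SSH/RDP (or all-traffic) rules on a component may only admit traffic from a designated access-point group, and the access points themselves may only admit traffic from approved source ranges. The inventory shape loosely follows the AWS describe-security-groups output; the group IDs, CIDRs, the designated access-point set and the approved source ranges are all constructed assumptions for the example.

```python
"""Audit a security-group inventory for AC-17(3): remote access must funnel
through designated access control points (bastion / jump host / VPN).

Added example; not the page's or any CSP's own code. Inventory, group IDs,
CIDRs and policy constants below are constructed for illustration.
"""
import ipaddress

REMOTE_ACCESS_PORTS = (22, 3389)  # SSH, RDP

# Policy (assumptions): the designated managed access control points and the
# source ranges (e.g. the organization's VPN egress) they may accept from.
ACCESS_POINTS = {"sg-bastion"}
APPROVED_SOURCES = ["203.0.113.0/24"]

# Constructed inventory, shaped like describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"},    # approved VPN range
                      {"CidrIp": "198.51.100.0/24"}],  # not approved -> finding
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},        # correct funnel
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},  # not remote access
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},  # direct SSH -> finding
    {"GroupId": "sg-win", "GroupName": "windows-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},  # RDP from LAN bypasses bastion
    {"GroupId": "sg-legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},                                          # all traffic -> finding
]


def rule_covers_remote_access(perm):
    """True if the rule admits SSH or RDP (or all traffic / all TCP ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # TCP rule without a port range: all ports
        return True
    return any(lo <= p <= hi for p in REMOTE_ACCESS_PORTS)


def cidr_within_approved(cidr, approved):
    """True if every address in cidr lies inside one approved source range."""
    net = ipaddress.ip_network(cidr, strict=False)
    for a in approved:
        allowed = ipaddress.ip_network(a, strict=False)
        if net.version == allowed.version and net.subnet_of(allowed):
            return True
    return False


def describe(perm):
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all traffic"
    return f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def find_violations(groups, access_points=ACCESS_POINTS, approved=APPROVED_SOURCES):
    """Return (group_id, rule, reason) for every rule that breaks the funnel."""
    violations = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            if not rule_covers_remote_access(perm):
                continue
            rule = describe(perm)
            # CIDR-sourced rules: only an access point may have them, and only from approved ranges.
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if gid in access_points:
                    if not cidr_within_approved(cidr, approved):
                        violations.append((gid, f"{rule} from {cidr}",
                                           "access point admits remote access from an unapproved source"))
                else:
                    violations.append((gid, f"{rule} from {cidr}",
                                       "component admits remote access directly, bypassing the access points"))
            # Group-sourced rules on a component must reference an access-point group.
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if gid not in access_points and src not in access_points:
                    violations.append((gid, f"{rule} from {src}",
                                       "component admits remote access from a non-access-point group"))
    return violations


if __name__ == "__main__":
    for gid, rule, reason in find_violations(SAMPLE_GROUPS):
        print(f"{gid}: {rule}: {reason}")
```

Run against the constructed inventory it reports four findings (sg-bastion, sg-db, sg-win, sg-legacy) and accepts sg-app, whose SSH rule references only the bastion group. The same logic applies to Azure NSG rules or GCP firewall rules once their source fields are mapped onto the CIDR / group-reference split used here; an assessor can attach the raw inventory and the findings as the artifact of remote access connections that the Assessment Evidence section asks for.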
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Organizational policy with specific remote access usage restrictions, connection requirements, and implementation guidance. Documentation detailing the specifics of the encryption being used and how encryption for each type of remote access is configured. Artifact showing all remote access connections to the information system in-scope and the encryption type and strength.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD