AC-17: Remote Access

Control Family:

Access Control

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Baselines:

Next Version:

Control Statement

The organization:

  1. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  2. Authorizes remote access to the information system prior to allowing such connections.

Supplemental Guidance

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

Control Enhancements

AC-17(3): Managed Access Control Points

Baseline(s):

  • Moderate
  • High

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

AC-17(4): Privileged Commands / Access

Baseline(s):

  • Moderate
  • High

The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and Documents the rationale for such access in the security plan for the information system.

AC-17(6): Protection Of Information

Baseline(s):

(Not part of any baseline)

The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

AC-17(9): Disconnect / Disable Access

Baseline(s):

(Not part of any baseline)

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].