- Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
- Authorize each type of remote access to the system prior to allowing such connections.
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.
Employ automated mechanisms to monitor and control remote access methods.
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Route remote accesses through authorized and managed network access control points.
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and Document the rationale for remote access in the security plan for the system.
Protect information about remote access mechanisms from unauthorized use and disclosure.
Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].
Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].