AC-17: Remote Access

Control Family:

Access Control

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:


Previous Version:

Control Statement

  1. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  2. Authorize each type of remote access to the system prior to allowing such connections.

Supplemental Guidance

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.

Control Enhancements

AC-17(4): Privileged Commands and Access


  • Moderate
  • High

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and Document the rationale for remote access in the security plan for the system.

AC-17(9): Disconnect or Disable Access


(Not part of any baseline)

Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].

AC-17(10): Authenticate Remote Commands


(Not part of any baseline)

Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].