NetStable
Level 2 AC.L2-3.1.12

Monitor and control remote access sessions

📖 What This Means

This control requires organizations to actively track and manage remote connections to their systems. It means ensuring that only authorized users can access your network from outside locations, and that their activities are logged and reviewed. Think of it like having a security guard at a building entrance who checks IDs, records who comes and goes, and can kick out anyone misbehaving. For example, if an employee works from home, you need to verify their identity, limit what they can do remotely, and log their actions. Another example: if a vendor needs temporary access to fix a system, you'd give them limited-time credentials and monitor what they do during the session.

🎯 Why It Matters

Uncontrolled remote access is a top attack vector for data breaches. A 2022 Verizon report found that 60% of breaches involved credential misuse, often through remote access. Attackers exploit weak remote access controls to steal sensitive data or deploy ransomware. For defense contractors, a single compromised remote session could expose Controlled Unclassified Information (CUI) to foreign adversaries. The DoD prioritizes this control because remote work has expanded attack surfaces - a 2023 Pentagon audit found 40% of contractor breaches started with remote access vulnerabilities. Potential impacts include $5M+ in breach costs (per IBM's 2023 report), loss of contracts, and national security risks.

How to Implement

  1. Enable Azure AD Conditional Access or AWS IAM policies to enforce MFA for all remote users
  2. Configure session timeout policies (max 30 minutes inactivity) in Azure Virtual Desktop or AWS Workspaces
  3. Deploy CloudWatch (AWS) or Azure Monitor to log all remote access attempts and sessions
  4. Use AWS Session Manager or Azure Bastion for secure remote admin access instead of open RDP/SSH
  5. Set up alerts for anomalous remote access patterns (e.g., odd hours, multiple failed logins)

⏱️ Estimated Effort
2-3 days for basic implementation (mid-level IT skills), plus ongoing monitoring. Cloud setups are faster (1-2 days) if using native tools.
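As an added example (not part of the NetStable page), the alerting from step 5 applied to a constructed VPN access log in the CSV layout listed under Evidence Examples: it flags successful logins outside business hours, bursts of failed logins from one user and source IP, and a success that follows such a burst. Business hours, the failure threshold and the time window are assumed values to adjust to your policy.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log: timestamp, user ID, source IP, result, duration.
SAMPLE_LOG = """\
timestamp,user,src_ip,result,duration_s
2024-03-04T08:55:10,alice,203.0.113.10,success,1800
2024-03-04T09:02:41,bob,198.51.100.7,failure,0
2024-03-04T09:02:55,bob,198.51.100.7,failure,0
2024-03-04T09:03:08,bob,198.51.100.7,failure,0
2024-03-04T09:03:20,bob,198.51.100.7,failure,0
2024-03-04T09:03:33,bob,198.51.100.7,failure,0
2024-03-04T09:04:01,bob,198.51.100.7,success,600
2024-03-05T02:17:45,carol,192.0.2.55,success,7200
2024-03-05T14:30:00,dave,203.0.113.44,success,900
"""

BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local time (assumed policy)
FAIL_THRESHOLD = 5                   # failed logins from one user+IP pair ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this sliding window

def detect_anomalies(log_text, business_hours=BUSINESS_HOURS,
                     fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (rule, user, src_ip, timestamp) findings in log order."""
    findings = []
    failures = defaultdict(list)  # (user, src_ip) -> recent failure times
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        key = (row["user"], row["src_ip"])
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[key] if ts - t <= fail_window]
        if row["result"] == "failure":
            recent.append(ts)
            if len(recent) == fail_threshold:  # fire once per burst
                findings.append(("repeated_failures", *key, row["timestamp"]))
        else:
            if ts.hour not in business_hours:
                findings.append(("odd_hours_login", *key, row["timestamp"]))
            if len(recent) >= fail_threshold:  # burst, then a success
                findings.append(("success_after_failures", *key, row["timestamp"]))
            recent = []  # a success resets the failure counter
        failures[key] = recent
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG):
        print(*finding)
```

Each finding is the tuple a SIEM rule would raise as an alert; the third rule is the one worth an immediate investigation entry, since a success after a burst of failures is what a guessed or reused credential looks like in the log.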

📋 Evidence Examples

Remote Access Policy

Format: PDF/DOCX
Frequency: Annual review
Contents: Defines who can access systems remotely, required controls (MFA, time limits), and monitoring procedures
Collection: Export from document management system

VPN Access Logs

Format: CSV/EVTX
Frequency: Monthly
Contents: Timestamps, user IDs, connection durations, and source IPs
Collection: Export from firewall/VPN appliance

Session Recording Sample

Format: MP4/Log
Frequency: Quarterly
Contents: 5% sample of recorded privileged remote sessions
Collection: Random export from session recording tool

Access Review Report

Format: PDF
Frequency: Quarterly
Contents: Documentation of quarterly review to remove stale remote access accounts
Collection: Generate from IAM system

Alert Investigation Log

Format: TXT/PDF
Frequency: Per incident
Contents: Documentation of actions taken on remote access security alerts
Collection: Export from SIEM/ticketing system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.12 ("Monitor and control remote access sessions"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.12 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to monitor and control remote access sessions. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.12 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to monitor and control remote access sessions. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.12 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where monitoring and control of remote access sessions applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.12
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we maintain an up-to-date list of personnel authorized for remote access?

✅ YES → Proceed to Q2
❌ NO → GAP: Create an access control matrix in your IAM system. Remediate within 1 week.
Remediation:
Document authorized users in a spreadsheet or IAM tool, with manager approvals

Question 2: Is multi-factor authentication (MFA) required for all remote access methods?

✅ YES → Proceed to Q3
❌ NO → GAP: Enable MFA on VPN/RDP. Use Azure MFA or Duo for quick implementation (3 days max).
Remediation:
Configure MFA in your identity provider or VPN solution

Question 3: Are remote sessions automatically terminated after 30 minutes of inactivity?

✅ YES → Proceed to Q4
❌ NO → GAP: Set inactivity timeouts in Group Policy (Windows) or SSH config (Linux) within 2 days.
Remediation:
Configure 'MaxDisconnectionTime' in RDP or 'ClientAliveInterval' in SSH
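An added check for the SSH side of the Q3 remediation (example code, not from NetStable): it parses a constructed sshd_config, computes the effective ClientAliveInterval × ClientAliveCountMax timeout for the global settings and for any Match block override, and compares it with the 30-minute limit. The sample values and the 30-minute limit are assumptions; sshd's own defaults (interval 0, count 3) are used for keys that are absent.

```python
# Constructed sshd_config sample; the Match block shows a per-user override.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
# keepalive every 15 min, drop after 3 unanswered probes (45 min total)
ClientAliveInterval 900
ClientAliveCountMax 3
Match User backup
    ClientAliveInterval 0
"""

MAX_IDLE_SECONDS = 30 * 60  # the 30-minute limit from Q3 (assumed policy)

def parse_sshd_config(text):
    """Return (global options, {Match condition: options}); keys lower-cased, first value wins."""
    global_opts, match_opts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = value
            match_opts.setdefault(current, {})
            continue
        target = global_opts if current is None else match_opts[current]
        target.setdefault(key, value)  # sshd honours the first occurrence
    return global_opts, match_opts

def effective_timeout(opts):
    """Seconds until sshd drops an unresponsive client; 0 means never."""
    interval = int(opts.get("clientaliveinterval", 0))  # sshd default 0
    count = int(opts.get("clientalivecountmax", 3))     # sshd default 3
    return interval * count

def check_ssh_timeout(text, limit=MAX_IDLE_SECONDS):
    """Return (compliant, global timeout in seconds, non-compliant Match conditions)."""
    global_opts, match_opts = parse_sshd_config(text)
    base = effective_timeout(global_opts)
    bad = [cond for cond, opts in match_opts.items()
           if not 0 < effective_timeout({**global_opts, **opts}) <= limit]
    return (0 < base <= limit and not bad), base, bad
```

These keepalives end a session whose client has stopped responding; a user idle at a live terminal still answers them, so if the policy requires logging out idle users, pair the setting with a shell idle timeout such as bash's TMOUT.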

Question 4: Do we log and retain remote access activity for at least 90 days?

✅ YES → Proceed to Q5
❌ NO → GAP: Enable logging on VPN/firewall and forward to a SIEM. Use free Wazuh if needed (1 week effort).
Remediation:
Set up log forwarding and storage retention policies

Question 5: Are privileged remote sessions (admin access) recorded and reviewed?

✅ YES → COMPLIANT
❌ NO → GAP: Implement session recording for admin access using TermRecord (Linux) or native RDP logging (Windows) within 2 weeks.
Remediation:
Deploy session recording tools and document review process

⚠️ Common Mistakes (What Auditors Flag)

1. Using shared credentials for remote access

Why this happens: Convenience for IT staff managing multiple systems
How to avoid: Enforce individual accounts with MFA - no exceptions

2. Leaving RDP/SSH ports exposed to the internet

Why this happens: Misconfigured firewalls or 'temporary' exceptions
How to avoid: Always require VPN first, then internal access

3. Not reviewing remote access logs

Why this happens: Lack of staff/time to analyze data
How to avoid: Set up automated alerts for suspicious patterns

4. No process to revoke access promptly

Why this happens: Reliance on manual processes
How to avoid: Integrate HR offboarding with IAM system

5. Documenting policies but not enforcing technically

Why this happens: Policy/implementation disconnect
How to avoid: Validate controls with test remote sessions quarterly

📚 Parent Policy

This practice is governed by the Access Control Policy


📚 Related Controls