NetStable
Level 2 AC.L2-3.1.13

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions

📖 What This Means

This practice requires that organizations use encryption to secure remote access sessions, ensuring that sensitive data transmitted over these sessions cannot be intercepted or read by unauthorized parties. In plain terms, it means that when employees or contractors connect to your systems from outside the office, the connection must be encrypted to protect the information being accessed or transferred. For example, using a Virtual Private Network (VPN) with strong encryption ensures that even if someone intercepts the data, they cannot read it. Another example is using HTTPS for web-based access, which encrypts the data between the user's browser and the server.

🎯 Why It Matters

Remote access sessions are a common target for cyber attackers because they often bypass traditional perimeter defenses. Without encryption, sensitive data such as login credentials, emails, or files can be easily intercepted through techniques like man-in-the-middle attacks. A real-world example is the 2017 Equifax breach, where attackers exploited unencrypted web portals to steal sensitive data of 147 million people. The potential impact includes financial losses, regulatory fines, reputational damage, and loss of trust. The DoD emphasizes this control because protecting Controlled Unclassified Information (CUI) during remote access is critical to national security.

✅ How to Implement

  1. Enable SSL/TLS for all cloud services (e.g., AWS EC2, Azure Virtual Machines).
  2. Use VPN or Direct Connect (AWS) / ExpressRoute (Azure) for secure remote access.
  3. Configure Identity and Access Management (IAM) to enforce Multi-Factor Authentication (MFA).
  4. Use cloud-native encryption tools like AWS KMS or Azure Key Vault to manage encryption keys.
  5. Ensure all remote desktop protocols (RDP, SSH) are configured to use strong encryption (e.g., AES-256).
  6. Regularly audit and update encryption configurations using cloud monitoring tools.
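
Steps 1, 5 and 6 above come down to one configuration fact: the protocol floor is TLS 1.2 and it stays there. As an added illustration (this is not NetStable's code or any tool the page names), the Python snippet below uses the standard ssl module to build a legacy server context beside a hardened one, audits both the way step 6 asks for, and includes a live-endpoint check of the kind used to collect the "SSL/TLS Certificate Details" evidence. The cipher string, the 128-bit strength floor, the weak-suite name list and the ability of the local OpenSSL build to lower the floor to TLS 1.0 are assumptions.

```python
"""Added example: audit a TLS server configuration for a TLS 1.2 floor.

Not NetStable's code. Assumes Python 3.7+ (ssl.TLSVersion API) and an OpenSSL
build that still lets minimum_version be lowered to TLS 1.0 for the 'before' case.
"""
import socket
import ssl
import time

# Floor the control is normally assessed against; SSL 3.0, TLS 1.0 and
# TLS 1.1 sit below it (see "Common Mistakes", item 1).
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_2

# Suite-name fragments that indicate weak, broken or unauthenticated suites
# (assumed list; extend to match your own standard).
WEAK_SUITE_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def legacy_context() -> ssl.SSLContext:
    """'Before' configuration: a server context that re-enables TLS 1.0/1.1.

    Recent Python versions default to a TLS 1.2 floor, so this lowers it on
    purpose to model a gateway whose settings were never updated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_context() -> ssl.SSLContext:
    """'After' configuration: TLS 1.2 floor, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MINIMUM_ACCEPTABLE
    ctx.options |= ssl.OP_NO_COMPRESSION  # compression leaks plaintext length
    # TLS 1.2 suite list (assumed); TLS 1.3 suites are fixed by OpenSSL and are AEAD already.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < MINIMUM_ACCEPTABLE:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():  # every suite the context would offer
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(m in name.upper() for m in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def check_endpoint(host: str, port: int = 443) -> dict:
    """Connect to a live service and record what an assessor would screenshot:
    negotiated version, cipher suite and days until certificate expiry.

    Needs network access. Because the client floor is TLS 1.2, a server that
    only offers TLS 1.0/1.1 fails the handshake with ssl.SSLError, which is
    itself the finding.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_ACCEPTABLE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expires = ssl.cert_time_to_seconds(cert["notAfter"])
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_expires_in_days": int((expires - time.time()) // 86400),
            }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        result = audit_context(ctx)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run `audit_context` against the context your own gateway or application builds, and keep the printed result with the date as the "encryption configuration" evidence; `check_endpoint` gives the same three facts for a service you do not control the code of.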

⏱️ Estimated Effort

Implementation typically takes 10-20 hours, depending on the complexity of the environment. Requires intermediate-level IT expertise.

📋 Evidence Examples

Remote Access Policy

Format: PDF/DOC
Frequency: Annual updates.
Contents: Policy detailing encryption requirements for remote access.
Collection: Download from policy repository.

VPN Configuration Screenshot

Format: PNG/JPG
Frequency: After configuration changes.
Contents: Screenshot showing AES-256 encryption settings.
Collection: Capture from VPN admin console.

SSL/TLS Certificate Details

Format: TXT/CSV
Frequency: Quarterly.
Contents: Certificate details including expiration date and encryption strength.
Collection: Export from certificate management tool.

Access Logs

Format: CSV/LOG
Frequency: Monthly.
Contents: Logs showing encrypted remote access sessions.
Collection: Export from logging tool.

Penetration Testing Report

Format: PDF
Frequency: Annual.
Contents: Results of testing remote access encryption.
Collection: Obtain from security team.

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.13 ("Employ cryptographic mechanisms to protect the confidentiality of remote access sessions"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.13 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to employ cryptographic mechanisms to protect the confidentiality of remote access .... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.13 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to employ cryptographic mechanisms to protect the confidentiality of remote access .... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.13 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers every system within your defined CUI boundary where remote access sessions must be cryptographically protected
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.13
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented remote access policy that requires encryption?

✅ YES → Proceed to Q2.
❌ NO → GAP: Create a remote access policy with encryption requirements. Timeline: 1 week.
Remediation:
Use templates from NIST SP 800-53 or ISO 27001.

Question 2: Are all remote access sessions encrypted using AES-256 or equivalent?

✅ YES → Proceed to Q3.
❌ NO → GAP: Configure VPN or TLS encryption. Timeline: 2 weeks.
Remediation:
Use OpenVPN or AWS KMS for configuration.

Question 3: Are SSL/TLS certificates up to date and configured for all web-based access?

✅ YES → Proceed to Q4.
❌ NO → GAP: Renew certificates and enforce TLS 1.2+. Timeline: 1 week.
Remediation:
Use Let’s Encrypt for free certificates.

Question 4: Are access logs regularly reviewed for encrypted sessions?

✅ YES → Proceed to Q5.
❌ NO → GAP: Implement log monitoring and review process. Timeline: 2 weeks.
Remediation:
Use tools like Splunk or ELK for log analysis.

Question 5: Have you conducted penetration testing to validate encryption effectiveness?

✅ YES → Compliance confirmed.
❌ NO → GAP: Schedule penetration testing. Timeline: 1 month.
Remediation:
Hire a third-party tester or use tools like Metasploit.
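
Questions 2 and 4 ask whether sessions actually used strong encryption and whether the logs are reviewed to confirm it. The Python example below is added here (it is not NetStable's code) to show what such a review looks like over a constructed key=value gateway log, the kind of export listed under "Access Logs" in the evidence section: it flags sessions that established with a protocol below TLS 1.2 or with no encryption recorded at all (the "RDP without VPN" case), flags sessions that negotiated a weak cipher suite, and counts rejected legacy attempts separately as evidence that the floor is enforced. The log format, field names, user and IP values, and the protocol and cipher rules are assumptions; adapt them to your own gateway's export.

```python
"""Added example: review remote-access session logs for weak or missing encryption.

Not NetStable's code. The log format (timestamp followed by key=value pairs)
and the acceptance rules are assumptions.
"""
import re

# Constructed sample log; users, addresses and suites are made up for the example.
SAMPLE_LOG = """\
2024-05-02T08:14:03Z user=alice src=203.0.113.10 service=vpn proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 result=established
2024-05-02T08:20:41Z user=bob src=198.51.100.7 service=vpn proto=TLSv1.0 cipher=AES256-SHA result=established
2024-05-02T09:02:17Z user=carol src=203.0.113.55 service=rdp proto=none cipher=none result=established
2024-05-02T09:05:09Z user=dave src=192.0.2.33 service=https proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 result=established
2024-05-02T09:30:44Z user=erin src=192.0.2.80 service=ssh proto=SSH-2.0 cipher=aes256-gcm@openssh.com result=established
2024-05-02T10:11:58Z user=frank src=198.51.100.21 service=https proto=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA result=established
2024-05-02T10:40:12Z user=grace src=203.0.113.91 service=vpn proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA result=failed
"""

# Transports accepted as "encrypted remote access" for this review (assumed policy).
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3", "SSH-2.0"}
# Cipher-suite name fragments that mean the session was not adequately protected.
WEAK_CIPHER = re.compile(r"RC4|ARCFOUR|3DES|DES-CBC|NULL|MD5|EXPORT|ANON|ADH", re.I)


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    record = {"timestamp": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:  # a token without '=' means the line is not in the expected format
            return None
        record[key] = value
    return record


def review_sessions(log_text):
    """Return one finding per established session that fails the encryption rules."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or rec.get("result") != "established":
            continue  # rejected handshakes are counted in summarize(), not flagged
        reasons = []
        proto = rec.get("proto", "missing")
        if proto not in ACCEPTED_PROTOCOLS:
            reasons.append(f"protocol '{proto}' is not TLS 1.2+/SSH-2")
        cipher = rec.get("cipher", "missing")
        if WEAK_CIPHER.search(cipher):
            reasons.append(f"weak cipher suite '{cipher}'")
        if reasons:
            findings.append({
                "line": lineno,
                "user": rec.get("user"),
                "service": rec.get("service"),
                "src": rec.get("src"),
                "reasons": reasons,
            })
    return findings


def summarize(log_text):
    """Counts an assessor can compare against the VPN/gateway's own statistics."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    established = [r for r in records if r.get("result") == "established"]
    return {
        "sessions": len(records),
        "established": len(established),
        "rejected": len(records) - len(established),
        "flagged": len(review_sessions(log_text)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for f in review_sessions(SAMPLE_LOG):
        print(f"line {f['line']}: {f['user']} via {f['service']} from {f['src']}: "
              + "; ".join(f["reasons"]))
```

On the sample, bob (TLS 1.0), carol (RDP with no encryption recorded) and frank (RC4 suite) are flagged, while grace's TLS 1.1 attempt was rejected by the gateway and is counted rather than flagged. Keeping the monthly run's output alongside the raw export is the review record Question 4 asks for.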

⚠️ Common Mistakes (What Auditors Flag)

1. Using outdated encryption protocols like SSL 3.0 or TLS 1.0.

Why this happens: Lack of awareness or failure to update configurations.
How to avoid: Regularly audit and enforce TLS 1.2 or higher.

2. Failing to encrypt all remote access methods (e.g., RDP without VPN).

Why this happens: Partial implementation or oversight.
How to avoid: Ensure all remote access protocols are encrypted.

3. Not renewing SSL/TLS certificates before expiration.

Why this happens: Poor certificate management practices.
How to avoid: Set up automated renewal alerts.

4. Lack of documentation for encryption configurations.

Why this happens: Focus on implementation over documentation.
How to avoid: Maintain detailed records of all encryption settings.

5. Failing to test encryption effectiveness.

Why this happens: Assumption that encryption is sufficient without validation.
How to avoid: Conduct regular penetration testing.

📚 Parent Policy

This practice is governed by the Access Control Policy

View AC Policy →

📚 Related Controls