NetStable
Level 2 AC.L2-3.1.15

Authorize remote execution of privileged commands and remote access to security-relevant information

📖 What This Means

This control requires organizations to formally approve and document who can remotely execute high-level (privileged) commands or access sensitive security information from outside the network. Think of it like needing a signed permission slip before letting someone remotely control critical systems or view security logs. For example, an IT admin might need approval to reset passwords remotely, or a security analyst might require authorization to pull firewall logs from home. The goal is to prevent unauthorized changes or data leaks by ensuring only trusted personnel can perform these sensitive actions remotely.

🎯 Why It Matters

Uncontrolled remote privileged access is a top attack vector for data breaches. Attackers often exploit poorly managed remote access to escalate privileges and steal data. For example, the 2020 SolarWinds breach involved attackers gaining remote access to privileged accounts. The DoD specifically requires this control because CUI (Controlled Unclassified Information) must be protected from unauthorized remote access. A single compromised privileged account can cost organizations $4.5M on average (IBM Cost of a Data Breach 2023). This control mitigates insider threats and external attacks by ensuring accountability for sensitive remote actions.

How to Implement

  1. In AWS/Azure/GCP, create IAM policies that explicitly list which roles/users can perform privileged actions remotely (e.g., 'ec2:StopInstances' in AWS)
  2. Enable Just-In-Time (JIT) access for privileged roles using tools like Azure PIM or AWS IAM Access Analyzer
  3. Configure Conditional Access policies (Azure) or IAM Conditions (GCP) to require MFA and device compliance checks for remote privileged access
  4. Use CloudTrail (AWS), Azure Activity Logs, or GCP Audit Logs to monitor all remote privileged commands
  5. Document the approval process for remote privileged access in your cloud security policy

⏱️ Estimated Effort
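As an added example (not code from the NetStable page or from any vendor tool), the following Python check applies step 4 to constructed CloudTrail-style records: it flags remote privileged commands run by a role outside the approved list or without MFA, and ignores non-privileged calls and sessions from the internal network. The privileged actions beyond ec2:StopInstances, the authorized role name, the 10.0.0.0/8 internal range and the sample records are all assumptions.

```python
import ipaddress

# Privileged actions needing explicit authorization (the page's ec2:StopInstances plus two assumed ones).
PRIVILEGED_ACTIONS = {"ec2:StopInstances", "iam:AttachRolePolicy", "cloudtrail:StopLogging"}
AUTHORIZED_ROLES = {"RemoteAdminRole"}  # assumed: roles the policy authorizes for remote privileged use
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range: sessions from here are not "remote"

def is_remote(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. a service name in sourceIPAddress for AWS-initiated calls
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def role_of(identity):
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<session> -> RoleName (None for non-role principals)
    arn = identity.get("arn", "")
    return arn.split("assumed-role/")[1].split("/")[0] if "assumed-role/" in arn else None

def check_event(ev):
    """Return finding strings for one CloudTrail record; an empty list means the record is compliant."""
    action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
    if action not in PRIVILEGED_ACTIONS or not is_remote(ev.get("sourceIPAddress", "")):
        return []  # out of scope: not a privileged command, or not a remote session
    ident = ev.get("userIdentity", {})
    role = role_of(ident)
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
    findings = []
    if role not in AUTHORIZED_ROLES:
        findings.append(f"{ev['eventTime']} {action} by unauthorized principal {ident.get('arn')}")
    if not mfa:
        findings.append(f"{ev['eventTime']} {action} by {role or ident.get('arn')} without MFA")
    return findings

def audit(events):
    return [finding for ev in events for finding in check_event(ev)]

def _ev(time, source, name, ip, role, mfa):
    # Builder for constructed sample records; the field names match real CloudTrail records.
    return {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {"attributes": {"mfaAuthenticated": mfa}},
                             "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/session1"}}

SAMPLE_EVENTS = [  # constructed sample data, not a real trail
    _ev("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "StopInstances", "203.0.113.7", "RemoteAdminRole", "true"),
    _ev("2024-05-01T10:05:00Z", "ec2.amazonaws.com", "StopInstances", "203.0.113.8", "RemoteAdminRole", "false"),
    _ev("2024-05-01T10:10:00Z", "iam.amazonaws.com", "AttachRolePolicy", "198.51.100.4", "DeveloperRole", "true"),
    _ev("2024-05-01T10:15:00Z", "cloudtrail.amazonaws.com", "StopLogging", "10.20.30.40", "DeveloperRole", "false"),
    _ev("2024-05-01T10:20:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.9", "DeveloperRole", "false"),
]
```

Running `audit(SAMPLE_EVENTS)` yields two findings (the MFA-less authorized session and the unauthorized role); the internal StopLogging call is deliberately out of scope for this control and should be caught by a separate, non-remote check.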
2-3 days for basic implementation (mid-level IT skills), plus ongoing policy maintenance (2-4 hours/month)

📋 Evidence Examples

Remote Privileged Access Policy

Format: PDF/DOCX
Frequency: Annual review or when changes occur
Contents: Approval workflow, list of authorized roles, acceptable use guidelines
Collection: Export from document management system

Approved Access Request Forms

Format: PDF/CSV
Frequency: Per request
Contents: Requester name, approver, date, justification, duration
Collection: Screenshot from ticketing system (e.g., ServiceNow)

IAM Role Configuration Screenshot

Format: PNG
Frequency: When policies change
Contents: AWS IAM console showing 'AllowRemotePrivCommands' policy attached to specific roles
Collection: Screen capture with timestamp

Privileged Session Logs

Format: CSV/LOG
Frequency: Monthly
Contents: Timestamp, user, command executed, source IP
Collection: Export from PAM solution or SIEM

MFA Configuration Screenshot

Format: PNG
Frequency: When policies change
Contents: Azure Conditional Access policy requiring MFA for remote admin access
Collection: Screen capture with date visible

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.15 ("Authorize remote execution of privileged commands and remote access to security-relevant information"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.15 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to authorize remote execution of privileged commands and remote access to security-.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.15 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to authorize remote execution of privileged commands and remote access to security-.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.15 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where remote execution of privileged commands or remote access to security-relevant information can occur
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.15
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we have a documented policy that defines who can remotely execute privileged commands?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a Remote Access Privilege Policy template within 2 weeks
Remediation:
Use NIST SP 800-171 template as starting point

Question 2: Are all remote privileged access attempts logged with user, action, and timestamp?

✅ YES → Proceed to Q3
❌ NO → GAP: Enable logging in your PAM solution or SIEM within 1 week
Remediation:
Configure Splunk/Syslog to capture RDP/SSH sessions

Question 3: Is manager approval required before granting remote privileged access?

✅ YES → Proceed to Q4
❌ NO → GAP: Implement approval workflow in your ticketing system within 3 weeks
Remediation:
ServiceNow/Jira workflows with approval steps

Question 4: Are privileged remote sessions automatically terminated after 30 minutes of inactivity?

✅ YES → Proceed to Q5
❌ NO → GAP: Configure session timeouts in Group Policy/PAM solution within 1 week
Remediation:
Set 'MaxConnectionTime' in RDP/GPO settings

Question 5: Do we review remote privileged access logs quarterly?

✅ YES → COMPLIANT
❌ NO → GAP: Schedule quarterly log reviews starting next month
Remediation:
Create calendar reminder with assigned reviewer

⚠️ Common Mistakes (What Auditors Flag)

1. Using shared admin accounts for remote access

Why this happens: Convenience over security
How to avoid: Enforce individual accounts with MFA

2. Missing documentation of approval for specific individuals

Why this happens: Verbal approvals not recorded
How to avoid: Require digital approval forms for every request

3. Not logging the actual commands executed remotely

Why this happens: Basic logs only show login/logout
How to avoid: Implement session recording in PAM tools

4. Allowing permanent remote privileged access

Why this happens: Set-and-forget mentality
How to avoid: Use time-bound access (e.g., 4-hour JIT windows)

5. No separation between approval and execution roles

Why this happens: Small team constraints
How to avoid: At a minimum, ensure the requester, approver and executor are three different people

📚 Parent Policy

This practice is governed by the Access Control Policy
