NetStable
Level 2 SC.L2-3.13.7

Prevent remote devices from simultaneously establishing connections with organizational systems

📖 What This Means

This practice ensures that remote devices, like laptops or smartphones, cannot connect to your organization's systems from multiple locations at the same time. Think of it as ensuring that a single key can't open multiple doors simultaneously. This control helps prevent unauthorized access or misuse of your systems by ensuring that each remote device maintains a single, secure connection. For example, if an employee logs in from their laptop in the office, they shouldn’t also be able to access the same system from their home computer at the same time. This reduces the risk of someone exploiting multiple connections to gain unauthorized access or disrupt operations.

🎯 Why It Matters

Allowing simultaneous connections from remote devices introduces significant security risks. For instance, if an attacker gains access to a remote device, they could use it to establish multiple connections, potentially spreading malware or stealing sensitive data. A notable example is the 2017 Equifax breach, where attackers exploited remote access vulnerabilities to steal data from millions of users. Simultaneous connections can also lead to resource exhaustion, slowing down or crashing systems. From a DoD/CMMC perspective, this control is critical for protecting Controlled Unclassified Information (CUI) and ensuring that defense contractors maintain secure remote access practices. Failure to implement this control could result in data breaches, financial losses, and damage to your organization's reputation.

How to Implement

  1. Configure your cloud identity provider (e.g., Azure AD, AWS IAM) to enforce single-session policies for remote users.
  2. Use Conditional Access policies in Azure AD to restrict simultaneous logins from multiple devices.
  3. Implement session timeout and reauthentication requirements in your cloud applications.
  4. Enable logging and monitoring in your cloud environment to detect and block simultaneous connections.
  5. Utilize cloud-native tools like AWS Session Manager or Azure Bastion to manage remote access securely.
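As an added illustration of step 4 (and of the "Remote Access Logs" evidence artifact below), the following Python script is not part of the NetStable page or any vendor product. It replays a constructed set of VPN connect/disconnect records and flags every case where a user opens a second session from a different device while an earlier session is still active. The log layout, field names, and sample values are all assumptions; a reconnect from the same device is deliberately not flagged, since that is the normal behaviour after a dropped client.

```python
# Added example, not from the NetStable page: detect overlapping remote
# sessions per user across different devices. Log format is an assumption.
from collections import defaultdict
from datetime import datetime

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample log lines: "timestamp event user device src_ip"
SAMPLE_LOG = """\
2024-03-01T08:00:00 CONNECT alice LAPTOP-01 203.0.113.10
2024-03-01T08:05:00 CONNECT bob LAPTOP-07 198.51.100.5
2024-03-01T08:10:00 CONNECT alice HOME-PC 192.0.2.44
2024-03-01T08:30:00 DISCONNECT alice LAPTOP-01 203.0.113.10
2024-03-01T09:00:00 DISCONNECT bob LAPTOP-07 198.51.100.5
2024-03-01T09:15:00 CONNECT bob LAPTOP-07 198.51.100.5
2024-03-01T09:20:00 DISCONNECT alice HOME-PC 192.0.2.44
"""


def parse_line(line):
    """Split one whitespace-delimited record into typed fields."""
    ts, event, user, device, src_ip = line.split()
    return datetime.strptime(ts, LOG_FORMAT), event, user, device, src_ip


def find_concurrent_sessions(log_text):
    """Return (user, existing_device, new_device, timestamp) for every CONNECT
    that arrives while the same user already holds an open session on a
    different device. Sessions are tracked per (user, device) so that a
    reconnect from the same device is treated as a continuation, not a breach."""
    open_sessions = defaultdict(dict)  # user -> {device: connect_time}
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, device, _src_ip = parse_line(line)
        if event == "CONNECT":
            for other_device in open_sessions[user]:
                if other_device != device:
                    violations.append((user, other_device, device, ts))
            open_sessions[user][device] = ts
        elif event == "DISCONNECT":
            open_sessions[user].pop(device, None)
    return violations


if __name__ == "__main__":
    for user, old, new, ts in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: session on {old} still open when {new} connected")
```

The same comparison, run at connect time instead of over exported logs, is the check a VPN or identity provider applies when it enforces a single-session limit.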
⏱️ Estimated Effort
Implementation typically takes 10-20 hours, depending on the complexity of your environment. This task requires intermediate-level IT skills.

📋 Evidence Examples

Remote Access Policy

Format: PDF/DOCX
Frequency: Annually or when updated.
Contents: Policy outlining rules for single-session remote access, including enforcement mechanisms.
Collection: Export from your document management system.

VPN Configuration Screenshots

Format: PNG/JPG
Frequency: After initial setup and after changes.
Contents: Screenshots showing session limits and single-session enforcement settings.
Collection: Capture from VPN management console.

Remote Access Logs

Format: CSV/TXT
Frequency: Monthly.
Contents: Logs showing single-session enforcement and blocked simultaneous connection attempts.
Collection: Export from VPN or authentication server.

Training Records

Format: PDF/XLSX
Frequency: Annually.
Contents: Records of employee training on remote access policies.
Collection: Export from LMS or HR system.

Testing Results

Format: PDF/DOCX
Frequency: After initial setup and after changes.
Contents: Documentation of tests verifying single-session enforcement.
Collection: Record results in a test report.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SC.L2-3.13.7 ("Prevent remote devices from simultaneously establishing connections with organizational systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SC.L2-3.13.7 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to prevent remote devices from simultaneously establishing connections with organiz.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SC.L2-3.13.7 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to prevent remote devices from simultaneously establishing connections with organiz.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SC.L2-3.13.7 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Document network architecture with CUI boundary clearly marked
  • Identify all encryption mechanisms (at rest and in transit)
  • Specify network monitoring and IDS/IPS deployment
  • Ensure this control covers all systems within your defined CUI boundary where it applies, i.e., every system a remote device could connect to
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Communications Protection Policy
  • 📄 Network architecture diagram
  • 📄 Firewall rule documentation
  • 📄 Encryption configuration documentation
  • 📄 Evidence artifacts specific to SC.L2-3.13.7
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a policy that explicitly prohibits simultaneous remote connections?

✅ YES → Proceed to Q2.
❌ NO → GAP: Create or update your remote access policy to include single-session enforcement. Timeline: 1 week.
Remediation:
Draft a policy using templates from NIST SP 800-53 or CMMC guidelines.

Question 2: Does your VPN or remote access solution enforce single-session connections?

✅ YES → Proceed to Q3.
❌ NO → GAP: Configure your VPN or remote access solution to enforce single-session limits. Timeline: 2 weeks.
Remediation:
Refer to your VPN vendor's documentation for setup instructions.

Question 3: Are logs maintained to track and block simultaneous connection attempts?

✅ YES → Proceed to Q4.
❌ NO → GAP: Enable logging in your VPN or authentication server. Timeline: 1 week.
Remediation:
Use tools like Splunk or ELK Stack to centralize and monitor logs.

Question 4: Have employees been trained on remote access policies?

✅ YES → Proceed to Q5.
❌ NO → GAP: Conduct training sessions on remote access policies. Timeline: 1 month.
Remediation:
Use LMS platforms like Moodle or Docebo for training.

Question 5: Have you tested your single-session enforcement controls?

✅ YES → Compliance confirmed.
❌ NO → GAP: Perform testing and document results. Timeline: 1 week.
Remediation:
Use tools like Nessus or OpenVAS for vulnerability testing.

⚠️ Common Mistakes (What Auditors Flag)

1. No explicit policy for single-session enforcement.

Why this happens: Organizations assume technical controls are sufficient without policy backing.
How to avoid: Develop and enforce a formal remote access policy.

2. VPN allows multiple sessions by default.

Why this happens: Default configurations often prioritize convenience over security.
How to avoid: Review and adjust VPN settings to enforce single-session limits.

3. Logs are not enabled or monitored.

Why this happens: Logging is seen as optional or too resource-intensive.
How to avoid: Enable logging and use SIEM tools for monitoring.

4. Employees are unaware of remote access policies.

Why this happens: Lack of training or communication.
How to avoid: Conduct regular training sessions and distribute policy updates.

5. Testing is not performed regularly.

Why this happens: Testing is overlooked or deemed unnecessary.
How to avoid: Schedule periodic tests and document results.

📚 Parent Policy

This practice is governed by the System and Communications Protection Policy.

