Access Control 3.1.12

Monitor and control remote access sessions.


What Is This CMMC Control?

Organizations must actively monitor and control who connects remotely to their systems: when connections occur, what users do during remote sessions, and whether the access complies with security policy. This includes logging remote access attempts, monitoring active sessions for suspicious activity, and having the ability to terminate unauthorized or suspicious remote connections.

Control Intent

To ensure that remote access to organizational systems is continuously monitored for unauthorized activity, policy violations, and security threats, while maintaining the ability to control and terminate remote sessions when necessary to protect CUI and system integrity.

Who This Control Applies To

  • Any system or network that allows remote access from external networks
  • VPN concentrators and remote access gateways
  • Remote desktop services and terminal servers
  • Cloud-based systems accessed remotely by employees or contractors
  • Jump boxes and bastion hosts used for remote administration
  • Systems accessed via dial-up, broadband, or wireless connections
  • Mobile device management platforms supporting remote access
  • Privileged access management systems for remote administrative access

Not Applicable When

  • The organization has no remote access capabilities whatsoever
  • All access occurs exclusively from physically secured on-premises locations with no external network connectivity
  • Systems are completely air-gapped with no remote access methods available

Key Objectives

  1. Remote access sessions are logged and monitored for unauthorized access attempts and suspicious activity
  2. Organizations maintain visibility into active remote access sessions and user activities
  3. Remote access sessions can be controlled and terminated when policy violations or security threats are detected
  4. Remote access monitoring verifies ongoing compliance with organizational remote access policies

Sample Self-Assessment Questions (Partial)

Do any employees, contractors, or administrators access your systems remotely from outside your physical office?

What methods do people use to connect remotely (VPN, remote desktop, web portal, direct internet access)?

Implementation Approaches (High-Level)

VPN Concentrator with Integrated Logging and Session Management

Enterprise VPN solution with built-in logging, real-time session visibility, and administrative controls to monitor and terminate sessions.

Remote Desktop Gateway with Session Monitoring

Microsoft Remote Desktop Gateway or equivalent solution providing centralized remote access to Windows systems with comprehensive session logging and control.

Privileged Access Management (PAM) Solution

Dedicated PAM platform providing session monitoring, recording, and control for privileged remote access to critical systems.

Cloud Access Security Broker (CASB) for SaaS Remote Access

CASB solution providing visibility and control over remote access to cloud-based applications and services.

Network Access Control (NAC) with Remote Access Monitoring

NAC solution providing visibility and control over remote devices connecting to the network, with session monitoring and enforcement capabilities.

SIEM-Based Remote Access Monitoring

Security Information and Event Management platform aggregating remote access logs from multiple sources for centralized monitoring, correlation, and alerting.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control, for example: the remote access policy and the monitoring procedures it requires; configuration records for VPN concentrators, remote desktop gateways, PAM and SIEM tools showing that session logging and alerting are enabled; audit logs of remote connections (user, source, time, duration) and samples of the alerts they generate; records of log reviews and of sessions terminated for policy violations; and periodic access reviews of accounts permitted remote access.

Plan of Action & Milestones (POA&M)

  • If remote access exists but no monitoring is in place, this is a significant finding requiring immediate remediation; prioritize implementing basic logging and log review.
  • Implement monitoring in phases: start with the most critical remote access methods (privileged access, VPN) before expanding to all methods.
  • If monitoring tools exist but are not actively used, focus the POA&M on establishing regular review processes and assigning responsibilities.
  • For organizations with limited resources, consider cloud-based or managed SIEM solutions to reduce implementation complexity.
  • If session termination capability does not exist, this may require infrastructure changes; allow sufficient time in the POA&M for procurement and implementation.
  • Coordinate the POA&M with related controls (AU-2, AU-6 and SI-4 in NIST SP 800-53, which correspond to the Audit and Accountability and System and Information Integrity requirements in SP 800-171) to avoid duplicative effort and leverage common solutions.
  • For cloud-based remote access, work with service providers to obtain the necessary monitoring capabilities or evidence; this may require contract modifications.
  • If multiple remote access methods exist with inconsistent monitoring, prioritize standardization on a centralized monitoring approach.
  • Consider quick wins: enabling existing logging features, configuring basic alerts, or implementing simple log review processes while working toward a comprehensive solution.
  • Document interim compensating controls, such as more frequent manual reviews or restricted remote access, until automated monitoring is fully implemented.

Frequently Asked Questions

Does this control require monitoring of user activities during remote sessions, or just logging connections and disconnections?

The control requires both. 'Monitor and control' implies visibility into active sessions and the ability to detect policy violations or threats during sessions, not just at connection time. While logging connections is necessary, organizations should also monitor for suspicious activities during sessions, such as unusual data access, privilege escalation, or policy violations. The level of session activity monitoring may vary based on risk, with privileged sessions typically requiring more detailed monitoring.

If we use a VPN with strong encryption, do we still need to monitor remote access sessions?

Yes. While VPNs provide confidentiality for data in transit, this control specifically requires monitoring and controlling the sessions themselves. The supplemental guidance acknowledges that encrypted VPNs may allow treating connections as internal networks for some purposes, but monitoring requirements still apply. You must log who connects, when, from where, and have the ability to detect and respond to unauthorized or suspicious remote access regardless of encryption.

What is the difference between monitoring remote access sessions and monitoring the network for malicious code?

These are separate but related activities. This requirement (which maps to AC-17(1), Remote Access Monitoring and Control, in NIST SP 800-53) focuses on who is accessing systems remotely, whether sessions comply with policy, and the ability to terminate sessions. Monitoring for malicious code (SI-3 and SI-4 in SP 800-53; 3.14.2 and 3.14.6 in SP 800-171) focuses on detecting threats in network traffic. The supplemental guidance notes that VPN encryption can make malware detection in network traffic more difficult, which is why both types of monitoring are needed and may require different technical approaches; in practice, traffic inspection has to happen where the tunnel terminates, whereas session monitoring can be built from the connection and authentication events the VPN or gateway already produces.

How frequently must remote access logs be reviewed to satisfy this control?

The control does not specify a particular frequency, but 'monitor' implies ongoing or regular review, not sporadic or ad-hoc checks. The appropriate frequency depends on your risk profile, volume of remote access, and available resources. Many organizations review logs daily or weekly, with automated alerting for high-risk events enabling real-time response. During assessment, you must demonstrate that reviews occur regularly, are documented, and are sufficient to detect unauthorized access or policy violations in a timeframe appropriate to your risk.

Does this control apply to employees accessing cloud applications like Microsoft 365 from home?

Yes, if those cloud applications are in your CMMC scope and contain CUI. Remote access includes any access from external networks, regardless of whether you own the infrastructure. You must monitor who accesses cloud systems containing CUI, from where, and when. This may require implementing a CASB, using cloud-native monitoring tools, or obtaining monitoring evidence from your cloud service provider. The key is demonstrating visibility and control over remote access to CUI, regardless of where systems are hosted.

Can we satisfy this control by reviewing VPN logs once per month?

Monthly review alone is likely insufficient to satisfy the 'monitor' requirement, which implies more frequent or continuous oversight. While monthly reviews may be part of your process, you should also have real-time or near-real-time alerting for high-risk events (failed authentication attempts, unusual access patterns, privileged access). The combination of automated alerting and regular log review demonstrates active monitoring. An assessor will evaluate whether your monitoring frequency is adequate to detect and respond to threats and policy violations in a reasonable timeframe.
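The SIEM-based approach listed under Implementation Approaches and the alerting described in the two preceding answers both come down to rules evaluated over remote access logs. The following Python is an added example, not code from this page or from any vendor product. It parses constructed VPN log lines in a syslog-like format assumed for the example, raises alerts for an authentication-failure burst, a login that succeeds right after such a burst, an off-hours login and a privileged-account session, keeps a table of active sessions, and lists sessions that have exceeded an assumed maximum duration so an operator or an automated hook can terminate them. The thresholds, the business-hours window, the `admin-` account prefix and the log format are all assumptions made for the example.

```python
"""Rule-based monitor for remote access session logs (added example, not from the page)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Log format assumed for this example (syslog-like, one event per line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|session) (?P<event>\S+)(?P<fields>.*)$"
)

# Policy thresholds: assumptions chosen for the example, not values from the page.
FAIL_THRESHOLD = 5                     # failures per (user, src) within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
PRIOR_FAILURES_SUSPICIOUS = 3          # a success after this many recent failures is flagged
BUSINESS_HOURS = range(6, 20)          # 06:00-19:59 UTC
MAX_SESSION = timedelta(hours=8)       # longer active sessions are candidates for termination
PRIVILEGED_PREFIX = "admin-"           # assumed account naming convention

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-04T02:11:05Z vpn01 auth FAIL user=jdoe src=203.0.113.7 reason=bad_password
2024-03-04T02:11:09Z vpn01 auth FAIL user=jdoe src=203.0.113.7 reason=bad_password
2024-03-04T02:11:14Z vpn01 auth FAIL user=jdoe src=203.0.113.7 reason=bad_password
2024-03-04T02:11:20Z vpn01 auth FAIL user=jdoe src=203.0.113.7 reason=bad_password
2024-03-04T02:11:26Z vpn01 auth FAIL user=jdoe src=203.0.113.7 reason=bad_password
2024-03-04T02:12:00Z vpn01 session START id=101 user=jdoe src=203.0.113.7
2024-03-04T08:29:50Z vpn01 auth FAIL user=asmith src=198.51.100.20 reason=bad_password
2024-03-04T08:30:00Z vpn01 session START id=102 user=asmith src=198.51.100.20
2024-03-04T09:00:00Z vpn01 session START id=103 user=admin-ops src=192.0.2.44
2024-03-04T09:15:00Z vpn01 session END id=102 user=asmith src=198.51.100.20
"""
NOW = datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc)  # evaluation time for the example


def parse_line(line):
    """Parse one log line into a dict; trailing key=value fields become dict keys."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    for token in rec.pop("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def _alert(rule, rec):
    return {"rule": rule, "user": rec["user"], "src": rec["src"], "ts": rec["ts"].isoformat()}


def analyze(log_text, now):
    """Return alerts, the active-session table and the session ids due for termination."""
    alerts = []
    failures = defaultdict(deque)      # (user, src) -> timestamps of recent failures
    active = {}                        # session id -> START record
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        if rec["kind"] == "auth" and rec["event"] == "FAIL":
            window = failures[key]
            window.append(rec["ts"])
            while rec["ts"] - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:            # fire once, when the threshold is crossed
                alerts.append(_alert("auth_failure_burst", rec))
        elif rec["kind"] == "session" and rec["event"] == "START":
            active[rec["id"]] = rec
            recent = [t for t in failures[key] if rec["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= PRIOR_FAILURES_SUSPICIOUS:
                alerts.append(_alert("success_after_failures", rec))
            if rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append(_alert("off_hours_login", rec))
            if rec["user"].startswith(PRIVILEGED_PREFIX):
                alerts.append(_alert("privileged_remote_session", rec))
        elif rec["kind"] == "session" and rec["event"] == "END":
            active.pop(rec["id"], None)
    # The "control" half of the requirement: sessions still open past the policy maximum.
    terminate = sorted(sid for sid, s in active.items() if now - s["ts"] > MAX_SESSION)
    return {"alerts": alerts, "active": active, "terminate": terminate}


def run_example():
    return analyze(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    result = run_example()
    for a in result["alerts"]:
        print(f"ALERT {a['rule']:<26} user={a['user']} src={a['src']} at {a['ts']}")
    print("active sessions:", ", ".join(sorted(result["active"])))
    print("terminate (exceeded max duration):", ", ".join(result["terminate"]))
```

Run as written, the sample produces four alerts (the jdoe failure burst, jdoe's success right after it, jdoe's off-hours login, and the admin-ops privileged session), shows sessions 101 and 103 still active, and marks 101 for termination because it has been open longer than the assumed eight-hour maximum. The single asmith failure before a successful login stays below the threshold and is not flagged, which is the kind of tuning an assessor will expect you to be able to explain. Actually disconnecting a session is vendor-specific (a VPN concentrator, RD Gateway or PAM API call), so the example stops at the decision and leaves the action to the platform in use.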

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.