Access Control 3.1.13 (3.1.13)

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.


What Is This CMMC Control?

This control requires organizations to use encryption to protect remote access sessions, ensuring that data transmitted during remote connections cannot be intercepted or read by unauthorized parties. This applies to any connection where users access organizational systems from outside the physical security boundary, such as VPN connections, remote desktop sessions, or web-based access to internal systems.

Control Intent

To prevent unauthorized disclosure of CUI during remote access sessions by ensuring all data transmitted between remote users and organizational systems is encrypted using cryptographically strong mechanisms.

Who This Control Applies To

  • All systems that allow remote access to CUI or systems processing CUI
  • VPN concentrators and remote access gateways
  • Remote desktop services and terminal servers
  • Web applications accessed remotely that handle CUI
  • Cloud-based services accessed over the internet
  • Administrative access to network devices and servers from remote locations
  • Third-party and contractor remote access connections
  • Mobile device access to organizational resources

Not Applicable When

  • Access occurs entirely within the physical security boundary of the organization
  • Systems do not process, store, or transmit CUI
  • Remote access is completely prohibited by organizational policy and technically enforced
  • Systems are air-gapped with no network connectivity

Key Objectives

  • Ensure all remote access sessions are encrypted using FIPS-validated or NSA-approved cryptographic mechanisms
  • Prevent interception and unauthorized disclosure of CUI transmitted during remote access sessions
  • Maintain confidentiality of authentication credentials and session data during remote connections

Sample Self-Assessment Questions (Partial)

Do you allow employees, contractors, or administrators to access your systems remotely from outside your office?

What methods do you use for remote access (VPN, remote desktop, web portal, cloud applications)?

Implementation Approaches (High-Level)

FIPS-Validated VPN Solution

Deploy a VPN concentrator or gateway that uses FIPS 140-2 validated cryptographic modules to encrypt all remote access traffic before it enters the organizational network.

Remote Desktop Gateway with TLS Encryption

Implement Microsoft Remote Desktop Gateway or equivalent solution that wraps remote desktop sessions in FIPS-validated TLS encryption.

FIPS-Compliant Web Application Access

Configure web applications and portals to use FIPS-validated TLS encryption for all remote access sessions, with proper certificate validation and strong cipher suites.

SSH with FIPS-Approved Algorithms

Configure SSH servers and clients to use only FIPS 140-2 approved cryptographic algorithms for remote administrative access to Linux/Unix systems and network devices.

Cloud Access Security Broker (CASB) with Encryption Enforcement

Deploy a CASB solution to enforce encryption requirements for remote access to cloud-based applications and services, ensuring FIPS-compliant encryption is used.

Zero Trust Network Access (ZTNA) with FIPS Encryption

Implement a Zero Trust Network Access solution that enforces FIPS-validated encryption for all remote access sessions while providing granular access controls and continuous verification.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

If remote access exists but does not use FIPS-validated encryption, this is a significant finding requiring immediate remediation.

Prioritize remediation based on:

  • 1) Systems with CUI accessible remotely
  • 2) Administrative remote access
  • 3) Third-party remote access

Short-term compensating controls:

  • Disable remote access until a FIPS-compliant solution is implemented
  • Restrict remote access to specific IP addresses with additional monitoring
  • Require physical presence for CUI access

Remediation steps:

  • 1) Inventory all remote access methods
  • 2) Verify FIPS validation of current solutions
  • 3) Configure FIPS mode and disable weak protocols
  • 4) Test encryption enforcement
  • 5) Document and validate configuration

Common POA&M milestones:

  • 30 days - Complete remote access inventory and gap analysis
  • 60 days - Procure and deploy FIPS-validated solution
  • 90 days - Complete configuration and testing
  • 120 days - Full implementation and validation

Budget considerations: FIPS-validated VPN solutions, potential hardware upgrades for encryption performance, licensing for enterprise remote access solutions, consulting for implementation and validation.

If legacy systems cannot support FIPS encryption, consider:

  • Network segmentation to eliminate the remote access requirement
  • Replacement or upgrade of legacy systems
  • Alternative access methods (physical access only)
  • Formal risk acceptance with compensating controls

Document all remote access methods, including shadow IT, personal VPN usage, or undocumented remote access capabilities. Ensure the POA&M addresses not just technology deployment but also configuration validation, user training, and ongoing monitoring.
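The "SSH with FIPS-Approved Algorithms" approach above and remediation steps 3) and 4) of this POA&M (configure FIPS mode, then test that only approved algorithms are enforced) both come down to checking what the SSH daemon actually negotiates, not what the config file says. The POSIX shell script below is an added example, not code from the page or from any vendor: it parses `sshd -T` style output (the effective server configuration) and flags any cipher, MAC, or key-exchange algorithm outside an allowlist. The allowlist is an assumption for illustration only; the authoritative list for your deployment is the Security Policy of the FIPS 140-2 validated module you run. The two samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit the *effective* OpenSSH server configuration (output of `sshd -T`)
# against an allowlist of FIPS 140-2 approved algorithm names.
#
# ASSUMPTION: the lists below are an illustrative, deliberately conservative
# allowlist. Replace them with the algorithms named in the Security Policy of
# the validated cryptographic module your SSH build actually links against.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"
FIPS_MACS="hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
FIPS_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512"

# in_list WORD "a b c" -> exit 0 if WORD is one of the space-separated items
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audit_sshd_config: reads "keyword value" lines (as printed by `sshd -T`) on
# stdin, prints one FINDING line per non-approved algorithm, and returns 0 only
# if every advertised cipher, MAC and KEX algorithm is on the allowlist.
audit_sshd_config() {
    findings=0
    while read -r keyword value; do
        case "$keyword" in
            ciphers)       allowed="$FIPS_CIPHERS" ;;
            macs)          allowed="$FIPS_MACS" ;;
            kexalgorithms) allowed="$FIPS_KEX" ;;
            *)             continue ;;   # other keywords are out of scope here
        esac
        # sshd -T prints algorithm lists comma-separated; split and check each
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            if ! in_list "$alg" "$allowed"; then
                printf 'FINDING: %s advertises non-approved algorithm %s\n' "$keyword" "$alg"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# count_findings TEXT -> prints how many non-approved algorithms TEXT advertises
count_findings() {
    printf '%s\n' "$1" | audit_sshd_config | grep -c '^FINDING:' || true
}

# fips_kernel_flag: on Linux, /proc/sys/crypto/fips_enabled reads "1" when the
# kernel was booted in FIPS mode. A clean algorithm audit without this flag
# still does not satisfy the "operate in FIPS mode" requirement.
fips_kernel_flag() {
    [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = 1 ]
}

# Constructed sample: a server still advertising non-FIPS algorithms
# (chacha20-poly1305, umac-64, curve25519) ahead of approved ones.
SAMPLE_WEAK='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256'

# Constructed sample: the same server after the allowlist has been applied.
SAMPLE_FIPS='ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512'

# Stand-alone run: audit the weak sample. On a real host replace the printf
# with `sshd -T | audit_sshd_config` and pair it with fips_kernel_flag.
if printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_config; then
    echo "RESULT: no non-approved algorithms advertised"
else
    echo "RESULT: non-approved algorithms present; see FINDING lines above"
fi
```

Running the audit against `sshd -T` rather than grepping `sshd_config` matters because `sshd -T` reflects compiled-in defaults, included files, and `Match` blocks; a config file that never mentions `Ciphers` still advertises the build's default list. Keep the audit output with the POA&M evidence for step 5).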

Frequently Asked Questions

What does FIPS-validated cryptography mean for remote access?

FIPS-validated cryptography means the cryptographic modules used for encryption have been tested and certified by NIST under the FIPS 140-2 standard. For remote access, this requires using VPN solutions, TLS implementations, or other encryption technologies that have valid FIPS 140-2 certificates and are configured to operate in FIPS mode. Simply using strong encryption algorithms is not sufficient - the implementation must be formally validated.

Can we use a commercial VPN service for remote access to meet this control?

Most commercial VPN services do not use FIPS-validated cryptography and cannot be configured to meet this requirement. Organizations must deploy enterprise VPN solutions that have FIPS 140-2 validation certificates and can be configured to operate in FIPS mode. Additionally, the organization must control and configure the VPN solution to ensure proper encryption enforcement.

Does this control apply to employees working from home on their home network?

Yes, this control applies to any remote access session where users connect from outside the organization's physical security boundary, including home networks, coffee shops, hotels, or any other remote location. All such connections must use FIPS-validated encryption regardless of the perceived security of the remote location.

What happens if we discover an unencrypted remote access method during assessment?

Any unencrypted remote access method that could be used to access CUI or systems processing CUI is a significant finding that will likely result in control failure. The assessor will require immediate remediation, which typically means disabling the unencrypted access method until FIPS-compliant encryption can be implemented. This may result in a POA&M with aggressive timelines.

Do we need FIPS-validated encryption for remote access to systems that don't contain CUI?

The control applies to remote access sessions that could access CUI or systems in the CUI environment. If a system is completely outside the CMMC scope and has no connection to CUI systems, this control may not apply. However, organizations must carefully document scope boundaries and ensure remote access to out-of-scope systems cannot be used as a pivot point to access CUI.

Is TLS 1.2 or TLS 1.3 sufficient to meet this control?

TLS 1.2 or 1.3 protocols alone are not sufficient. The TLS implementation must use a FIPS 140-2 validated cryptographic module, be configured with FIPS-approved cipher suites, and operate in FIPS mode. Many TLS implementations support FIPS compliance but require specific configuration. Organizations must verify FIPS validation and proper configuration, not just the protocol version.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.