Access Control 3.1.14
Route remote access via managed access control points.
What Is This CMMC Control?
All remote access to systems containing CUI must be routed through designated, managed access control points rather than allowing direct connections. This ensures the organization maintains visibility and control over who is accessing systems remotely and can enforce security policies consistently.
Control Intent
To establish centralized oversight and enforcement of security policies for remote access by requiring all remote connections to pass through managed access control points, thereby reducing the risk of unauthorized access to CUI.
Who This Control Applies To
- Organizations with employees, contractors, or partners who access CUI remotely
- Systems containing CUI that require remote access capabilities
- Cloud-hosted systems and applications containing CUI
- Remote desktop services, VPN connections, and remote administration tools
- Third-party vendor access to systems containing CUI
- Telecommuting and work-from-home scenarios involving CUI access
Not Applicable When
- The organization has no remote access to systems containing CUI
- All CUI access occurs exclusively on-premises with no remote connectivity
- Systems are completely air-gapped with no network connectivity
- The organization has formally documented that no remote access is permitted and has technical controls preventing it
Key Objectives
1. Ensure all remote access connections are routed through designated, organizationally-managed access control points.
2. Prevent direct remote access to systems containing CUI that bypasses organizational security controls.
3. Maintain visibility and logging of all remote access attempts and sessions.
4. Enable consistent enforcement of authentication, authorization, and security policies for remote access.
Sample Self-Assessment Questions (Partial)
Do any employees, contractors, or vendors access your systems remotely?
What methods do people use to access your systems from outside the office (VPN, remote desktop, web portal, etc.)?
Implementation Approaches (High-Level)
VPN Concentrator with Forced Routing
Deploy a VPN concentrator or gateway that all remote users must connect through, with technical controls that disable split tunneling (so all traffic from the remote endpoint, not only traffic bound for CUI systems, traverses the gateway) and firewall rules that block any path to CUI systems other than through the concentrator.
Zero Trust Network Access (ZTNA) / Software-Defined Perimeter
Implement a ZTNA or SDP solution that acts as a managed access control point, authenticating and authorizing each connection request before granting access to specific resources.
Remote Desktop Gateway / Jump Server
Deploy a hardened Remote Desktop Gateway or jump server that all remote administrative access must pass through, with no direct remote access to target systems permitted.
Cloud Access Security Broker (CASB)
Implement a CASB solution that acts as a managed access control point for cloud services and SaaS applications containing CUI.
Secure Web Gateway with Remote Access
Deploy a secure web gateway that remote users connect through, providing managed access control for web-based applications and services containing CUI.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If direct remote access bypassing managed access control points is currently possible, create a POA&M with a milestone to implement technical controls preventing direct access.
- If split tunneling is currently allowed, create a POA&M to disable split tunneling and enforce all traffic through managed access control points.
- If cloud services containing CUI are accessed without routing through managed access control points, create a POA&M to implement CASB or an equivalent solution.
- If multiple unmanaged remote access methods exist, create a POA&M to consolidate and standardize on managed access control points.
- If monitoring and logging of remote access is insufficient, create a POA&M to implement comprehensive logging at managed access control points.
- The POA&M should include specific technical milestones such as firewall rule implementation, VPN configuration changes, or deployment of new access control technologies.
- Interim compensating controls might include enhanced monitoring, restricted remote access permissions, or manual review processes until technical controls are implemented.
- POA&M completion criteria should include evidence that all remote access is technically enforced to route through managed access control points.
Frequently Asked Questions
Does this control require all remote access to go through a VPN?
Not necessarily. While VPN is a common implementation, the control requires routing through managed access control points, which could be VPN, ZTNA, RD Gateway, CASB, or other solutions that provide centralized control and monitoring. The key requirement is that remote access is managed and controlled, not the specific technology used.
How does this control apply to cloud services and SaaS applications?
Cloud services and SaaS applications containing CUI must also be accessed through managed access control points. This might be implemented through CASB, ZTNA, secure web gateway, or identity-aware proxy solutions that provide centralized authentication, authorization, and monitoring of cloud service access.
Can we allow direct remote desktop access to individual computers if users authenticate with MFA?
No. Even with MFA, direct remote desktop access bypasses the managed access control point requirement. All remote access must be routed through designated access control points (such as RD Gateway or VPN) to maintain centralized visibility, control, and consistent policy enforcement.
What if we need emergency remote access when the VPN is down?
Emergency access procedures should still route through a managed access control point, such as a backup VPN concentrator or alternative gateway. If truly no managed access control point is available, emergency direct access should be documented as an exception, require explicit authorization, use compensating controls (enhanced logging, restricted permissions), and be reviewed afterward.
Does this control apply to vendor or third-party remote access?
Yes. All remote access to systems containing CUI must route through managed access control points, including vendor, contractor, and third-party access. Organizations should not allow vendors to use their own remote access tools that bypass organizational controls.
How do we prevent users from using personal VPN services or remote access tools?
Technical controls should prevent unauthorized remote access methods, such as application whitelisting, network monitoring for unauthorized VPN protocols, endpoint detection and response (EDR) tools, and firewall rules blocking direct access. User awareness training should also address the prohibition of unauthorized remote access tools.
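The implementation approaches above (RD Gateway or jump server, VPN concentrator with forced routing) and this answer both reduce to one check that an assessor will want to see run: does any remote-administration session reach a CUI host without first passing through a managed access control point? The Python script below, added here as an example and not code from the original page or from any vendor, runs that check over a firewall connection log. Everything in it is an assumption chosen for illustration: the RD Gateway address 10.10.0.5, the VPN client pool 10.20.0.0/24, the CUI enclave 10.30.0.0/24, the office LAN 10.40.0.0/24, the port list, and the simplified log format (constructed sample lines, not any product's real format). Sources that are neither on-premises nor a managed access control point are treated as remote, so an unknown private range is flagged rather than trusted.

```python
"""Audit a firewall connection log for remote access that bypasses the
managed access control points (added example, not from the original page)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports whose traffic into the CUI enclave must originate from a managed
# access control point. Assumption: tailor this list to your environment.
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# Constructed addresses for the example; none of these come from the page.
MANAGED_ACCESS_POINTS = [
    ipaddress.ip_network("10.10.0.5/32"),   # hardened RD Gateway / jump host
    ipaddress.ip_network("10.20.0.0/24"),   # VPN concentrator client pool
]
CUI_ENCLAVE = [ipaddress.ip_network("10.30.0.0/24")]
ON_PREM_LAN = [ipaddress.ip_network("10.40.0.0/24")]   # office desktops, not remote


@dataclass(frozen=True)
class Connection:
    line_no: int
    action: str          # ALLOW or DENY as logged by the firewall
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str        # "high" = bypass succeeded, "info" = bypass attempted but blocked
    src: str
    dst: str
    service: str
    detail: str


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def parse_line(line_no: int, line: str) -> Optional[Connection]:
    """Parse one constructed log line: '<ts> <ACTION> TCP <src>:<sport> -> <dst>:<dport>'."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->" or parts[2] != "TCP":
        return None   # skip blank, malformed, or non-TCP lines
    src, _ = parts[3].rsplit(":", 1)
    dst, dport = parts[5].rsplit(":", 1)
    return Connection(line_no, parts[1].upper(),
                      ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def classify(conn: Connection) -> Optional[Finding]:
    """Return a Finding when a remote source reaches a CUI host on an admin port
    without passing through a managed access control point."""
    if conn.dport not in REMOTE_ADMIN_PORTS or not _in_any(conn.dst, CUI_ENCLAVE):
        return None
    # Sources that are legitimately not "remote": the enclave itself, the office
    # LAN, and traffic that already came through a managed access control point.
    if _in_any(conn.src, CUI_ENCLAVE + ON_PREM_LAN + MANAGED_ACCESS_POINTS):
        return None
    # Fail closed: any other source (public or unknown private range) is treated
    # as direct remote access that skipped the gateway/VPN.
    service = REMOTE_ADMIN_PORTS[conn.dport]
    if conn.action == "ALLOW":
        return Finding(conn.line_no, "high", str(conn.src), str(conn.dst), service,
                       "direct remote access allowed; bypasses managed access control point")
    return Finding(conn.line_no, "info", str(conn.src), str(conn.dst), service,
                   "direct remote access attempted and denied; confirm the deny rule is intentional")


def audit(log_text: str) -> list:
    """Run classify() over every line of a log and collect the findings."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        conn = parse_line(n, line)
        if conn is not None:
            finding = classify(conn)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample log: lines 3 and 6 are successful bypasses, line 4 is a
# blocked attempt, line 7 is HTTPS and outside this check's scope.
SAMPLE_LOG = """
2024-05-01T08:00:01Z ALLOW TCP 10.20.0.17:51234 -> 10.30.0.10:3389
2024-05-01T08:00:05Z ALLOW TCP 10.10.0.5:40001 -> 10.30.0.11:3389
2024-05-01T08:01:10Z ALLOW TCP 203.0.113.42:55000 -> 10.30.0.10:3389
2024-05-01T08:02:00Z DENY TCP 198.51.100.9:44000 -> 10.30.0.12:22
2024-05-01T08:03:30Z ALLOW TCP 10.40.0.23:50000 -> 10.30.0.10:3389
2024-05-01T08:04:00Z ALLOW TCP 192.168.77.4:50100 -> 10.30.0.13:5985
2024-05-01T08:05:00Z ALLOW TCP 203.0.113.42:55001 -> 10.30.0.10:443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.src} -> {f.dst} ({f.service}): {f.detail}")
```

A "high" finding is direct evidence for the first POA&M item above (direct access is possible) and should be closed with a firewall rule that only admits these ports from the managed access control points; an "info" finding shows the deny rule working and is the kind of log an assessor will accept as evidence that bypass is technically prevented. Web-facing CUI applications on 443 are deliberately not covered here; they need the CASB, secure web gateway or identity-aware proxy path described earlier.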
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Ready to Get Full Guidance?
Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.
Information sourced from NIST SP 800-171 Rev. 2.