Access Control 3.1.15 (3.1.15)

Authorize remote execution of privileged commands and remote access to security-relevant information.

Get Full Guidance

What Is This CMMC Control?

This control requires organizations to implement authorization mechanisms before allowing users to remotely execute privileged commands or access security-relevant information. Remote access to administrative functions, security settings, or sensitive system data must be explicitly authorized and controlled to prevent unauthorized individuals from executing commands that could compromise system security or integrity.

Control Intent

Prevent unauthorized remote execution of privileged commands and unauthorized remote access to security-relevant information that could compromise system security, bypass security controls, or cause catastrophic damage to organizational systems.

Who This Control Applies To

  • Systems that allow remote access to administrative functions
  • Systems that permit remote execution of privileged commands
  • Systems containing security-relevant information accessible remotely
  • Jump servers and privileged access workstations
  • Remote administration tools and platforms
  • Cloud management consoles and APIs
  • Systems with remote PowerShell, SSH, or similar capabilities
  • Remote desktop services with administrative access
  • Systems where remote users can modify security configurations
  • Network devices managed remotely

Not Applicable When

  • Systems with no remote access capabilities whatsoever
  • Standalone systems with no network connectivity
  • Systems that only allow remote access to non-privileged functions and non-security-relevant information
  • Air-gapped systems with physical access only

Key Objectives

  • 1Ensure that remote execution of privileged commands requires explicit authorization before execution
  • 2Ensure that remote access to security-relevant information requires explicit authorization before access is granted
  • 3Prevent unauthorized individuals from remotely executing commands that control, monitor, or administer system security functions
  • 4Protect the integrity of systems by controlling remote access to functions that could enable bypassing security controls

Sample Self-Assessment Questions (Partial)

Does your organization allow employees or administrators to remotely access systems with administrative or privileged capabilities?

Do you have remote access tools that allow execution of commands with elevated privileges (such as remote PowerShell, SSH with sudo, or remote desktop with admin rights)?

Implementation Approaches (High-Level)

Privileged Access Management (PAM) Solution

Centralized PAM platform that enforces authorization workflows before granting remote privileged access and controls session execution

Jump Server with Authorization Gateway

Dedicated jump server or bastion host that requires explicit authorization before allowing remote privileged access to target systems

Cloud IAM with Conditional Access and Approval Workflows

Cloud-native identity and access management with conditional access policies and approval workflows for privileged operations

Network Access Control with Authorization Integration

Network-level controls that enforce authorization before allowing remote connections to privileged services

Application-Level Authorization for Privileged Functions

Applications and systems enforce authorization checks before allowing execution of privileged commands or access to security-relevant information

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

If no authorization mechanism exists for remote privileged access, prioritize implementing centralized PAM or jump server solution as high-risk gap If authorization exists but is not technically enforced, document compensating controls (enhanced monitoring, frequent access reviews) and plan for technical enforcement If authorization is inconsistent across systems, prioritize systems with highest CUI exposure or greatest privileged access risk If emergency access bypasses authorization, implement compensating controls (enhanced logging, immediate review, time-limited credentials) and plan for emergency authorization workflow If third-party remote access lacks authorization controls, implement immediate compensating controls and plan for integration with authorization system Acceptable interim controls: Enhanced logging and real-time monitoring of remote privileged access, frequent access reviews, time-limited privileged credentials, restricted remote access to specific IP ranges with enhanced monitoring POA&M should specify which systems or access paths lack authorization controls and prioritize based on CUI exposure and privilege level Consider phased implementation starting with highest-risk systems (production, CUI-containing, internet-facing) Ensure POA&M addresses both technical controls and procedural controls (approval workflows, access reviews)

Related CMMC Controls

3.1.13.1.23.1.53.1.113.1.123.3.13.3.23.5.33.13.11

Frequently Asked Questions

What is the difference between authentication and authorization in the context of this control?

Authentication verifies who you are (username/password, MFA), while authorization determines what you are allowed to do. This control requires authorization beyond authentication - even after a user successfully authenticates remotely, they must receive explicit authorization before executing privileged commands. Multi-factor authentication alone does not satisfy this control.

Does this control require approval for every single privileged command executed remotely?

Not necessarily for every individual command, but authorization must be verified before privileged access is granted. This can be implemented as session-level authorization (approval required before starting a privileged remote session), time-based authorization (access granted for approved maintenance window), or ticket-based authorization (access tied to approved change request). The key is that authorization is explicit and verified, not automatic based on role alone.

How do we define what constitutes a 'privileged command' or 'security-relevant information' in our environment?

Privileged commands are those that control, monitor, or administer system security functions - such as creating users, changing security configurations, accessing audit logs, or modifying access controls. Security-relevant information includes anything that could impact security functions or enable bypassing security controls - such as security configurations, encryption keys, audit logs, or system architecture details. Organizations should document their definitions based on their specific systems and risk assessment.

Can we use role-based access control (RBAC) to satisfy this control's authorization requirement?

RBAC alone is typically insufficient because it authorizes based on role assignment, which is usually a standing authorization. This control requires verification of authorization before each privileged remote access session or operation. RBAC can be part of the solution if combined with session-specific authorization mechanisms such as approval workflows, just-in-time access provisioning, or time-limited privilege elevation.

What should we do about emergency or break-glass remote privileged access that cannot wait for approval?

Emergency access should still have authorization controls, but they can be different from normal access. Acceptable approaches include: pre-authorized emergency access with enhanced monitoring and immediate post-access review, automated authorization based on specific emergency conditions with real-time alerting, or time-limited emergency credentials that are automatically revoked and reviewed. The key is that emergency access is logged, monitored, and reviewed to ensure it was legitimately used.

Does this control apply to service accounts or automated processes that execute privileged commands remotely?

Yes, this control applies to any remote execution of privileged commands, including automated processes. Service accounts and automation should have documented authorization for their privileged remote access, typically through approved configuration management, defined in security architecture, and subject to regular review. The authorization may be standing but must be explicit, documented, and periodically validated rather than implicit or uncontrolled.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Learn More About ConformatIQ

Ready to Get Full Guidance?

Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.

Request Full Guidance

Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.