Control Remote Access
Monitor and control remote access sessions.
What an assessor scores, the objectives
AC.L2-3.1.12 is met only when every one of these 4 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- [a] remote access sessions are permitted
- [b] the types of permitted remote access are identified
- [c] remote access sessions are controlled
- [d] remote access sessions are monitored
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.12, an assessor uses these:
Examine: access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; remote access authorizations; system audit logs and records; other relevant documents or records
Interview: personnel with responsibilities for managing remote access connections; system or network administrators; personnel with information security responsibilities
Test: remote access management capability for the system
What it means, in context
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). NIST SP 800-46, SP 800-77, and SP 800-113 provide guidance on secure remote access and virtual private networks.
Remote access connections pass through untrusted networks and therefore require proper security controls such as encryption to ensure data confidentiality. Initialization of all remote sessions should ensure that only authorized users and devices are connecting. After the remote session is established, the connection is monitored to track who is accessing the network remotely and what files are being accessed during the session. Remote access sessions can encompass more than just remote connections back to a headquarters network. Access to cloud-based email providers or server infrastructures is also relevant to this requirement if those environments contain CUI.

This requirement, AC.L2-3.1.12, requires the control of remote access sessions and complements five other requirements dealing with remote access (AC.L2-3.1.14, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):
- AC.L2-3.1.14 limits remote access to specific access control points.
- AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
- AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
- IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
- Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

Example
You often need to work from remote locations, such as your home or client sites, and you are permitted to access your organization's internal networks (including a network containing CUI) from those remote locations [a]. A system administrator issues you a company laptop with VPN software installed, which is required to connect to the networks remotely [b]. After the laptop connects to the VPN server, you must accept a privacy notice that states that the company's security department may monitor the connection. This monitoring is achieved through the analysis of data from sensors on the network notifying IT if issues arise. The security department may also review audit logs to see who is connecting remotely, when, and what information they are accessing [d]. During session establishment, the message "Verifying Compliance" means software like a Device Health Check (DHC) application is checking the remote device to ensure it meets the established requirements to connect [c].

Potential Assessment Considerations
- Do policies identify when remote access is permitted and what methods must be used [a,b]?
- Are systems configured to permit only approved remote access sessions (e.g., disallow remote access sessions by default) [c]?
- Are automated or manual mechanisms employed for monitoring remote connections? If the monitoring is manual, does it occur at a frequency commensurate with the level of risk [d]?
What passing evidence looks like
A remote access section in policy naming the permitted types (VPN, cloud portal, vendor support), Conditional Access or VPN configs enforcing it, and a sign-in or session log showing that monitoring happens.
Common ways contractors fail AC.L2-3.1.12
- In a cloud tenant, effectively ALL access is remote. Say so in the policy and show Conditional Access as the control; that is a clean answer assessors accept.
- Vendor remote support (your MSP's tool) is a remote access type. Name it in the policy, or it becomes an unauthorized session type.
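As an added example (not from this page or any product), here is how objectives [b], [c] and [d] and the two pitfalls above translate into a check over session records: the policy names the permitted types, any type it does not name is flagged by default (the MSP tool pitfall), device health check results are enforced where the policy requires them, and a report shows who connected, when, and by which type. The policy, the session records and their field names are constructed assumptions, not any vendor's log schema.

```python
from collections import Counter

# Assumed policy, modeled on the page's list of permitted types: each type says
# whether a device health check must pass before the session is allowed.
POLICY = {
    "vpn": {"device_check_required": True},
    "cloud_portal": {"device_check_required": True},
    "vendor_support": {"device_check_required": False},
}

# Constructed session records standing in for VPN / identity-provider sign-in log
# entries. Field names are assumptions, not a real product's schema.
SESSIONS = [
    {"user": "alice", "type": "vpn", "device_compliant": True, "mfa": True, "start": "2026-03-02T08:05Z"},
    {"user": "bob", "type": "cloud_portal", "device_compliant": False, "mfa": True, "start": "2026-03-02T08:40Z"},
    {"user": "msp-tech", "type": "msp_remote_tool", "device_compliant": True, "mfa": True, "start": "2026-03-02T09:15Z"},
    {"user": "carol", "type": "vendor_support", "device_compliant": False, "mfa": False, "start": "2026-03-02T10:00Z"},
]


def evaluate_session(session):
    """Return the policy findings for one session; an empty list means it passes."""
    findings = []
    rule = POLICY.get(session["type"])
    if rule is None:
        # Objective [b] / deny by default: a type the policy never named is an
        # unauthorized session type, exactly the unnamed-MSP-tool pitfall.
        findings.append("access type not identified in policy")
    elif rule["device_check_required"] and not session["device_compliant"]:
        # Objective [c]: the Device Health Check the guide's example describes failed.
        findings.append("device health check failed")
    if not session["mfa"]:
        # Companion requirement IA.L2-3.5.3: multifactor authentication for network access.
        findings.append("no multifactor authentication")
    return findings


def monitoring_report(sessions):
    """Objective [d]: who connected, by which type, and which sessions need review."""
    by_type = Counter(s["type"] for s in sessions)
    flagged = [(s["user"], s["start"], f) for s in sessions if (f := evaluate_session(s))]
    return {"total": len(sessions), "by_type": dict(by_type), "flagged": flagged}


if __name__ == "__main__":
    report = monitoring_report(SESSIONS)
    print(f"{report['total']} sessions by type: {report['by_type']}")
    for user, start, findings in report["flagged"]:
        print(f"{start} {user}: {', '.join(findings)}")
```

The per-type counts and the flagged list are the kind of record an assessor expects to see reviewed at a stated frequency under objective [d].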
The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove AC.L2-3.1.12, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
AC.L2-3.1.12 questions, answered
How many points is CMMC requirement AC.L2-3.1.12 worth?
AC.L2-3.1.12 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can AC.L2-3.1.12 be placed on a POA&M?
No. AC.L2-3.1.12 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does AC.L2-3.1.12 belong to?
AC.L2-3.1.12 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2, 3.1.12