AC.L2-3.1.13 · NIST SP 800-171 3.1.13

Remote Access Confidentiality

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

5 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.13 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. cryptographic mechanisms to protect the confidentiality of remote access sessions are identified
  • b. cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.13, an assessor uses these:

Examine

Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; system developers

Test

Cryptographic mechanisms protecting remote access sessions

What it means, in context

Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.

A remote access session involves logging into the organization’s systems such as its internal network or a cloud service provider from a remote location such as home or an alternate work site. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. Although not explicitly required to meet AC.L2-3.1.13 requirements, this remote access session must be secured using FIPS-validated cryptography to provide confidentiality and prevent anyone from deciphering session information exchanges.

This requirement, AC.L2-3.1.13, requires the use of cryptographic mechanisms when enabling remote sessions and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):

  • AC.L2-3.1.12 requires the control of remote access sessions.
  • AC.L2-3.1.14 limits remote access to specific access control points.
  • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
  • IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
  • Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

Example

You are responsible for implementing a remote network access capability for users who access CUI remotely. In order to provide session confidentiality, you decide to implement a VPN mechanism and select a product that has completed FIPS 140 validation [a,b].

Potential Assessment Considerations

  • Are cryptographic mechanisms used for remote access sessions (e.g., Transport Layer Security (TLS) and Internet Protocol Security (IPSec) using FIPS-validated encryption algorithms) defined and implemented [a,b]? Note that simply using an approved algorithm is not sufficient – the module (software and/or hardware) used to implement the algorithm must be separately validated under FIPS 140.

What passing evidence looks like

A note naming the cryptography protecting each remote path (TLS 1.2+ for cloud, the VPN cipher suite) and a configuration screenshot for each.
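One way to keep that note honest is to score the remote access inventory against objectives [a] and [b] before the assessor does. This is an added example, not part of the original page or of any assessment tool; the record layout, the `SAMPLE` inventory and the function names are assumptions. It shows that a mechanism is named and switched on, not that the module is FIPS 140 validated.

```python
import socket
import ssl

ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}  # the page's "TLS 1.2+" wording

# Constructed sample inventory; path names and values are illustrative.
SAMPLE = [
    {"path": "Cloud tenant (HTTPS)", "kind": "tls", "mechanism": "TLS 1.2+",
     "observed": {"protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"}},
    {"path": "VPN gateway", "kind": "vpn", "mechanism": "IPsec ESP, AES-256-GCM",
     "observed": {"cipher": "AES-256-GCM"}},
    {"path": "Legacy admin portal", "kind": "tls", "mechanism": "",
     "observed": {"protocol": "TLSv1.1", "cipher": "AES128-SHA"}},
]

def probe_tls(host, port=443, timeout=5.0):
    """Live capture for a TLS path: negotiated protocol and cipher."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocols
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name, "bits": bits}

def assess(paths):
    """Score remote access paths against objectives [a] and [b]."""
    findings = []
    for p in paths:
        mechanism = (p.get("mechanism") or "").strip()
        obs = p.get("observed") or {}
        identified = bool(mechanism)                      # objective [a]
        if p.get("kind") == "tls":
            implemented = obs.get("protocol") in ACCEPTED_TLS
        else:
            # VPN and similar: the observed cipher must be the documented one.
            cipher = (obs.get("cipher") or "").lower()
            implemented = bool(cipher) and cipher in mechanism.lower()
        findings.append({"path": p.get("path"), "a": identified, "b": implemented})
    # All-or-nothing: an empty inventory or any missed objective is "not met".
    met = bool(findings) and all(f["a"] and f["b"] for f in findings)
    return {"met": met, "findings": findings}

if __name__ == "__main__":
    result = assess(SAMPLE)
    for f in result["findings"]:
        print(f)
    print("AC.L2-3.1.13 met:", result["met"])
```

The `observed` field of a TLS record can be filled from `probe_tls()` run against your own endpoint; VPN records take the cipher suite from the gateway's configuration export.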

Common ways contractors fail AC.L2-3.1.13

  • For the confidentiality of the session this requirement wants cryptographic mechanisms IDENTIFIED and IMPLEMENTED. FIPS validation specifically matters at SC.L2-3.13.11; here, name the mechanism and show it is on.

Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.13 questions, answered

How many points is CMMC requirement AC.L2-3.1.13 worth?

AC.L2-3.1.13 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AC.L2-3.1.13 be placed on a POA&M?

No. AC.L2-3.1.13 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AC.L2-3.1.13 belong to?

AC.L2-3.1.13 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.13