AC.L2-3.1.14 · NIST SP 800-171 3.1.14

Remote Access Routing

Route remote access via managed access control points.

1 point if not met · POA&M eligible · 2 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.14 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. managed access control points are identified and implemented
  • b. remote access is routed through managed network access control points

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.14, an assessor uses these:

Examine

Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; list of all managed network access control points; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities

Test

Mechanisms routing all remote accesses through managed network access control points

What it means, in context

Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.

The OSA can route all remote access through a limited number of remote access control points to reduce the attack surface and simplify network management. This allows for better monitoring and control of the remote connections. This requirement, AC.L2-3.1.14, limits remote access to specific access control points and complements five other requirements dealing with remote access (AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.15, IA.L2-3.5.3, and MA.L2-3.7.5):

  • AC.L2-3.1.12 requires the control of remote access sessions.
  • AC.L2-3.1.13 requires the use of cryptographic mechanisms when enabling remote sessions.
  • AC.L2-3.1.15 requires authorization for privileged commands executed during a remote session.
  • IA.L2-3.5.3 requires multifactor authentication for network access to non-privileged accounts.
  • Finally, MA.L2-3.7.5 requires the addition of multifactor authentication for remote maintenance sessions.

Example

You manage systems for a company that processes CUI at multiple locations, and several employees at different locations need to connect to the organization’s networks while working remotely. Because each company location has a direct connection to headquarters, you decide to route all remote access through the headquarters location [a]. All remote traffic is routed through a single location to simplify monitoring [b].

Potential Assessment Considerations

  • How many managed access control points are implemented [a]?
  • Is all remote access routed through the managed access control points [b]?

What passing evidence looks like

A sentence naming your managed access control points (the Entra sign in edge, the VPN concentrator) and firewall or Conditional Access screenshots showing remote traffic has no other way in.

Common ways contractors fail AC.L2-3.1.14

  • Split paths are the failure: a forgotten port forward to a NAS or an exposed RDP port is an unmanaged access point. Scan your own public IP before the assessor does.
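
One way to look for the split paths described above from the configuration side, as an added example that is not part of the original page or of any product it mentions: it compares an exported list of inbound firewall rules with the inventory of managed access control points. The rule format, rule names, addresses and the `10.0.0.0/8` internal range are constructed assumptions.

```python
import ipaddress

# Assumption: the organization's internal IPv4 space; any other source is remote.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_remote_source(cidr):
    """True when the source range reaches beyond the internal networks."""
    net = ipaddress.ip_network(cidr)
    return not any(net.subnet_of(n) for n in INTERNAL_NETS)

def audit_remote_paths(rules, managed_points):
    """Compare inbound rules with the managed access control point inventory.

    Returns (unmanaged, unimplemented):
      unmanaged     - enabled rules admitting remote sources to a destination
                      that is not a listed managed point (objective [b] gap)
      unimplemented - listed managed points with no enabled remote rule
                      (objective [a] gap: identified but not implemented)
    """
    managed = set(managed_points.values())
    unmanaged, seen = [], set()
    for r in rules:
        # Disabled rules and internal-only sources are not remote access paths.
        if not r["enabled"] or not is_remote_source(r["src"]):
            continue
        target = (r["dst"], r["port"])
        if target in managed:
            seen.add(target)
        else:
            unmanaged.append(r["name"])
    unimplemented = sorted(n for n, t in managed_points.items() if t not in seen)
    return unmanaged, unimplemented

# Constructed sample data, not taken from any real environment.
MANAGED_POINTS = {"vpn-concentrator": ("10.0.0.5", 443),
                  "backup-vpn": ("10.0.0.6", 443)}
SAMPLE_RULES = [
    {"name": "vpn-in", "src": "0.0.0.0/0", "dst": "10.0.0.5", "port": 443, "enabled": True},
    {"name": "nas-forward", "src": "0.0.0.0/0", "dst": "10.0.0.40", "port": 5001, "enabled": True},
    {"name": "rdp-vendor", "src": "203.0.113.0/24", "dst": "10.0.0.20", "port": 3389, "enabled": True},
    {"name": "old-ssh", "src": "0.0.0.0/0", "dst": "10.0.0.30", "port": 22, "enabled": False},
    {"name": "branch-mgmt", "src": "10.20.0.0/16", "dst": "10.0.0.20", "port": 3389, "enabled": True},
]

if __name__ == "__main__":
    unmanaged, unimplemented = audit_remote_paths(SAMPLE_RULES, MANAGED_POINTS)
    print("Rules bypassing managed points:", unmanaged)
    print("Listed points with no rule:", unimplemented)
```

A source-restricted rule such as the constructed `rdp-vendor` entry is still reported, because it admits remote traffic without passing through a listed managed point.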

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.14, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.14 questions, answered

How many points is CMMC requirement AC.L2-3.1.14 worth?

AC.L2-3.1.14 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AC.L2-3.1.14 be placed on a POA&M?

Yes. A gap on AC.L2-3.1.14 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does AC.L2-3.1.14 belong to?

AC.L2-3.1.14 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.14