Control: The organisation:
B. Authorises remote access to the information system prior to allowing such connections.
Supplemental Guidance:
Remote access is access to organisational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organisations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organisation that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organisational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorisation prior to allowing remote access without specifying the formats for such authorisation. While organisations may use interconnection security agreements to authorise remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.
Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
Remote Access Control Enhancements:
AC-17 (1) Remote Access - Automated monitoring / control
The information system monitors and controls remote access methods.
AC-17 (2) Remote Access - Protection of confidentiality / integrity using encryption
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (3) Remote Access - Managed access control points
The information system routes all remote accesses through [Assignment: organisation-defined number] managed network access control points.
AC-17 (4) Remote Access - Privileged commands / access
The organisation:
(a) Authorises the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organisation-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Related control: AC-6.
AC-17 (5) Remote Access - Monitoring for unauthorised connections
[Withdrawn: Incorporated into SI-4].
AC-17 (7) Remote Access - Additional protection for security function access
[Withdrawn: Incorporated into AC-3 (10)].
AC-17 (8) Remote Access - Disable nonsecure network protocols
[Withdrawn: Incorporated into CM-7].
AC-17 (9) Remote Access - Disconnect / disable access
The organisation provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organisation-defined time period].
Supplemental Guidance: This control enhancement requires organisations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organisational information systems.