
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.12

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.12

January 06, 2026 • 3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.12 – Monitor and control remote access sessions.

Understanding the Requirement

This control requires that remote access to your environment is explicitly allowed, limited to identified types and users, actively controlled while connected, and monitored for anomalous or unauthorized use. In practical terms you must define who can connect, how they connect (VPN, remote desktop gateway, etc.), enforce strong authentication and encryption, and collect logs so sessions can be reviewed and terminated if needed. This guidance implements the requirement as stated in NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.

Technical Implementation

  • Standardize on an encrypted, centrally managed VPN: Choose a VPN solution that supports modern cryptography (AES-256, TLS 1.2/1.3) and centralized user/session management. Disable legacy protocols (PPTP, L2TP without IPsec) and require the company VPN client for all remote connections.
  • Enforce strong authentication and device authorization: Require multi-factor authentication (MFA) for all remote sessions. Use certificate-based authentication or integrate VPN authentication with your identity provider (SSO/AD) so only authorized user accounts and managed devices can connect. Maintain a device inventory and block unmanaged or unknown endpoints.
  • Control session behavior via configuration and firewall rules: Force remote sessions to pass through your perimeter firewall and apply access control lists (ACLs) or segmented VLANs to limit which internal systems are reachable. Disable split-tunneling unless strictly required; if enabled, restrict routes to only necessary subnets.
  • Enable detailed logging and centralized collection: Configure VPN and gateway appliances to log session start/stop, username, source IP, device identifier (if available), and bytes transferred. Forward logs to a central syslog server, cloud log service, or lightweight SIEM so you can search and retain them (recommended retention: 90 days minimum, longer for regulated data).
  • Detect, alert, and respond to suspicious sessions: Create automated alerts for events such as logins from unusual geolocations, simultaneous logins from different locations for the same user, excessive data transfer, or expired credentials. Define playbooks to terminate sessions and force password resets or device quarantine when alerts fire.
  • Apply session controls and timeouts: Configure idle session timeouts (e.g., 10–15 minutes), maximum session durations, and reauthentication for privilege escalation. Use access policies to restrict RDP/SSH exposure and require remote desktop gateway or jump hosts rather than exposing internal systems directly.

Example in a Small or Medium Business

Acme Widgets has 45 employees and a small IT team. They roll out a centrally managed VPN appliance that requires a company-issued laptop, machine certificate, and MFA via an authenticator app. Remote sessions are forced through the corporate firewall, which restricts access to internal servers based on group membership; contractors only get access to the collaboration VLAN, not finance systems. The VPN client and gateway both log user ID, device certificate fingerprint, source IP, and session duration; logs are forwarded to a cloud log service with a 180-day retention configured. The IT admin creates alerts for concurrent logins from geographically distant IPs and for large outbound transfers; when an alert triggers the admin can terminate the specific VPN session and open an incident ticket. Acme documents the remote access procedure in their information security policy, trains staff on secure VPN usage, and requires employees to report lost devices immediately so IT can revoke the device certificate and block VPN access. Quarterly reviews of VPN logs and an annual policy review ensure roles and allowed access types remain up to date.
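As an added example, not part of the original article and not any vendor's product code, the Python below implements the monitoring logic described in the Technical Implementation list and in the Acme Widgets scenario. It parses constructed VPN gateway session logs in an assumed key=value syslog format, then flags overlapping sessions for one user from different geolocations, sessions whose outbound transfer exceeds an assumed 1 GiB threshold, and sessions from devices absent from an assumed managed-device inventory. The log format, field names, threshold, device identifiers and IP addresses are all assumptions.

```python
"""Constructed VPN session log analysis for AC.L2-3.1.12 style monitoring.

Everything here (log format, field names, thresholds, inventory) is assumed
for illustration; adapt the parser to the fields your gateway actually emits.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (documentation IP ranges, hypothetical fields).
SAMPLE_LOG = """\
2026-01-06T09:00:00Z vpn-gw event=start sid=101 user=alice src=203.0.113.10 geo=US-CA device=cert:aa11
2026-01-06T09:05:00Z vpn-gw event=start sid=102 user=bob src=198.51.100.7 geo=US-NY device=cert:bb22
2026-01-06T09:10:00Z vpn-gw event=start sid=103 user=alice src=192.0.2.45 geo=DE-BE device=cert:aa11
2026-01-06T09:20:00Z vpn-gw event=start sid=104 user=carol src=198.51.100.9 geo=US-NY device=unknown
2026-01-06T09:30:00Z vpn-gw event=stop sid=102 user=bob bytes_out=20480 bytes_in=10240
2026-01-06T10:00:00Z vpn-gw event=stop sid=103 user=alice bytes_out=6442450944 bytes_in=4096
2026-01-06T11:00:00Z vpn-gw event=stop sid=101 user=alice bytes_out=1048576 bytes_in=2048
"""

MANAGED_DEVICES = {"cert:aa11", "cert:bb22"}   # assumed device inventory (certificate fingerprints)
LARGE_TRANSFER_BYTES = 1 * 1024 ** 3           # assumed alert threshold: 1 GiB outbound per session


@dataclass
class Session:
    sid: str
    user: str
    src: str
    geo: str
    device: str
    start: datetime
    stop: Optional[datetime] = None   # None while the session is still open
    bytes_out: int = 0


def _parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<ts> <host> k=v k=v ...' into a timestamp and a field dict."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return ts, dict(p.split("=", 1) for p in parts[2:])


def parse_sessions(text: str) -> Dict[str, Session]:
    """Correlate start/stop events by session id into Session records."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kv = _parse_line(line)
        sid = kv["sid"]
        if kv["event"] == "start":
            sessions[sid] = Session(sid, kv["user"], kv["src"], kv["geo"], kv["device"], ts)
        elif kv["event"] == "stop" and sid in sessions:
            sessions[sid].stop = ts
            sessions[sid].bytes_out = int(kv.get("bytes_out", "0"))
    return sessions


def _overlaps(a: Session, b: Session, now: datetime) -> bool:
    """Open sessions are treated as running until 'now'."""
    return a.start < (b.stop or now) and b.start < (a.stop or now)


def concurrent_distant_logins(sessions: Dict[str, Session], now: datetime) -> List[Tuple[str, str, str]]:
    """Same user logged in at the same time from two different geolocations."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions.values():
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for user, ss in by_user.items():
        ss.sort(key=lambda s: s.start)
        for i, a in enumerate(ss):
            for b in ss[i + 1:]:
                if a.geo != b.geo and _overlaps(a, b, now):
                    hits.append((user, a.sid, b.sid))
    return hits


def large_transfers(sessions: Dict[str, Session], threshold: int = LARGE_TRANSFER_BYTES) -> List[str]:
    """Sessions whose outbound volume meets or exceeds the threshold."""
    return [s.sid for s in sessions.values() if s.bytes_out >= threshold]


def unmanaged_devices(sessions: Dict[str, Session], inventory=MANAGED_DEVICES) -> List[str]:
    """Sessions from endpoints not present in the managed-device inventory."""
    return [s.sid for s in sessions.values() if s.device not in inventory]


def analyze(text: str = SAMPLE_LOG) -> Dict[str, list]:
    """Run all three detections; 'now' is the latest timestamp seen in the log."""
    sessions = parse_sessions(text)
    now = max(s.stop or s.start for s in sessions.values())
    return {
        "concurrent_distant": concurrent_distant_logins(sessions, now),
        "large_transfers": large_transfers(sessions),
        "unmanaged_devices": unmanaged_devices(sessions),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

Each finding carries the session id, which is what an admin needs to terminate that one session on the gateway and open a ticket, as the Acme scenario describes; in a real deployment the same checks would run on a schedule against the central log store rather than on an embedded string.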

Summary

Meeting AC.L2-3.1.12 combines policy and technical controls: a clear remote access policy defines who may connect and how, configuration hardening enforces encryption and authentication, network controls limit what can be reached, and logging plus alerting provide the monitoring needed to detect and stop misuse. For SMBs, using a modern VPN, enforcing MFA and managed devices, centralizing logs, and configuring session controls gives practical, cost-effective coverage that satisfies the control and reduces remote access risk.
