GRCWatch
Sign inStart free trial

AC.L2-3.1.13: Remote Access Confidentiality

Remote access is a critical vulnerability vector in modern defense supply chains. AC.L2-3.1.13 requires organizations to deploy cryptographic protections that ensure remote sessions remain confidential against eavesdropping and interception. This control is foundational for protecting sensitive data accessed outside your network perimeter.

What this means

This control mandates the use of encryption and cryptographic mechanisms to safeguard the confidentiality of remote access sessions. Any data transmitted during remote access—whether through VPN, remote desktop, or cloud-based tools—must be protected from unauthorized disclosure through industry-standard encryption protocols. The goal is to prevent attackers from capturing or reading session traffic, even if they intercept network communications.

How to comply

  1. 1.Deploy VPN solutions with strong encryption (AES-256 or equivalent) for all remote access connections
  2. 2.Implement TLS 1.2 or higher for encrypted communication channels in remote access tools
  3. 3.Configure remote desktop protocols (RDP) with encryption enabled and disable unencrypted alternatives
  4. 4.Require certificate-based authentication for VPN and remote access platforms
  5. 5.Document all cryptographic mechanisms used and their configuration settings
  6. 6.Establish a process to audit and monitor remote access sessions for encryption compliance
  7. 7.Regularly update and patch remote access tools to maintain cryptographic strength
  8. 8.Test encryption configurations to ensure no data leakage during remote sessions

Evidence auditors look for

  • VPN configuration documentation showing AES-256 encryption settings
  • Remote desktop policy files with encryption requirements enforced
  • TLS certificate inventory with version and expiration tracking
  • Network traffic captures demonstrating encrypted remote sessions
  • Access logs showing encrypted connection protocols in use
  • Cryptographic inventory with approved algorithms and key management procedures
  • Audit reports from vulnerability scans confirming encryption enforcement
  • Change management records for cryptographic mechanism updates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers remote access tools across your infrastructure, validates encryption configurations against CMMC requirements, and flags non-compliant sessions in real-time—eliminating manual audits of VPN and RDP settings.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 (Access Control Policy)AC.L2-3.1.12 (Session Termination)SI.L2-3.14.1 (Information System Monitoring)IA.L2-3.5.1 (Identification and Authentication)