GRCWatch
Sign inStart free trial

AC.L2-3.1.14: Remote Access Routing

Remote access creates a critical security gap if not properly controlled. AC.L2-3.1.14 requires organizations to route all remote access through managed access control points—preventing attackers from bypassing security controls. This control ensures visibility and enforcement of security policies for every remote user accessing your network.

What this means

Remote Access Routing mandates that all remote connections be funneled through centralized, managed access control points rather than allowing direct connections to internal systems. This architecture ensures that every remote access attempt passes through security inspection, authentication, and authorization checks before reaching protected resources. Managed access control points serve as gatekeepers, applying consistent security policies and logging all remote activity for audit purposes.

How to comply

  1. 1.Deploy a centralized remote access solution (VPN, bastion host, or zero-trust gateway) as the single entry point for all remote connections
  2. 2.Configure network architecture to block direct remote connections to internal systems, forcing all traffic through the managed access control point
  3. 3.Implement multi-factor authentication (MFA) at the access control point to verify remote user identity
  4. 4.Enable logging and monitoring of all remote access sessions, including connection source, destination, duration, and activity
  5. 5.Establish and enforce access policies at the control point that specify which remote users can access which systems
  6. 6.Regularly audit remote access logs to identify suspicious patterns or unauthorized connection attempts
  7. 7.Test the access control point to ensure it cannot be bypassed or circumvented by remote users

Evidence auditors look for

  • VPN or zero-trust network access solution configured as the single remote access gateway
  • Network firewall rules blocking direct inbound connections to internal systems on remote access ports
  • Remote access solution logs showing all connection attempts, timestamps, user identities, and access results
  • Access control policies documented and applied at the managed access control point
  • MFA configuration screenshots from the remote access platform
  • Audit reports demonstrating review of remote access logs for the past 12 months
  • Network diagrams showing remote access architecture with centralized access control point

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates remote access policy enforcement and audit log collection by integrating with your VPN or zero-trust platform, eliminating manual documentation of AC.L2-3.1.14 compliance evidence.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 — Authorized AccessAC.L2-3.1.2 — User Registration and De-registrationAC.L2-3.1.11 — Access Control for Portable and Mobile DevicesSI.L2-3.13.1 — Denial of Service Protection