NIST SP 800-171 Control 3.1.13: Remote Access Cryptography
Control 3.1.13 requires you to deploy cryptographic mechanisms that shield remote access sessions from eavesdropping and interception. For SMBs managing CUI or federal contractor requirements, this control is essential to prevent unauthorized access to sensitive data transmitted over networks.
What this means
This control mandates the use of encryption technologies to protect the confidentiality of all remote access communications. Whether employees connect via VPN, SSH, RDP, or other remote protocols, cryptographic protections must be in place to ensure that session data—including credentials, commands, and transmitted information—remains encrypted and unreadable to unauthorized parties. The control focuses on preventing data exposure during transit across untrusted networks.
How to comply
- 1.Implement TLS/SSL encryption for all web-based remote access portals and applications
- 2.Deploy VPN solutions with strong encryption protocols (e.g., IPsec, WireGuard) for remote workforce access
- 3.Configure SSH with key-based authentication and disable unencrypted protocols like Telnet
- 4.Enable encryption for RDP connections using TLS or equivalent cryptographic standards
- 5.Establish a certificate management process to maintain valid, non-expired encryption certificates
- 6.Define and enforce cryptographic algorithm standards (minimum 128-bit symmetric encryption)
- 7.Monitor remote access logs to detect and respond to unencrypted or failed encryption attempts
- 8.Conduct annual reviews of cryptographic implementations to ensure alignment with current standards
Evidence auditors look for
- VPN configuration documentation showing active TLS/IPsec encryption settings
- SSH server configuration files with encryption algorithms and key exchange policies enabled
- RDP security policy settings documenting encryption protocol requirements
- Certificate inventory and renewal schedule for all remote access endpoints
- Network traffic captures or firewall logs showing encrypted (HTTPS, encrypted SSH) remote sessions
- Cryptographic algorithm standards document defining minimum key lengths and approved ciphers
- Vulnerability scan reports confirming no unencrypted remote access protocols are active
- Access logs showing successful encrypted connections and rejected unencrypted attempts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates remote access encryption verification by scanning your VPN, RDP, and SSH configurations against NIST standards, flagging weak ciphers and unencrypted protocols in real-time—eliminating manual audits for this control.
See how GRCWatch handles this control automatically
Start free trial