>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.1.12Access Control - Derived

Derived Requirement

>Control Description

Monitor and control remote access sessions.

>Discussion

Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections.

The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). [SP 800-46], [SP 800-77], and [SP 800-113] provide guidance on secure remote access and virtual private networks.

>Cross-Framework Mappings

CMMC

AC.L2-3.1.12
Compare

SCF

NET-14
Compare
NET-14.1
Compare
NET-14.5
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policy requires session termination upon user-initiated logout?
  • How do you ensure users understand logout procedures?
  • What governance addresses session management across federated systems?
  • Who reviews and approves session termination mechanisms?
  • What training covers proper logout procedures?

Technical Implementation:

  • How do you ensure sessions fully terminate on logout?
  • What mechanisms clear session tokens and cookies on logout?
  • How are federated SSO sessions terminated globally?
  • What controls prevent session hijacking after logout?
  • How do you handle logout across multiple integrated applications?

Evidence & Documentation:

  • Can you demonstrate complete session termination on logout?
  • What logs show session end events matching logout actions?
  • Can you provide evidence that tokens are invalidated on logout?
  • What testing results prove sessions cannot be reused after logout?
  • What audit trails track user logout events?

Ask AI

Configure your API key to use AI features.