How to Meet AC.L2-3.1.14

Practical guide for SMBs to implement AC.L2-3.1.14

Requirement

AC.L2-3.1.14 – Route remote access via managed access control points.

This control comes from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2.

Understanding the Requirement

This control requires that all remote access into your environment be funneled through managed access control points (typically firewalls, VPN concentrators, or secure gateways) so that you can centrally enforce security policy, monitor activity, and reduce the chance of data exposure. In practice, that means identifying the access control points you manage, implementing them, and ensuring every remote connection (users, admins, vendors) is routed through them rather than directly to internal systems. Doing so increases visibility and control over remote connections and helps protect sensitive information.

Policies and Procedures Needed

Document a Remote Access Policy that defines who may connect remotely, which methods are approved (e.g., VPN, secure gateway), and that all remote sessions must traverse managed access control points. Include procedures for onboarding/offboarding remote users and vendors, device authorization (corporate vs. BYOD), admin access via jump hosts, configuration/change management for firewalls and VPNs, periodic access reviews, logging and retention standards, and incident response steps for suspicious remote activity. Require multi-factor authentication and prohibit direct Internet exposure of management interfaces (e.g., RDP/SSH) on internal assets.

Technical Implementation

  • Inventory and consolidate remote entry points. Identify all ways users and third parties access your network (VPNs, remote desktops, cloud management portals). Disable or remove any direct exposures (e.g., Internet-facing RDP/SSH) and require all remote access to go through your managed firewall/VPN or secure access gateway.
  • Deploy a centralized VPN concentrator behind a next-generation firewall. Require MFA for all remote users and admins, enforce strong ciphers, and disable split tunneling for access to sensitive resources. Use network policies to restrict remote users to only the subnets/apps they need (least privilege).
  • Use an RDP/SSH gateway or bastion jump host for administrative access. Block direct admin protocols from the Internet; instead, require VPN into a management VLAN, then jump to target systems. Log and session-record privileged access where feasible.
  • Harden and monitor the access control points. Limit admin management to specific IPs, enable detailed VPN/gateway logging, forward logs to a centralized SIEM, and configure alerts for anomalies (e.g., repeated failures, logins from unusual geographies, off-hours admin access).
  • Control third-party and vendor remote access. Issue time-bound accounts, restrict to needed systems/ports, require MFA, and route sessions through your gateway with full logging. Use just-in-time access approvals for elevated changes.
  • Test and maintain. Perform quarterly reviews of firewall and VPN rules, remove stale accounts, validate logging and alerting, and run external scans to confirm no unintended remote services are exposed. Document configurations and keep backups of firewall/VPN settings.
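The inventory and external-scan steps above amount to comparing what is reachable from the Internet against the list of access control points you actually manage. The following is an added example (not code from the original guide) that does that comparison over constructed scan output; the IP addresses, ports, and the simple "host port/proto open" scan format are assumptions for the example.

```python
# Added example (not from the original page): compare external-scan results with the
# inventory of managed access control points and flag any Internet-reachable remote
# service that is not one of them. All hosts, ports and the scan format are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    proto: str  # "tcp" or "udp"

# Inventory of managed access control points (constructed values): only these
# Internet-facing services are sanctioned remote entry points.
MANAGED_ACCESS_POINTS = {
    Exposure("203.0.113.10", 443, "tcp"),   # SSL VPN on the concentrator
    Exposure("203.0.113.10", 1194, "udp"),  # OpenVPN on the same concentrator
}

# Remote-access protocols that must never be reached directly from the Internet.
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 23: "telnet"}

def parse_scan(text):
    """Parse constructed scan output lines of the form 'host port/proto open'."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue
        port, proto = parts[1].split("/")
        found.add(Exposure(parts[0], int(port), proto))
    return found

def find_unmanaged_exposures(found):
    """Return (severity, host, port, proto, service) for every open service that is
    not a managed access point; known admin protocols are rated high."""
    findings = []
    for e in sorted(found, key=lambda x: (x.host, x.port)):
        if e in MANAGED_ACCESS_POINTS:
            continue
        service = REMOTE_ADMIN_PORTS.get(e.port)
        findings.append(("high" if service else "review", e.host, e.port, e.proto,
                         service or "unknown"))
    return findings

# Constructed scan output: the VPN concentrator plus two branch hosts.
SAMPLE_SCAN = """\
203.0.113.10 443/tcp open
203.0.113.10 1194/udp open
203.0.113.25 3389/tcp open
203.0.113.30 22/tcp open
203.0.113.30 8443/tcp open
"""

if __name__ == "__main__":
    for finding in find_unmanaged_exposures(parse_scan(SAMPLE_SCAN)):
        print(finding)
```

Anything rated "high" is a direct RDP/SSH/VNC exposure to close immediately; "review" items need a decision on whether they belong in the managed inventory or should be blocked.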

Example in a Small or Medium Business

A 120-employee engineering firm discovers through an external scan that a branch server has RDP exposed to the Internet and several contractors connect via ad hoc tools. The IT manager standardizes on a single VPN concentrator at headquarters behind the firewall and disables all direct remote services at branch sites. All employees and contractors must now use the corporate VPN with MFA, and remote admin tasks happen only through a hardened RDP gateway on a management VLAN. The firewall enforces policies that limit VPN users to specific application subnets; contractors can only reach a file share and ticketing system, and only during business hours. Logs from the VPN and gateway feed into a centralized log system with alerts for failed logins and access from new countries. During the first month, an alert flags repeated failed logins for a former contractor; the account is promptly disabled, and the access review procedure is updated to ensure contractor accounts are closed on project completion.
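The alerts described in the monitoring bullet and in the scenario above (repeated failed logins, access from a new country, off-hours admin access) can be prototyped against VPN/gateway logs before a SIEM rule is written. The block below is an added example, not code from the original guide; the log line format, usernames, the per-user country baseline, and the thresholds are all assumptions chosen for the example.

```python
# Added example (not from the original page): detection logic over constructed VPN
# gateway log lines. Log format, users, baselines and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures per user within FAIL_WINDOW fire an alert
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time
ADMINS = {"itadmin"}

# Countries each user has previously connected from (constructed baseline).
KNOWN_COUNTRIES = {"jsmith": {"US"}, "contractor1": {"US"}, "itadmin": {"US"}}

def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS user=<u> result=<ok|fail> country=<CC>'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(lines):
    """Return (rule, user, timestamp) alerts in the order the triggering events occur."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failures inside the window
    for rec in (parse_line(l) for l in lines if l.strip()):
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "fail":
            window = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("repeated_failures", user, ts))
            continue
        if rec["country"] not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append(("new_country", user, ts))
        if user in ADMINS and ts.hour not in BUSINESS_HOURS:
            alerts.append(("offhours_admin", user, ts))
    return alerts

# Constructed log: a normal login, a late-night admin login, a burst of failures for a
# contractor account, and a successful login from a country not in the baseline.
SAMPLE_LOG = """
2024-03-04T09:12:01 user=jsmith result=ok country=US
2024-03-04T22:15:40 user=itadmin result=ok country=US
2024-03-04T23:01:00 user=contractor1 result=fail country=BR
2024-03-04T23:01:30 user=contractor1 result=fail country=BR
2024-03-04T23:02:00 user=contractor1 result=fail country=BR
2024-03-04T23:02:30 user=contractor1 result=fail country=BR
2024-03-04T23:03:00 user=contractor1 result=fail country=BR
2024-03-04T23:04:00 user=contractor1 result=fail country=BR
2024-03-05T08:30:00 user=jsmith result=ok country=DE
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```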

Summary

Meeting AC.L2-3.1.14 is about centralizing and controlling every remote connection through managed access control points you configure, monitor, and trust. A clear remote access policy, disciplined onboarding/offboarding, and change control set expectations, while a consolidated VPN or secure gateway with MFA, least-privilege network rules, hardened admin paths, and robust logging delivers the technical enforcement. Together, these measures provide visibility, reduce attack surface, and ensure remote access adheres to your security standards.
