Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Understanding the Requirement
This control requires that remote access (typically VPN connections) be encrypted using approved cryptographic mechanisms so that session data remains confidential while it traverses untrusted networks. The assessment objectives are to identify the cryptographic mechanisms that protect remote access sessions and to implement them; in practice that means TLS or IPsec, with the VPN appliance's cryptographic module FIPS-validated. For SMBs following NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, the focus is on selecting FIPS-validated products and configuring strong, current protocol versions and cipher suites so the protection is actually effective.
Technical Implementation
- Select a FIPS-validated VPN solution. When procuring or validating your VPN appliance, confirm FIPS 140-2/140-3 module validation with the vendor or via their product documentation. Record the validation certificate number in your procurement and configuration records.
- Enable modern, strong protocol versions and cipher suites only. Configure TLS 1.2 or 1.3 (disable SSLv3 and TLS 1.0/1.1) for TLS-based VPNs, and use IPsec IKEv2 with AES-GCM or CHACHA20-POLY1305. Explicitly disable weak ciphers (e.g., RC4, 3DES) and key-exchange algorithms and parameters known to be weak.
- Use certificate-based authentication and integrate multifactor authentication (MFA). Deploy device or user certificates issued by your internal PKI or a trusted CA for VPN endpoints, and require MFA (e.g., push OTP, hardware token) to reduce the risk from stolen credentials.
- Implement key and certificate lifecycle management. Maintain procedures to generate, distribute, renew, and revoke keys and certificates. Establish rotation schedules (e.g., rekey IPsec SAs regularly and renew TLS certificates before expiry) and document the process for emergency revocation.
- Harden and monitor the VPN environment. Keep VPN firmware and software patched, limit administrative access to a small group (system/network administrators), enable verbose session logging, and forward logs to a central log collector or SIEM for alerting and periodic review by employees with security responsibilities.
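As an added example (not from this page or any vendor), the Python below audits an exported TLS cipher-suite list against the criteria in the second step and builds a client TLS context that enforces them; the legacy suite list is constructed, and the function names are my own.

```python
import ssl

# Suite-name fragments the control's guidance rules out: RC4, 3DES, NULL, export grade, MD5.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "DES-CBC", "NULL", "MD5", "EXPORT", "EXP-")

# TLS 1.3 suites are AEAD and always negotiate an ephemeral (EC)DHE key exchange.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}


def classify_suite(name: str) -> str:
    """Return 'weak', 'no-pfs', 'non-aead' or 'ok' for an OpenSSL-style suite name."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if upper in TLS13_SUITES:
        return "ok"
    if not (upper.startswith("ECDHE-") or upper.startswith("DHE-")):
        return "no-pfs"       # static RSA key exchange: no forward secrecy
    if "GCM" not in upper and "CHACHA20" not in upper:
        return "non-aead"     # CBC suite; not the AES-GCM / CHACHA20-POLY1305 guidance
    return "ok"


def audit_suites(names):
    """Group suite names by finding; everything outside 'ok' needs remediation."""
    report = {"weak": [], "no-pfs": [], "non-aead": [], "ok": []}
    for name in names:
        report[classify_suite(name)].append(name)
    return report


def hardened_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/1.1 and offers only AEAD, forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_findings(ctx: ssl.SSLContext) -> dict:
    """Check a context's minimum version and enabled suites against the control."""
    report = audit_suites(c["name"] for c in ctx.get_ciphers())
    report["min_version_ok"] = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return report


# Constructed sample of a legacy appliance's enabled-suite export (not a real device).
LEGACY_EXPORT = ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "DES-CBC3-SHA",
                 "RC4-SHA", "ECDHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    print(audit_suites(LEGACY_EXPORT))
    print(context_findings(hardened_tls_context()))
```

A clean audit shows the configuration matches the control's cipher guidance; FIPS validation is a property of the vendor's module certificate and cannot be established by this script.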
Example in a Small or Medium Business
A 75-employee engineering firm with remote staff implements AC.L2-3.1.13 by standardizing on a FIPS-validated VPN appliance from a reputable vendor. The IT manager verifies the appliance's FIPS certificate with the vendor and documents it in the procurement file. The team configures the VPN to use TLS 1.3 for SSL-based tunnels and IKEv2/IPsec with AES-GCM for site-to-site links, disabling older protocols and weak ciphers. User access requires a client certificate issued by the company's internal PKI plus MFA via a mobile authenticator; contractors receive time-limited certificates. The IT admin enforces automated certificate renewal, schedules quarterly rekeying of IPsec tunnels, and restricts VPN admin access to two system administrators. VPN logs are forwarded to a lightweight cloud log service where the security lead reviews failed connection attempts weekly and generates an incident ticket for any anomalies. Periodic testing and a vendor confirmation of continued FIPS compliance are documented to support internal audits and the company's compliance posture.
Summary
Meeting AC.L2-3.1.13 is straightforward for SMBs when you combine clear policy with focused technical controls: choose a FIPS-validated VPN appliance, enable modern TLS/IPsec configurations with strong ciphers, require certificate-based authentication and MFA, manage keys and certificates, and monitor VPN activity. These measures together ensure remote access sessions remain confidential over public networks and provide the documentation and operational controls needed for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 compliance.