NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors subject to DFARS 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
AC-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Control Family: Access Control
Control Type: Derived
SPRS Value: 5
SPRS Supplemental Guidance:
Do not subtract points if remote access is not permitted.
CMMC Level(s):
AC.L2-3.1.13
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-17(2)
NIST Supplemental Guidance:
NIST SP 800-46
NIST SP 800-77
NIST SP 800-113
Discussion:
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. See [NIST CRYPTO]; [NIST CAVP]; [NIST CMVP]; National Security Agency Cryptographic Standards.
Determining Statements (NIST SP 800-171Ar2)
Upon assessment, assessors must determine if:
3.1.13[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.
3.1.13[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
Assessors are instructed to:
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Cryptographic mechanisms protecting remote access sessions]
Potential Solutions Based on Staffing

| 1-10 FTE | 10-49 FTE | 50-249 FTE | 250-999 FTE | 1000+ FTE |
|---|---|---|---|---|
| WatchGuard Firebox UTM | WatchGuard Firebox UTM | WatchGuard Firebox UTM | Multiple Options | Multiple Options |
| Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor |
| Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune |
| DISA STIGs | DISA STIGs | Tripwire Enterprise | Tripwire Enterprise | Tripwire Enterprise |
| CIS Benchmarks | CIS Benchmarks | DISA STIGs | DISA STIGs | DISA STIGs |
| CIS SecureSuite | CIS SecureSuite | CIS Benchmarks | CIS Benchmarks | CIS Benchmarks |
| | | CIS SecureSuite | CIS SecureSuite | CIS SecureSuite |