Description
The organization authorizes, monitors, and controls all methods of remote access to the information system.
Supplemental Guidance
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. The organization restricts access achieved through dial-up connections (e.g., limiting dial-up access based upon source of request) or protects against unauthorized connections or subversion of authorized connections (e.g., using virtual private network technology). NIST Special Publication 800-63 provides guidance on remote electronic authentication. If the federal Personal Identity Verification (PIV) credential is used as an identification token where cryptographic token-based access control is employed, the access control system conforms to the requirements of FIPS 201 and NIST Special Publications 800-73 and 800-78. NIST Special Publication 800-77 provides guidance on IPsec-based virtual private networks. Related security control: IA-02.
Changes from Rev 4
Changes control text from 'remote access' to 'each type of remote access' Adds 'information exchange' and other minor wording in discussion
MITRE ATT&CK Techniques (81)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.