>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AC-17Remote Access

LI-SaaS
Low
Moderate
High

>Control Description

a

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

b

Authorize each type of remote access to the system prior to allowing such connections.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections.

The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code.

Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3.

Enforcing access restrictions for remote access is addressed via AC-3.

>Cross-Framework Mappings

SCF

NET-14
Compare

>Programmatic Queries

Beta

Related Services

Systems Manager Session Manager
Client VPN
Direct Connect

CLI Commands

List active SSM sessions
aws ssm describe-sessions --state Active
Check Client VPN endpoints
aws ec2 describe-client-vpn-endpoints
List bastion host instances
aws ec2 describe-instances --filters 'Name=tag:Name,Values=*bastion*'
Check VPN connections
aws ec2 describe-vpn-connections
Open AWS ConsoleDocumentation

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

Zscaler Zero Trust Exchange

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-17 (Remote Access)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-17?
  • How frequently is the AC-17 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-17?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-17 requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-17?
  • How is AC-17 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-17 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-17?
  • What audit logs, records, reports, or monitoring data validate AC-17 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-17 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-17 compliance?

Ask AI

Configure your API key to use AI features.