3.1.12 — Eyes on Remote Access

The One-Liner

If you can’t see who’s connected remotely right now and terminate any session with one click, you’re not meeting this requirement.

What It Says

Monitor and control remote access sessions.

What It Actually Means

Remote access isn’t just VPN to headquarters. It includes:

• VPN connections
• Remote desktop sessions
• Cloud email access from outside the office
• Cloud file storage access
• AWS/Azure/GCP console access
• Any connection from outside your physical environment to systems containing CUI

For every remote session, you need to know: who’s connected, from where, using what method, and what they’re accessing. You need the ability to terminate any session immediately.

Don’t forget cloud services — if someone accesses M365 or AWS from home, that’s remote access.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is remote access permitted and defined?	A policy stating when, how, and by whom
2	Are permitted methods identified?	VPN, RDP, cloud — each one documented
3	Are remote sessions controlled?	You can manage, restrict, and terminate them
4	Are remote sessions monitored?	You can see who’s connected and what they’re doing

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, remote access procedures, configuration management plan, system security plan, system config, remote access authorizations, audit logs

People they’ll talk to: Remote access managers, sysadmins, information security staff

Live demos they’ll ask for: “Show me who is connected remotely right now. Show me you can terminate a session.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What policies identify when remote access is permitted and what methods must be used?”
• “Are systems configured to only permit approved remote access sessions?”
• “Are automated or manual mechanisms used for monitoring remote connections?”
• “Can you show me who is currently connected remotely?”

Real-World Example

A contractor uses Always On VPN for network access and Conditional Access for cloud apps. Entra ID sign-in logs show every remote authentication — location, device, app accessed. The security officer can see all active sessions in real time and revoke any session through Entra. VPN connections are logged with source IP, duration, and bytes transferred.

---

Where Companies Trip Up

No remote access policy. People connect however they want with no defined rules.

Cloud access is invisible. VPN is monitored but M365, AWS Console, and other cloud access isn’t tracked.

Can’t terminate sessions. You can see who’s connected but can’t force-disconnect them.

Personal devices with no controls. Remote access from unmanaged devices with no visibility.

---

How to Talk About This

To a CEO or Board

We see every remote connection in real time — who, from where, using what method. We can terminate any session immediately if something looks wrong.

To an Engineering Team

Always On VPN + Conditional Access. Entra sign-in logs feed Sentinel. Real-time session visibility in Entra admin. VPN logs: source IP, duration, bytes. One-click session revocation.

---

Connected Requirements

Requirement	Why it matters here
3.1.13 — Encrypt Remote Sessions	Encrypting the sessions you monitor here
3.1.14 — One Front Door	Routing through managed access points
3.5.3 — Multifactor Auth	MFA required for remote access

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.12 | SPRS Weight: 5 points | POA&M Eligible: No