3.1.13 — Encrypt Remote Sessions

The One-Liner

Using AES-256 isn’t enough. The software implementing the encryption must be FIPS 140 validated. That’s the part most people miss.

What It Says

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

What It Actually Means

All remote connections must be encrypted: VPN, TLS, SSH, HTTPS. No unencrypted remote access to anything containing CUI.

The critical detail: FIPS 140 validation. It’s not enough to use an approved algorithm (like AES-256). The actual software or hardware module performing the encryption must have a FIPS 140 validation certificate. You need to be able to show that certificate to the assessor.

Check your VPN product, your TLS implementation, your SSH server. Do they have FIPS 140 validation? If not, you have a gap.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are cryptographic mechanisms identified?	You know what encryption you’re using for each remote access method
2	Are they implemented?	They’re configured, enforced, and FIPS 140 validated

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, remote access procedures, system security plan, system config, cryptographic mechanism documentation, FIPS validation certificates, audit logs

People they’ll talk to: Sysadmins, information security staff, system developers

Live demos they’ll ask for: “Show me the FIPS validation certificate for your VPN solution. Show me the cipher suite configuration.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “What cryptographic mechanisms are used for remote access sessions?”
• “Are TLS and IPSec using FIPS-validated encryption?”
• “Is the module implementing the algorithm FIPS 140 validated — not just the algorithm itself?”
• “Can you show the FIPS validation certificate?”

Real-World Example

A contractor uses a VPN solution with a FIPS 140-2 validated cryptographic module. The IT admin has the validation certificate on file and can show it. The VPN is configured to use only FIPS-approved cipher suites — older, weaker options are disabled. Cloud access over HTTPS uses TLS 1.2+ with FIPS-validated modules in the browser and server.

---

Where Companies Trip Up

Right algorithm, unvalidated module. Using AES-256 but the VPN software hasn’t been FIPS 140 validated. The algorithm isn’t what gets validated — the module is.

Split tunneling. Remote users sending CUI traffic outside the encrypted tunnel (see 3.13.7).

Legacy protocols. Still allowing SSLv3 or TLS 1.0/1.1. Disable them.

---

How to Talk About This

To a CEO or Board

Every remote connection is encrypted with FIPS-validated cryptography. We have the validation certificate on file.

To an Engineering Team

VPN with FIPS 140-2 validated module. TLS 1.2+ only, FIPS cipher suites enforced. Legacy protocols disabled. FIPS validation cert in evidence binder.

---

Connected Requirements

Requirement	Why it matters here
3.1.12 — Eyes on Remote Access	Monitoring the sessions this encrypts
3.13.8 — Encrypt in Transit	Encrypting CUI in transit generally
3.13.11 — FIPS or It Doesn’t Count	The FIPS validation requirement

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.13 | SPRS Weight: 5 points | POA&M Eligible: No