3.1.14 — One Front Door

The One-Liner

Fewer entry points = smaller attack surface = easier monitoring. Ideally, one managed gateway for all remote access.

What It Says

Route remote access via managed access control points.

What It Actually Means

Route all remote access through a controlled gateway — a VPN concentrator, a managed firewall, a SASE solution. No one connects directly to internal resources from the internet.

Why? One entry point means one place to:

• Apply authentication and MFA
• Encrypt traffic
• Monitor connections
• Block suspicious activity
• Terminate sessions

The assessor will look for bypass paths. Can someone RDP directly to a server without going through the VPN? Can someone hit a cloud admin portal without going through Conditional Access? If yes, you have a gap.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are managed access control points identified?	Documented gateways — how many and where
2	Is all remote access routed through them?	No bypass paths, no direct connections

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, remote access procedures, system security plan, list of managed access points, system config, audit logs

People they’ll talk to: Sysadmins, information security staff

Live demos they’ll ask for: “Show me your remote access architecture. Can anything bypass the managed access point?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How many managed access control points do you have?”
• “Is ALL remote access routed through them?”
• “Can someone bypass the VPN and connect directly to internal resources?”
• “Show me the configuration that enforces this.”

Real-World Example

A contractor with three offices routes all remote access through a single VPN concentrator at headquarters. Branch offices connect via site-to-site VPN. Remote users connect via client VPN. Cloud admin access goes through Conditional Access with named location policies. The assessor checks for bypass: no RDP ports open to the internet, no direct cloud admin access without Conditional Access.

---

Where Companies Trip Up

Cloud services bypass the VPN. Users accessing M365 or AWS directly from home without going through any managed access point.

Multiple unmanaged entry points. RDP open on the internet, cloud consoles with no access controls.

No enforcement. Policy says use VPN but nothing prevents direct connections.

---

How to Talk About This

To a CEO or Board

All remote access goes through a single managed gateway. There’s no back door, no direct connection. One entry point means one place to monitor and enforce controls.

To an Engineering Team

Single VPN concentrator. Site-to-site for branches. Client VPN for remote users. Conditional Access named locations for cloud. No RDP/SSH ports exposed to internet. All verified by external vulnerability scan.

---

Connected Requirements

Requirement	Why it matters here
3.1.12 — Eyes on Remote Access	Monitoring sessions through these access points
3.1.13 — Encrypt Remote Sessions	Encrypting traffic through the gateway
3.13.1 — Guard the Boundaries	Boundary controls at access points

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.14 | SPRS Weight: 1 point | POA&M Eligible: Yes