zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-05 17:28:31 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/compliance/dist/system-security-plans/ato/ac-17.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116) 
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

2.9 KiB
Raw Blame History

implementation-status control-origination
c-not-implemented
c-inherited-cloud-gov
c-inherited-cisa
c-common-control
c-system-specific-control

ac-17 - [catalog] Remote Access

Control Statement

  • [a] Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

  • [b] Authorize each type of remote access to the system prior to allowing such connections.

Control guidance

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

Control assessment-objective

usage restrictions are established and documented for each type of remote access allowed; configuration/connection requirements are established and documented for each type of remote access allowed; implementation guidance is established and documented for each type of remote access allowed; each type of remote access to the system is authorized prior to allowing such connections.

What is the solution and how is it implemented?

Implementation a.

Add control implementation description here for item ac-17_smt.a

Implementation b.

Add control implementation description here for item ac-17_smt.b