AC.L2-3.1.13 — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
What this control requires
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Source: CMMC L2 v2.13 AC.L2-3.1.13 / NIST SP 800-171 R2 3.1.13 (official control text).
Why this matters
Remote access sessions—VPN connections, remote desktop, SSH tunnels, and web-based admin portals—transit public networks where adversaries can intercept traffic. Without encryption, credentials, file contents, and session data travel in clear text, enabling credential theft and data exfiltration. This control mandates FIPS 140-2 validated cryptography (or equivalent standards) for all remote access channels, ensuring confidentiality even when adversaries have network visibility. It protects CUI accessed by employees, contractors, and administrators connecting from home networks, hotels, coffee shops, or partner sites.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.