AC.L2-3.1.15 — Authorize remote execution of privileged commands and remote access to security-relevant information.

What this control requires

Authorize remote execution of privileged commands and remote access to security-relevant information.

Source: CMMC L2 v2.13 AC.L2-3.1.15 / NIST SP 800-171 R2 3.1.15 (official control text).

Why this matters

This control protects against unauthorized actors executing administrative commands or accessing sensitive system configurations from outside your secure network perimeter. Privileged commands can disable security controls, delete audit logs, create backdoor accounts, or extract confidential data. Remote access multiplies risk because attackers often compromise personal devices, home networks, or public Wi-Fi to reach corporate systems. By requiring explicit authorization—not just authentication—before any remote privileged session, the organization creates an approval checkpoint that prevents credential theft from automatically translating into system compromise. This control defends against ransomware operators, nation-state actors, and insider threats operating from remote locations.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls