03.01.13 —
What this control requires
Source: NIST SP 800-171 R3 §03.01.13 (official control text).
Why this matters
This control addresses remote access to organizational systems, requiring explicit authorization and monitoring of all connections from external locations. Remote access creates expanded attack surfaces because data traverses networks outside the organization's direct control. Threat actors frequently target VPNs, remote desktop services, and cloud access points to gain initial footholds. Without proper controls, compromised credentials or unpatched remote access tools become direct pathways to sensitive information. This control protects Controlled Unclassified Information by ensuring only authorized users can connect remotely, connections are encrypted, and all remote sessions are logged and monitored for anomalous behavior that could indicate compromise.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.