03.01.14 —

What this control requires

Source: NIST SP 800-171 R3 §03.01.14 (official control text).

Why this matters

This control requires organizations to route remote access connections through managed access control points rather than allowing direct connections to internal systems. Without centralized control points, attackers who compromise remote access credentials can move laterally through networks undetected. Managed access points—such as VPN concentrators, jump servers, or zero-trust network access gateways—create chokepoints where authentication, authorization, logging, and threat inspection occur. This protects sensitive data by ensuring every remote session is authenticated, encrypted, monitored, and terminable. For organizations handling Controlled Unclassified Information, this prevents adversaries from establishing covert channels that bypass security monitoring and exfiltrate data without detection.

What evidence assessors expect

Assessors typically look for: configuration export, screenshot, PDF, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls