03.01.15 —
What this control requires
Source: NIST SP 800-171 R3 §03.01.15 (official control text).
Why this matters
This control requires organizations to authorize and monitor all remote access sessions to their systems. Remote access expands the attack surface significantly—adversaries frequently target VPNs, remote desktop services, and cloud management interfaces to gain unauthorized entry. Without proper authorization controls, any compromised credential or misconfigured service becomes a direct path into sensitive systems. By implementing strong authentication, session monitoring, and explicit authorization for remote connections, organizations protect Controlled Unclassified Information from interception and unauthorized access. This is particularly critical as remote work increases and more administrative functions occur over networks rather than through direct console access.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.