NIST 800-53 REV 5 • ACCESS CONTROL
AC-17(3) — Managed Access Control Points
Route remote accesses through authorized and managed network access control points.
Supplemental Guidance
Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.
Practitioner Notes
All remote access must route through a limited number of managed access control points. Think of it as funneling all remote connections through a controlled gateway rather than allowing direct connections to individual servers.
Example 1: Deploy all remote access through a single VPN concentrator and a single RDP gateway (jump server). Block direct RDP (TCP 3389) and SSH (TCP 22) from the internet at your perimeter firewall. All remote connections must go through the VPN first, then the RDP gateway.
Example 2: In Azure, use Azure Bastion as the sole access point for RDP and SSH to virtual machines. Remove public IP addresses from all VMs and configure NSGs to block inbound RDP/SSH from anywhere except the Bastion subnet. All remote admin sessions go through Bastion.
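The two examples above describe the desired end state; what a practitioner usually wants next is a way to verify it. The following script is an added example, not part of the control text or any NIST or Microsoft tooling. It models Azure NSG inbound rules as plain Python objects (constructed sample data, not a call to the Azure SDK) and walks them in priority order, as the NSG evaluates them, to report any rule that lets RDP or SSH in from a source other than the Bastion subnet. The Bastion subnet CIDR, rule names and addresses are all assumed sample values.

```python
"""Audit an Azure-style NSG rule set for direct RDP/SSH exposure (AC-17(3)).

Added example with constructed data: the rules below are shaped like Azure NSG
security rules but are made up, and nothing here calls an Azure API.
"""
import ipaddress
from dataclasses import dataclass

# Remote-admin ports that must only be reachable via the managed access point.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Source values that cover every remote source of interest for this check.
BROAD_SOURCES = {"*", "Internet"}


@dataclass
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first (Azure semantics)
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR/IP, "*", or a service tag such as "Internet"
    dest_ports: str      # "3389", "22-3389", "22,3389" or "*"


def port_in_spec(spec: str, port: int) -> bool:
    """True if an NSG destination-port spec ("22", "22-3389", "22,3389", "*") covers port."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def source_within(source: str, subnet) -> bool:
    """True only for an explicit CIDR/IP fully inside subnet.

    Service tags ("Internet", "VirtualNetwork") and "*" are broader than the
    Bastion subnet, so they return False."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False
    return net.version == subnet.version and net.subnet_of(subnet)


def audit_nsg(rules, bastion_subnet: str):
    """Return {port: offending_rule_name_or_None} for each remote-admin port.

    The walk takes the point of view of a source that is NOT the Bastion subnet:
      - rules whose source lies inside the Bastion subnet never match such a
        source and are skipped;
      - a matching Allow from any other source is a finding, because that rule
        lets remote admin traffic bypass the managed access point;
      - a matching Deny with a broad source ("*" or "Internet") closes the port
        for remote sources, so the walk stops; a Deny with a narrow source only
        shields part of the address space and is not counted as protection.
    With no explicit match, Azure's default DenyAllInBound rule applies.
    """
    bastion = ipaddress.ip_network(bastion_subnet, strict=False)
    inbound = sorted((r for r in rules if r.direction == "Inbound"),
                     key=lambda r: r.priority)
    result = {}
    for port in REMOTE_ADMIN_PORTS:
        result[port] = None
        for rule in inbound:
            if rule.protocol not in ("Tcp", "*") or not port_in_spec(rule.dest_ports, port):
                continue
            if source_within(rule.source, bastion):
                continue
            if rule.access == "Allow":
                result[port] = rule.name
                break
            if rule.source in BROAD_SOURCES:   # broad Deny: port is closed remotely
                break
    return result


# Constructed sample NSG (assumed values). The Bastion subnet is 10.0.1.0/26;
# "AllowRdpFromOffice" is the kind of exception that defeats the control.
BASTION_SUBNET = "10.0.1.0/26"
SAMPLE_RULES = [
    NsgRule("AllowBastionRDP", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/26", "3389"),
    NsgRule("AllowBastionSSH", 110, "Inbound", "Allow", "Tcp", "10.0.1.0/26", "22"),
    NsgRule("AllowRdpFromOffice", 120, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389"),
    NsgRule("DenyRemoteAdmin", 200, "Inbound", "Deny", "*", "Internet", "22,3389"),
    NsgRule("AllowHttps", 300, "Inbound", "Allow", "Tcp", "Internet", "443"),
]

if __name__ == "__main__":
    for port, offender in audit_nsg(SAMPLE_RULES, BASTION_SUBNET).items():
        status = f"FINDING: rule '{offender}' allows it" if offender else "ok (Bastion only)"
        print(f"{REMOTE_ADMIN_PORTS[port]}/{port}: {status}")
```

Run against the sample rule set, the script reports SSH as reachable only through Bastion and flags the RDP exception from 203.0.113.0/24; removing that rule makes both ports compliant. The same walk applies to a perimeter firewall rule base for Example 1 if the VPN concentrator's subnet is substituted for the Bastion subnet.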