NIST 800-53 REV 5 • ACCESS CONTROL

AC-17(6) Protection of Mechanism Information

Protect information about remote access mechanisms from unauthorized use and disclosure.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see [PL-4](#pl-4)) and access agreements (see [PS-6](#ps-6)).

Practitioner Notes

Protect information about your remote access mechanisms — VPN configurations, IP addresses, authentication methods. If attackers know your setup, they can target it more effectively.

Example 1: Store VPN configuration files, gateway IP addresses, and remote access architecture documents in a restricted SharePoint site accessible only to the IT security team. Do not post VPN setup instructions on your public-facing website or in unprotected wikis.

Example 2: Remove version banners from your VPN and remote access servers. In Apache httpd used for VPN portals, set `ServerTokens Prod`. On your SSH servers, modify the banner in `sshd_config` to not reveal the SSH version. This reduces reconnaissance opportunities for attackers.
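
A configuration audit for the two settings in Example 2, as an added example that is not part of the original page: it flags an Apache `ServerTokens` value other than `Prod`, and version detail in the sshd pre-authentication `Banner` text or in a `VersionAddendum`. The sample configs, host names and banner text are constructed, and the `VersionAddendum` check goes beyond what the page names.

```python
import re

# Matches a product name followed by a version number in free text.
VERSION_RE = re.compile(r"(?i)\b(openssh|openssl|apache|sshd)[\s_/-]*v?\d+(\.\d+)*")

def directives(text):
    """Yield (line number, lowercased keyword, value) for each directive line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield n, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def audit_httpd(conf):
    """Flag ServerTokens settings that put version detail in the Server header."""
    found = [(n, v) for n, k, v in directives(conf) if k == "servertokens"]
    if not found:
        return ["ServerTokens not set: httpd defaults to Full (version and OS shown)"]
    return [f"line {n}: ServerTokens {v} shows more than the product name; use Prod"
            for n, v in found if v.lower() not in ("prod", "productonly")]

def audit_sshd(conf, banner_text=""):
    """Flag version detail in the pre-auth Banner text or a VersionAddendum."""
    # OpenSSH always sends its own version in the protocol identification
    # string; this covers only the parts an administrator controls.
    out = []
    for n, k, v in directives(conf):
        if k == "versionaddendum" and v.lower() != "none":
            out.append(f"line {n}: VersionAddendum appends '{v}' to the SSH version string")
    m = VERSION_RE.search(banner_text)
    if m:
        out.append(f"Banner file names a software version: '{m.group(0)}'")
    return out

# Constructed sample configs and banner text (not taken from any real host).
HTTPD_WEAK = "ServerName vpn.example.org\nServerTokens OS\n"
HTTPD_HARD = "ServerName vpn.example.org\nServerTokens Prod\n"
SSHD_WEAK = "Port 22\nBanner /etc/issue.net\nVersionAddendum gw01-build7\n"
SSHD_HARD = "Port 22\nBanner /etc/issue.net\nVersionAddendum none\n"
BANNER_WEAK = "Authorized use only. Gateway runs OpenSSH_9.2p1.\n"
BANNER_HARD = "Authorized use only.\n"

if __name__ == "__main__":
    for finding in audit_httpd(HTTPD_WEAK) + audit_sshd(SSHD_WEAK, BANNER_WEAK):
        print(finding)
```

Pass `audit_sshd` the contents of the file that the `Banner` directive points to; the parser reads whitespace-separated directives only and does not evaluate `Match` blocks or `Include` files.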