NIST 800-53 REV 5 • ACCESS CONTROL

AC-6(3) Network Access to Privileged Commands

Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Practitioner Notes

Network access to privileged commands should be even more restricted than local access. Running admin commands over the network increases the risk of interception and misuse.

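Example 1: Restrict remote PowerShell and SSH access to admin servers using Windows Firewall rules or iptables. Only allow connections from your Privileged Access Workstation (PAW) subnet, for example: New-NetFirewallRule -DisplayName "WinRM HTTPS from PAW" -Direction Inbound -Protocol TCP -LocalPort 5986 -RemoteAddress 10.10.50.0/24 -Action Allow. An allow rule like this narrows access only if inbound traffic is otherwise blocked by default and no broader allow rule covers the same port.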
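
A check for the iptables side of Example 1, added here as an illustration and not part of the original page: it reads iptables-save output and reports any INPUT rule that accepts SSH (22) or WinRM over HTTPS (5986) from a source other than the PAW subnet. The port list, the function names and the sample ruleset are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit iptables-save output for admin ports reachable
# from outside the PAW subnet. Names and sample data are constructed.
PAW_SUBNET="10.10.50.0/24"   # PAW subnet from Example 1
ADMIN_PORTS="22 5986"        # assumed admin ports: SSH, WinRM over HTTPS

# Constructed sample ruleset (not taken from a real host).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.50.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5986 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 22,5986 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one finding per line.
# Limits: exact CIDR match only (a narrower source inside the PAW subnet
# is still reported for review); port ranges such as 20:25 are not expanded.
audit_admin_ports() {
  awk -v paw="$PAW_SUBNET" -v ports="$ADMIN_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) admin[p[i]] = 1 }
    # A non-DROP default policy needs a manual check for a final drop rule.
    /^:INPUT / && $2 != "DROP" { print "POLICY: INPUT default is " $2 }
    /^-A INPUT / {
      src = "any"; plist = ""; target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "--dport" || $i == "--dports") plist = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (target != "ACCEPT" || src == paw) next
      m = split(plist, q, ",")
      for (k = 1; k <= m; k++)
        if (q[k] in admin) print "EXPOSED: port " q[k] " accepts from " src
    }'
}

# Stand-alone run: audit the sample (on a host: iptables-save | audit_admin_ports).
sample_rules | audit_admin_ports
```

Each reported rule is either a gap to close or an exception whose rationale belongs in the system security plan, as the control requires.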

Example 2: Deploy a jump server (bastion host) that all remote admin connections must pass through. In Azure, use Azure Bastion to provide RDP and SSH access to VMs without exposing them to the public internet. All sessions through Bastion are logged and auditable.