03.01.12 – Remote Access (NIST 800-171 Rev. 3)

2025-07-03

by DodecaCore

Welcome to our breakdown of 03.01.12 – Remote Access, part of the Access Control family under NIST SP 800-171 Revision 3.

This control is all about managing how users, systems, or administrators connect from outside your network. It protects your systems from one of the most exploited entry points: remote access.

03.01.12 – Remote Access

Remote access includes any connection that crosses external networks — like when an employee uses a VPN, an IT admin connects over SSH, or a vendor accesses your system through RDP.

While remote access enables flexibility and support, it also increases risk. This control ensures that:

  • Only approved connections are allowed
  • All access is routed through controlled entry points
  • Privileged actions are restricted when done remotely

One exposed admin port can open the floodgates for attackers.

03.01.12 – Key Requirements

To comply with this control, organizations must:

  • Define which types of remote access are permitted
  • Establish usage rules for configuration, authentication, and encryption
  • Authorize remote access before it’s granted
  • Route all access through approved access control points
  • Restrict remote execution of privileged commands or security-relevant actions

03.01.12 – Implementation Tips

To control remote access effectively:

  • Maintain a list of allowed access types (VPN, RDP, SSH, etc.)
  • Use encryption, MFA, and logging for all remote connections
  • Deploy firewalls, jump boxes, or secure gateways
  • Require explicit approval for any remote session
  • Document rules for privileged remote access
  • Review logs regularly and update access as threats evolve
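
As an added illustration (not DodecaCore's code and not part of the original post), the key requirements can be written as a check over remote session records. The policy values, field names and sample sessions below are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy (assumptions for illustration, not a real environment)
APPROVED_METHODS = {"vpn", "ssh", "rdp"}             # permitted access types
CONTROL_POINTS = [ip_network("10.0.50.0/28")]        # jump boxes / gateways
AUTHORIZED = {"alice": {"vpn", "ssh"}, "vendor1": {"rdp"}}  # user -> methods
PRIVILEGED_REMOTE = {"alice"}    # may run privileged commands remotely

@dataclass
class Session:
    user: str
    method: str
    source_ip: str    # address the target system saw the connection from
    mfa: bool
    encrypted: bool
    privileged: bool  # session ran privileged or security-relevant commands

def findings(s):
    """Return the list of policy violations for one remote session."""
    out = []
    if s.method not in APPROVED_METHODS:
        out.append("method-not-permitted")
    if s.method not in AUTHORIZED.get(s.user, set()):
        out.append("user-not-authorized")
    if not any(ip_address(s.source_ip) in net for net in CONTROL_POINTS):
        out.append("bypassed-control-point")
    if not s.mfa:
        out.append("no-mfa")
    if not s.encrypted:
        out.append("unencrypted")
    if s.privileged and s.user not in PRIVILEGED_REMOTE:
        out.append("privileged-action-not-authorized")
    return out

def audit(sessions):
    """Map session index -> violations, omitting compliant sessions."""
    report = {i: findings(s) for i, s in enumerate(sessions)}
    return {i: f for i, f in report.items() if f}

# Constructed sample sessions
SAMPLE = [
    Session("alice", "ssh", "10.0.50.4", True, True, True),
    Session("vendor1", "rdp", "203.0.113.7", True, True, False),
    Session("bob", "telnet", "10.0.50.5", False, False, False),
    Session("vendor1", "rdp", "10.0.50.6", True, True, True),
]

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE).items():
        print(idx, SAMPLE[idx].user, problems)
```
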

🌐 If it touches your systems from the outside, it must be controlled.

03.01.12 – Evidence

Be ready to show auditors:

  • Remote access policies and procedures
  • Diagrams or documentation of approved access points
  • System configuration files for VPNs, SSH, or RDP
  • Audit logs of remote access and privileged activity
  • A list of approved remote users and access methods
  • Monitoring records and alerts for remote sessions
  • SSP entries showing how remote access is handled

Include in your SSP

Document the following:

  • What remote access methods are permitted
  • Who is authorized to use them
  • How remote sessions are secured and monitored

Why it matters

Remote access is a major convenience — and a major risk. Whether it's a misconfigured VPN or a forgotten RDP port, attackers love to target external entry points.

Remote access is not the problem. Uncontrolled remote access is.

DodecaCore helps secure your remote access with centralized control points, policy enforcement, and audit-ready visibility.

  • Gateways and firewalls for managed access
  • Audit-ready remote session logs
  • Role-based controls for privileged remote actions
  • Documentation tools built for your SSP

Coming up next in our NIST 800-171 Rev. 3 series: 03.01.13 – Wireless Access. We’ll cover how to secure Wi-Fi, Bluetooth, and other wireless technologies — or when to restrict them entirely.

Need help securing remote access?

Visit dodecacore.com for policy-based enforcement, audit trails, and centralized access control.