GRCWatch
Sign inStart free trial

CIS Control 12.7: Ensure Remote Devices Utilize a VPN

Remote work exposes enterprise resources to unauthorized access if devices connect without encryption. CIS Control 12.7 mandates VPN authentication before any resource access, creating a security perimeter around your distributed workforce. This control is foundational for organizations managing remote teams across multiple locations.

What this means

CIS Control 12.7 requires that all end-user devices accessing enterprise resources must first authenticate through an enterprise-managed VPN and authentication infrastructure. This ensures encrypted, authenticated connections for remote access and prevents unauthorized access to sensitive systems and data from uncontrolled networks.

How to comply

  1. 1.Deploy enterprise-managed VPN infrastructure with strong authentication (MFA recommended) for all remote access
  2. 2.Configure authentication systems to validate user identity before granting VPN access
  3. 3.Establish policies requiring mandatory VPN connection before any enterprise resource access
  4. 4.Disable direct access to enterprise resources from non-VPN connections
  5. 5.Monitor and log all VPN authentication attempts and connections
  6. 6.Regularly test VPN connectivity and authentication workflows across device types
  7. 7.Document VPN architecture, authentication requirements, and user access procedures

Evidence auditors look for

  • VPN system configuration documentation showing authentication requirements
  • Authentication infrastructure logs demonstrating user verification before access
  • Network firewall rules blocking non-VPN connections to enterprise resources
  • Device management policies requiring VPN client installation and use
  • VPN connection logs showing successful user authentication timestamps
  • Access control lists restricting resource access to authenticated VPN sessions
  • Security policy documentation outlining VPN usage requirements for remote workers

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically collects VPN authentication logs, validates user MFA compliance, and maps connection evidence to CIS 12.7 requirements—eliminating manual audit log compilation and accelerating control validation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 12.1 — Authorize Network AccessCIS Control 12.6 — Use Standard Hardening Configuration TemplatesCIS Control 13.1 — Maintain and Enforce Network Segmentation