NIST 800-171 Control 3.1.14: Route Remote Access Through Managed Access Control Points
Remote access presents significant security risks if not properly controlled. NIST SP 800-171 control 3.1.14 requires organizations to route all remote access through managed access control points, ensuring visibility and enforcement of security policies. This control is critical for protecting CUI and maintaining a defensible security perimeter.
What this means
Control 3.1.14 mandates that remote access to systems cannot bypass centralized security checkpoints. All remote connections—whether VPN, jump servers, or remote desktop sessions—must pass through managed gateways where authentication, authorization, and monitoring occur. This eliminates shadow access paths and ensures every remote session is subject to the same security controls as on-premise traffic.
How to comply
- 1.Deploy a centralized remote access gateway (VPN appliance, zero-trust access portal, or jump host) that all remote users must connect through
- 2.Configure the gateway to enforce multi-factor authentication for all remote connection attempts
- 3.Implement network routing policies that prevent direct connections from external networks to internal systems, forcing traffic through the gateway
- 4.Log all remote access sessions with timestamps, user identifiers, and connection details
- 5.Regularly audit routing configurations and access logs to detect unauthorized bypass attempts
- 6.Document the remote access architecture, including approved gateways, routing rules, and exceptions
- 7.Test remote access controls quarterly to confirm that direct connections are blocked and all traffic flows through managed checkpoints
Evidence auditors look for
- VPN gateway configuration showing all remote access routed through centralized appliance
- Network firewall rules blocking direct remote connections and permitting only gateway traffic
- Multi-factor authentication logs for remote access gateway
- Remote access session logs with user, timestamp, source IP, and destination systems
- Jump host or bastion server configuration enforcing single point of entry
- Zero-trust network access control policy documentation
- Quarterly access control testing reports confirming bypass prevention
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the monitoring and logging of all remote access sessions through managed control points, generates compliance evidence from your gateway logs, and alerts you to any unauthorized access attempts—eliminating manual log review for 3.1.14.
See how GRCWatch handles this control automatically
Start free trial