Control 3.1.14
Route Remote Access via Managed Access Control Points
Official Requirement
Route remote access via managed access control points.
What This Means in Plain English
All remote connections must go through a limited number of controlled entry points (like a VPN gateway or secure web portal). Users should not be able to bypass these gateways and connect directly to internal systems.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- All remote access routed through a FortiGate VPN concentrator as the sole managed entry point
- FortiGate firewall rules blocking direct external access to internal resources
- Cisco Meraki SD-WAN ensuring branch office traffic routes through central security controls
- Microsoft Entra Application Proxy providing secure access to internal web applications without direct exposure
- Network architecture documentation showing all managed access control points
Assessment Guidance
Assessors will review network diagrams confirming all remote access flows through managed access points, test that direct connections to internal systems from external networks are blocked, and verify that all access control points are monitored.
Common Implementation Gaps
- Direct RDP or SSH ports exposed to the internet
- Shadow IT cloud services bypassing the corporate VPN
- IoT devices with direct internet connectivity
- No network diagram showing managed access control points
- Multiple unmonitored entry points into the network
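As an added example (not part of this page or of Petronella's tooling), the script below audits a constructed inbound firewall policy for the gaps listed above: accept rules that let untrusted sources reach anything other than the designated managed access control points, and any rule that exposes RDP or SSH to the internet. The addresses, rule names and the set of managed entry points are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of managed access control points (assumed addresses):
# a VPN concentrator and an application proxy are the only permitted entry points.
MANAGED_ENTRY_POINTS = {
    "203.0.113.10": "VPN concentrator",
    "203.0.113.20": "Application proxy",
}
# Remote administration ports that must never be reachable directly from the internet.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Source values that mean "anywhere on the internet" in this constructed policy format.
UNTRUSTED_SOURCES = {"any", "0.0.0.0/0", "wan"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    port: int
    action: str  # "accept" or "deny"


def audit_inbound_rules(rules):
    """Return (rule name, reason) findings for accept rules that violate 3.1.14.

    A rule is a finding when an untrusted source may reach a remote admin port
    anywhere, or may reach a destination that is not a managed entry point.
    Deny rules and rules with internal sources are out of scope here.
    """
    findings = []
    for rule in rules:
        if rule.action.lower() != "accept":
            continue
        if rule.source.lower() not in UNTRUSTED_SOURCES:
            continue
        if rule.port in REMOTE_ADMIN_PORTS:
            findings.append((rule.name, f"{REMOTE_ADMIN_PORTS[rule.port]} exposed to the internet"))
        elif rule.destination not in MANAGED_ENTRY_POINTS:
            findings.append((rule.name, f"unmanaged entry point {rule.destination}:{rule.port}"))
    return findings


# Constructed sample policy: two compliant rules, three gaps, one deny, one internal rule.
SAMPLE_RULES = [
    Rule("vpn-inbound", "any", "203.0.113.10", 443, "accept"),
    Rule("proxy-inbound", "any", "203.0.113.20", 443, "accept"),
    Rule("legacy-rdp", "any", "10.0.5.12", 3389, "accept"),
    Rule("vendor-ssh", "0.0.0.0/0", "203.0.113.10", 22, "accept"),
    Rule("lab-web", "wan", "10.0.9.4", 8080, "accept"),
    Rule("deny-all", "any", "any", 0, "deny"),
    Rule("internal-rdp", "10.0.0.0/8", "10.0.5.12", 3389, "accept"),
]

if __name__ == "__main__":
    for name, reason in audit_inbound_rules(SAMPLE_RULES):
        print(f"GAP {name}: {reason}")
```

Exported rule sets from a real firewall would need a small adapter into `Rule`; the audit logic is the same.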
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-17(3) |
| PCI DSS | Req 1.3 - Restrict inbound and outbound traffic |
Need Help Implementing 3.1.14?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.