Title

Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions. (Cat II impact)

Discussion

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection. Rationale for non-applicability: Remote access applications are not within the scope of this SRG. In general, remote access to the mobile device is most appropriately controlled by the operating system, not third party applications. Applications supporting remote access to the mobile device are not permitted on DoD CMD, with the exception of native OS support for personal hotspots and USB tethering that is compliant with the MOS SRG. The SRG scope also does not cover applications which include plug-in or portable code that will make the application: (i) support multiple users; (ii) enable remote user access or administration; and (iii) provide network or application services to other nodes.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-46393r1_rule

Vulnerability ID: V-35106

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.