Every remote connection into your environment is managed and logged.
What it actually means
Remote access is one of the most common ways attackers get in, so the program weights it heavily. Remote sessions must come through approved, managed paths (a VPN concentrator or a cloud identity gateway), be logged to a central store, and be gated by device-compliance and MFA checks before the session is granted. You control how people connect, and you can see who connected, from which device, and when.
Pass or fail — an assessor needs a "yes" to each
- Remote access is permitted only through approved, managed paths.
- Remote sessions are logged centrally.
- Device-compliance and MFA checks gate remote connections.
What to have ready
- Remote-access policy
- VPN / gateway configuration and logs
- Conditional-access policies requiring compliant devices + MFA
Where teams trip up
- Ad-hoc remote tools outside the managed path (RDP exposed directly to the internet, consumer remote-desktop apps, SSH on a forgotten jump host)
- No logging of remote sessions
- Remote access without MFA
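The three assessor checks above can be tested against the gateway logs you will hand over as evidence. The script below is an added example, not part of the original page or any vendor's tooling: it parses a small set of constructed key=value session records (the format, the gateway names `vpn-gw1` and `cloud-idgw`, and the field names are all assumptions) and flags every session that came through an unapproved path, lacked MFA, or did not pass a device-compliance check. One caveat it cannot remove: a script only sees sessions that reached the central log, so the "remote sessions are logged centrally" check is evidenced by the gateway and forwarding configuration, not by this output.

```python
"""Audit remote-access session records against the three assessor checks.

Added example; the log format and gateway names are assumptions, not a
specific product's output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed names of the approved, managed remote-access paths.
APPROVED_GATEWAYS = {"vpn-gw1", "cloud-idgw"}

# Constructed sample records (not real logs). One line per session:
# <timestamp> gateway=<path> user=<id> src=<ip> mfa=<pass|none> device_compliant=<true|false|unknown>
SAMPLE_LOG = """\
2024-05-02T10:14:03Z gateway=vpn-gw1 user=alice src=203.0.113.5 mfa=pass device_compliant=true
2024-05-02T10:20:41Z gateway=cloud-idgw user=bob src=198.51.100.7 mfa=pass device_compliant=false
2024-05-02T11:02:17Z gateway=vpn-gw1 user=carol src=192.0.2.9 mfa=none device_compliant=true
2024-05-02T11:45:00Z gateway=rdp-direct user=dave src=203.0.113.77 mfa=none device_compliant=unknown
2024-05-02T12:01:55Z gateway=vpn-gw1 user=erin src=198.51.100.30 mfa=pass device_compliant=true
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

REASON_PATH = "unapproved path"
REASON_MFA = "no MFA"
REASON_DEVICE = "device compliance not verified"


@dataclass
class Finding:
    timestamp: str
    user: str
    gateway: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp gets its own key."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def audit_sessions(log_text: str, approved: set[str] = APPROVED_GATEWAYS) -> list[Finding]:
    """Return one Finding per session that fails any of the three checks."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons: list[str] = []
        # Check 1: only approved, managed paths.
        if rec.get("gateway") not in approved:
            reasons.append(REASON_PATH)
        # Check 3a: MFA must have been satisfied for the session.
        if rec.get("mfa") != "pass":
            reasons.append(REASON_MFA)
        # Check 3b: device compliance must be positively confirmed; "unknown" fails too.
        if rec.get("device_compliant") != "true":
            reasons.append(REASON_DEVICE)
        if reasons:
            findings.append(Finding(rec["timestamp"], rec.get("user", "?"), rec.get("gateway", "?"), reasons))
    return findings


def control_status(findings: list[Finding]) -> dict[str, bool]:
    """Map findings onto the assessor's yes/no answers; one violating session fails the check."""
    seen = {r for f in findings for r in f.reasons}
    return {
        "approved_paths_only": REASON_PATH not in seen,
        "mfa_on_every_session": REASON_MFA not in seen,
        "compliant_devices_only": REASON_DEVICE not in seen,
    }


if __name__ == "__main__":
    hits = audit_sessions(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.user:<6} via {h.gateway:<11} -> {', '.join(h.reasons)}")
    print(control_status(hits))
```

Run against the sample, the script flags bob (non-compliant device), carol (no MFA) and dave (direct RDP, no MFA, compliance never evaluated), and all three assessor answers come back "no". Point it at an export from your real gateway, adjusting the field names, and a clean run is evidence for the third pass/fail bullet; the first bullet additionally needs a firewall or endpoint inventory showing no other inbound path exists.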
If your environment genuinely allows no remote access, this can be Not Applicable — but you must document that, and prohibit enabling remote access without a change and reassessment.
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →