All remote access is protected with strong cryptography.
What it actually means
Whatever path remote users take in, the session has to be encrypted end to end — TLS 1.2+ or an IPsec VPN. This pairs with 3.1.12: 3.1.12 says monitor and control the session; 3.1.13 says encrypt it.
Pass or fail — an assessor needs a "yes" to each
- Remote sessions use TLS 1.2+ or IPsec VPN (strong, current protocols).
- No plaintext or weak/legacy protocols are permitted for remote access.
What to have ready
- VPN/gateway crypto configuration showing TLS 1.2+/IPsec
- Disabled legacy protocol settings
Where teams trip up
- Legacy TLS/SSL or weak ciphers still enabled
- Assuming the VPN is encrypted without verifying the configuration
Not Applicable only if there is genuinely no remote access (document it, same as 3.1.12).
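One way to verify a TLS-based remote access endpoint instead of assuming, shown as an added example that is not part of the original page: offer each protocol version on its own and record which ones the gateway accepts. The function names and the `vpn.example.test` host are hypothetical, the sample result is constructed, and IPsec tunnels still need their configuration reviewed directly.

```python
import socket
import ssl
import warnings

LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
CURRENT = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def offers(host, port, version, timeout=5.0):
    """True if a handshake pinned to one version completes, False if refused,
    None if this client cannot offer that version at all."""
    if not getattr(ssl, "HAS_" + version.name, False):
        return None  # local OpenSSL lacks it: a refusal would prove nothing
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate checks are a separate test
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():   # Python warns when legacy versions are set
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version in LEGACY:
        # Assumption: OpenSSL 1.1.0+; lets a hardened client still offer TLS 1.0/1.1
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    # Connection errors propagate: an unreachable gateway is not a "refused".
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except (ssl.SSLError, OSError):
            return False

def assess(results):
    """results: {version name: True accepted / False refused / None untested}."""
    findings = []
    for v in LEGACY:
        state = results.get(v.name)
        if state is True:
            findings.append(f"FAIL {v.name}: legacy protocol accepted")
        elif state is None:
            findings.append(f"UNVERIFIED {v.name}: client could not offer it")
    if not any(results.get(v.name) for v in CURRENT):
        findings.append("FAIL: neither TLSv1_2 nor TLSv1_3 accepted")
    return findings  # empty list: the evidence supports a "yes"

def probe(host, port):
    return {v.name: offers(host, port, v) for v in LEGACY + CURRENT}

if __name__ == "__main__":
    # Constructed result for illustration; live use: probe("vpn.example.test", 443)
    sample = {"TLSv1": False, "TLSv1_1": True, "TLSv1_2": True, "TLSv1_3": True}
    print(assess(sample) or "PASS")
```

An `UNVERIFIED` finding means the probing machine could not send that protocol version, so rerun from a client that can before recording the legacy protocol as disabled.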