Evidence – AC.L2-3.1.14
Route Remote Access Through Managed Access Control Points
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.14, which requires remote access to be routed through managed access control points.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Remote access is routed through centrally managed access controls
- Access decisions are enforced by organizational policy
- Direct, unmanaged access paths are not permitted
Evidence Artifacts
1. Managed Cloud Access Enforcement
Evidence demonstrating that managed access control points are in place may include:
- Centralized identity-based access controls governing remote access
- Device trust requirements enforced before access is granted
- Denial of access from unmanaged or non-compliant devices
Examples of acceptable sources:
- Microsoft Entra ID Conditional Access policies
- Microsoft Intune device compliance enforcement
- Google Workspace Admin Console access control policies
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
In cloud-first environments, managed access control points are implemented through identity, device, and access policy enforcement rather than traditional network gateways.