Evidence – AC.L2-3.1.16
Authorize Remote Access to Privileged Accounts
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.16, which requires authorization for remote access to privileged accounts.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Remote access to privileged accounts is explicitly authorized
- Privileged accounts cannot be accessed remotely without approval
- Access restrictions are enforced through identity and device controls
Evidence Artifacts
1. Remote Access Authorization for Privileged Accounts
Evidence demonstrating authorization may include:
- Conditional Access policies restricting privileged account access
- Device compliance requirements for remote privileged access
- Restrictions preventing privileged accounts from accessing systems remotely unless authorized
Examples of acceptable sources:
- Microsoft Entra ID Conditional Access policies for admin roles
- Microsoft Intune device compliance enforcement
- Google Workspace Admin role access restrictions
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
Authorization applies specifically to privileged accounts and is enforced before remote access is granted.