Evidence – AC.L2-3.1.17
Authorize Remote Access to Non-Privileged Accounts
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.17, which requires authorization for remote access to non-privileged accounts.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Remote access is explicitly enabled and controlled
- Only authorized users can access systems remotely
- Remote access is restricted to approved devices and identities
Evidence Artifacts
1. Authorization for Remote User Access
Evidence demonstrating authorization may include:
- Conditional Access policies governing remote user access
- Device compliance or trust requirements for remote access
- Restrictions preventing access from unauthorized locations or devices
Examples of acceptable sources:
- Microsoft Entra ID Conditional Access user access policies
- Microsoft Intune device compliance requirements
- Google Workspace Admin Console access controls
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
Remote access authorization applies to standard user accounts and is enforced through cloud-based access controls.