NIST 800-171 Control 3.13.12: Monitor and Control Remote Access Sessions to Secure CUI
Control 3.13.12 within NIST Special Publication 800-171 requires organizations handling Controlled Unclassified Information to implement comprehensive monitoring and control mechanisms for all remote access sessions. This control ensures that when users connect to organizational systems from external networks, their activities are tracked, logged, and subject to ongoing oversight. The control applies to all forms of remote access including Virtual Private Networks, Remote Desktop Protocol, Secure Shell connections, and cloud-based system access where CUI may be present or accessible.
Remote access represents a significant security vector because it involves connections traversing untrusted networks such as the internet, home networks, and public wireless access points. Without proper monitoring and control, organizations cannot detect compromised sessions, insider threats, unauthorized privilege escalation, or credential misuse. This control establishes the foundation for accountability by ensuring that every remote connection is visible to security operations personnel and can be analyzed for suspicious behavior in real time or during forensic investigations.
Understanding the Scope and Requirements of Control 3.13.12
The monitoring requirement encompasses real-time visibility into remote session activities. Organizations must implement technical solutions that capture connection events as they occur and make this information available to security operations teams. Monitoring includes tracking when users initiate remote connections, which systems or resources they access during those sessions, and when sessions terminate. For privileged remote access sessions, monitoring extends to capturing administrative commands and configuration changes made during the connection.
Control mechanisms complement monitoring by enforcing policies that restrict remote access based on organizational requirements. This includes limiting which users are authorized for remote access, specifying which systems can be accessed remotely, enforcing session timeouts for idle connections, and implementing technical controls that prevent unauthorized actions during remote sessions. Control functions ensure that remote access permissions align with documented policies and that deviations trigger alerts or automatic enforcement actions.
The control does not prescribe specific technologies but requires organizations to implement solutions appropriate to their environment and risk profile. Common implementation approaches include deploying VPN concentrators with integrated logging capabilities, utilizing Security Information and Event Management platforms to aggregate and analyze remote access logs, implementing privileged access management solutions for administrative sessions, and configuring remote access gateways to enforce policy-based restrictions.
Implementation Steps for Monitoring Remote Access Sessions
Organizations should begin implementation by identifying all methods through which remote access to CUI systems occurs. This inventory must include approved remote access tools such as corporate VPN solutions, remote desktop services, cloud management consoles, and any third-party remote support applications. Each access method must be evaluated to determine its logging capabilities and whether it can provide the visibility required for compliance.
Session logging configuration should capture essential data elements for every remote connection. At minimum, logs must record the authenticated user identity, source IP address from which the connection originated, timestamp for session establishment, timestamp for session termination, and identification of target systems accessed during the session. For administrative or privileged remote sessions, organizations should implement session recording or command logging to capture the specific actions taken during the connection. This granular logging enables security teams to reconstruct user activities during incident investigations and verify that remote access privileges were not misused.
Real-time monitoring capabilities should be established to detect suspicious remote access patterns as they occur. Organizations can implement automated alerting for high-risk scenarios such as remote connections from unexpected geographic locations, multiple failed authentication attempts preceding a successful login, remote access occurring outside normal business hours when not anticipated, unusually long session durations, and attempts to access systems or data beyond the user’s authorized scope. These alerts enable rapid response to potential security incidents before significant damage occurs.
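As an added illustration of the logging elements and alert patterns described above (example code, not from the page or from NIST), the Python below runs four of the listed detections over constructed gateway log lines; the log format, session ids, user names and policy thresholds are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample gateway log, not real output. Assumed line format:
#   <ISO-8601 UTC timestamp> <event> user=<id> src=<ip> [sid=<session>] [target=<host>]
SAMPLE_LOG = """\
2024-03-04T02:05:11Z AUTH_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:05:40Z AUTH_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:06:02Z AUTH_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:06:30Z AUTH_OK user=jdoe src=203.0.113.7 sid=s1
2024-03-04T02:07:00Z ACCESS user=jdoe src=203.0.113.7 sid=s1 target=cui-fileserver
2024-03-04T02:08:00Z ACCESS user=jdoe src=203.0.113.7 sid=s1 target=hr-db
2024-03-04T15:10:00Z SESSION_END user=jdoe src=203.0.113.7 sid=s1
2024-03-04T09:00:00Z AUTH_OK user=asmith src=198.51.100.4 sid=s2
2024-03-04T09:01:00Z ACCESS user=asmith src=198.51.100.4 sid=s2 target=cui-fileserver
2024-03-04T09:45:00Z SESSION_END user=asmith src=198.51.100.4 sid=s2
"""

# Policy thresholds are constructed for the example; tune them to organizational risk.
POLICY = {
    "business_hours": (8, 18),            # UTC hours in which logins are expected
    "max_session": timedelta(hours=8),    # sessions longer than this are unusual
    "fail_threshold": 3,                  # failures within fail_window before a success
    "fail_window": timedelta(minutes=10),
    "authorized_targets": {               # documented access scope per user (constructed)
        "jdoe": {"cui-fileserver"},
        "asmith": {"cui-fileserver"},
    },
}

def parse_line(line):
    """Split one log line into a dict with a parsed timestamp, event and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def analyze(log_text, policy=POLICY):
    """Return sorted (rule, user, session_id) alerts found in the log text."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    alerts = set()
    recent_fails = {}   # user -> timestamps of AUTH_FAIL events since last success
    opened = {}         # session id -> AUTH_OK record that started it
    for r in records:
        user, event = r["user"], r["event"]
        if event == "AUTH_FAIL":
            recent_fails.setdefault(user, []).append(r["ts"])
        elif event == "AUTH_OK":
            sid = r["sid"]
            opened[sid] = r
            # Several failures immediately before a success suggests credential guessing.
            window = [t for t in recent_fails.pop(user, []) if r["ts"] - t <= policy["fail_window"]]
            if len(window) >= policy["fail_threshold"]:
                alerts.add(("failed-then-success", user, sid))
            lo, hi = policy["business_hours"]
            if not lo <= r["ts"].hour < hi:
                alerts.add(("off-hours-login", user, sid))
        elif event == "ACCESS":
            if r["target"] not in policy["authorized_targets"].get(user, set()):
                alerts.add(("out-of-scope-target", user, r["sid"]))
        elif event == "SESSION_END":
            start = opened.get(r["sid"])
            if start and r["ts"] - start["ts"] > policy["max_session"]:
                alerts.add(("long-session", user, r["sid"]))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user, sid in analyze(SAMPLE_LOG):
        print(f"{rule}: user={user} session={sid}")
```

In a real deployment these rules would run inside the SIEM against exported gateway logs rather than over an inline string, and the geographic-location check from the list above would additionally need a source-IP enrichment source.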
Regular log review processes must be established as part of security operations. Even with automated alerting, periodic human analysis of remote access logs helps identify subtle patterns that automated systems might miss. Organizations should define review frequencies based on risk, with higher-risk environments requiring more frequent analysis. Review activities should be documented to demonstrate ongoing compliance during assessments.
Establishing Control Mechanisms for Remote Sessions
Policy-based access restrictions form the foundation of session control. Organizations must document which personnel roles are authorized for remote access, under what circumstances remote access is permitted, and which systems or data can be accessed remotely. These policies should be implemented through technical controls rather than relying solely on user compliance. For example, firewall rules and network access control systems should enforce which users can establish remote connections to specific network segments.
Session timeout configurations prevent abandoned or forgotten remote sessions from remaining active indefinitely. Organizations should implement automatic session termination after a defined period of inactivity. The appropriate timeout duration balances security and usability, with more sensitive environments warranting shorter timeout periods. Session timeouts should apply to the remote connection itself rather than only the applications accessed during the session, ensuring that the network pathway closes when activity ceases.
Strong authentication requirements work in conjunction with monitoring to ensure that remote sessions originate from legitimate users. While multi-factor authentication is addressed in separate NIST controls, its implementation directly supports the monitoring objectives of control 3.13.12 by providing higher assurance that logged user identities correspond to actual authorized individuals. Organizations should integrate authentication systems with monitoring platforms so that authentication events and subsequent session activities are correlated in log analysis.
Encryption enforcement ensures that remote session content cannot be intercepted during transmission across untrusted networks. While control 3.1.13 specifically addresses cryptographic protection, proper encryption implementation enables effective monitoring by ensuring that organizations control the encryption endpoints. When remote session encryption terminates at organizationally controlled gateways, monitoring systems at those gateways can inspect session content for malicious activity without compromising confidentiality during transmission.
Compliance Evidence and Assessment Preparation
Assessors evaluating compliance with control 3.13.12 will examine both technical configurations and operational processes. Organizations should prepare documentation demonstrating that monitoring and control capabilities are implemented and actively used. Required evidence typically includes remote access policies documenting authorized use cases and restrictions, configuration exports from VPN gateways showing logging settings, sample remote access logs covering a representative time period, alert configurations for suspicious remote access activity, and records of log review activities performed by security operations personnel.
Technical demonstrations may be requested during assessments to verify that monitoring and control mechanisms function as documented. Assessors might ask to observe the establishment of a remote session and confirm that appropriate log entries are generated, review real-time monitoring dashboards showing active remote sessions, examine how alerts are triggered when policy violations occur, or verify that session timeouts and other control mechanisms operate as configured. Organizations should ensure that personnel responsible for managing remote access systems can articulate how monitoring and control functions operate and demonstrate system capabilities during assessment activities.
Common deficiencies identified during assessments include incomplete logging that fails to capture essential session details, logs that are generated but never reviewed or analyzed, monitoring systems that are deployed but not configured to alert on suspicious activities, and inconsistent application of controls across different remote access methods. Organizations should conduct internal audits before formal assessments to identify and remediate these gaps.
Integration with Complementary Security Controls
Control 3.13.12 operates as part of a broader remote access security framework within NIST 800-171. Organizations must understand how this control relates to and depends upon other requirements to achieve comprehensive protection. Control 3.1.13 mandates cryptographic protection for remote sessions, ensuring that monitored sessions cannot be eavesdropped on during transmission. Without encryption, monitoring provides visibility into session establishment but cannot protect the content being accessed.
Control 3.1.14 requires routing remote access through managed access control points rather than allowing arbitrary peer-to-peer connections. This routing requirement enables centralized monitoring by ensuring all remote sessions pass through systems where logging and inspection can occur. Organizations that permit distributed or unmanaged remote access methods will find it extremely difficult to achieve comprehensive monitoring compliance.
Control 3.5.3 requires multi-factor authentication for network-based access to CUI systems. Since remote access by definition involves network-based connections, MFA is mandatory for remote sessions. The integration of MFA with session monitoring creates stronger assurance that logged user identities are accurate, enhancing the value of monitoring data for security analysis and incident response.
Control 3.13.7 prohibits split tunneling for remote access connections, preventing remote devices from simultaneously connecting to organizational systems and external networks. This prohibition supports monitoring objectives by ensuring that all network traffic from remote users passes through organizational security controls where it can be inspected and logged. Split tunneling would create blind spots in monitoring by allowing users to access external resources without visibility.
Remote Access Monitoring Technologies and Tools
Virtual Private Network solutions with integrated logging capabilities provide a common foundation for remote access monitoring. Enterprise VPN platforms typically include features for logging connection events, enforcing access policies, and integrating with authentication systems. When selecting or configuring VPN solutions, organizations should verify that logging granularity meets control requirements and that logs can be exported to centralized management platforms for analysis.
Security Information and Event Management platforms aggregate logs from multiple sources including VPN gateways, remote desktop servers, and cloud access systems. SIEM tools enable correlation of remote access events with other security data, automated alerting based on defined rules, and long-term retention of log data for compliance and investigation purposes. Effective SIEM implementation requires configuring appropriate log sources, developing alert rules aligned with organizational risk, and establishing processes for investigating triggered alerts.
Privileged Access Management solutions provide enhanced monitoring and control for administrative remote sessions. PAM platforms typically offer session recording capabilities that capture the entire remote session including commands entered and screens viewed. This detailed recording enables forensic analysis of privileged activities and provides strong evidence that administrative access was used appropriately. PAM solutions also enforce approval workflows for privileged remote access and can automatically terminate sessions that exceed authorized durations.
Network Access Control systems complement remote access monitoring by verifying device compliance before permitting connections. NAC solutions can check whether remote devices have current antivirus signatures, required security patches, and approved configurations before allowing network access. Integration with monitoring platforms provides visibility into which devices are connecting remotely and enables policies that restrict access based on device health status.
Common Implementation Challenges and Solutions
Organizations frequently encounter challenges when implementing comprehensive remote access monitoring. Legacy remote access methods may lack adequate logging capabilities, requiring upgrades or replacement with modern solutions that support detailed session monitoring. When immediate replacement is not feasible, compensating controls such as enhanced network monitoring at access boundaries or mandatory approval processes for legacy remote access can provide interim risk reduction.
Log volume can become overwhelming when monitoring all remote access sessions, particularly in large organizations with extensive remote workforces. Organizations should implement log filtering and aggregation to focus attention on high-value events while retaining comprehensive records for compliance and investigation. Automated analysis and alerting reduce the burden on security operations teams by highlighting anomalous activities that warrant human investigation.
Remote access from mobile devices and diverse platforms complicates monitoring implementation. Organizations should establish standard remote access methods that support comprehensive logging rather than permitting users to employ personal or unmanaged remote access tools. For situations where diverse access methods are necessary, centralized authentication and gateway architectures ensure that monitoring can occur even when endpoints vary.
Balancing security monitoring with user privacy expectations requires clear communication and documented policies. Organizations should inform users that remote access sessions are monitored for security purposes and obtain acknowledgment of monitoring policies. This transparency addresses privacy concerns while establishing that monitoring is a condition of remote access authorization rather than covert surveillance.
Remote Access Monitoring in Cloud and Hybrid Environments
Cloud-based systems containing CUI require remote access monitoring even when those systems are not located on traditional organizational networks. Access to cloud infrastructure management consoles, cloud-hosted applications, and cloud storage systems must be treated as remote access subject to the same monitoring requirements as traditional VPN connections. Organizations should implement cloud access security broker solutions or utilize native cloud platform logging to capture session activities in cloud environments.
Hybrid environments with both on-premises and cloud resources present monitoring challenges because remote sessions may traverse multiple access points and management planes. Organizations should implement unified monitoring architectures that aggregate logs from all access methods into centralized analysis platforms. Identity and access management integration across hybrid environments enables consistent user tracking regardless of which systems are accessed during a remote session.
Software-as-a-Service applications accessed by remote users require evaluation to determine whether they contain CUI and therefore fall within the scope of remote access monitoring requirements. When SaaS applications do contain CUI, organizations must ensure that user access to those applications is logged and monitored. This may involve enabling enhanced logging features within SaaS platforms, implementing reverse proxy solutions that monitor SaaS access, or restricting SaaS access to occur only through monitored VPN connections.
Operational Processes for Effective Session Control
Documented procedures should establish how security operations personnel respond to alerts generated by remote access monitoring systems. Response procedures must define escalation criteria, investigation steps, and authorities for terminating suspicious remote sessions. Clear procedures enable consistent and timely response to potential security incidents involving remote access.
Periodic reviews of remote access permissions ensure that monitoring focuses on currently authorized users and that departed personnel or those who no longer require remote access have had their permissions revoked. Access reviews should verify that documented authorizations align with technical configurations and that users have not accumulated excessive remote access permissions over time.
Incident response plans must address scenarios involving compromised remote access credentials or malicious use of legitimate remote access. Response procedures should enable rapid termination of active sessions, analysis of logs to determine the scope of unauthorized activities, and evidence preservation for forensic investigation. Organizations should conduct tabletop exercises that include remote access compromise scenarios to verify that response procedures are effective and that personnel understand their roles.
Continuous improvement processes analyze monitoring data and security incidents to identify opportunities for enhancing remote access security. Metrics such as the frequency of remote access alerts, the proportion of alerts representing actual security issues versus false positives, and the time required to detect and respond to remote access incidents provide insights into monitoring effectiveness. Organizations should regularly review these metrics and adjust monitoring configurations and response processes to improve security outcomes.
Implementation Comparison Table
| Implementation Aspect | Minimum Compliance | Enhanced Security | Key Differences |
|---|---|---|---|
| Session Logging | User ID, source IP, start and end times recorded | Full session recording with command logging and screen capture for privileged access | Enhanced approach enables detailed forensic analysis and verification of administrative activities |
| Monitoring Scope | VPN and RDP connections to systems with CUI logged | All remote access methods including cloud consoles, SSH, and third-party tools monitored centrally | Comprehensive scope eliminates blind spots from unmonitored access methods |
| Alert Configuration | Manual log review conducted periodically | Real-time automated alerts for suspicious patterns with 24/7 security operations center monitoring | Automated alerting enables immediate response to threats rather than delayed detection |
| Session Controls | Idle timeout configured at system default values | Risk-based timeout policies with session termination enforced at network layer, application layer, and endpoint | Multi-layer enforcement prevents bypass and ensures sessions terminate regardless of application behavior |
| Access Restrictions | Remote access permitted to authorized users based on documented policy | Just-in-time access provisioning requiring approval for each remote session with automatic revocation | Just-in-time approach limits exposure window and ensures access remains necessary throughout session duration |
FAQ
What types of remote access sessions must be monitored under NIST 3.13.12?
All remote access sessions connecting to systems containing Controlled Unclassified Information must be monitored. This includes VPN connections, Remote Desktop Protocol sessions, Secure Shell sessions, cloud-based access to systems with CUI, and remote support or maintenance connections. The control applies regardless of whether users are employees, contractors, vendors, or managed service providers. Cloud-based email access, infrastructure management consoles, and SaaS applications containing CUI also fall within scope. Organizations must inventory all methods through which remote access occurs and implement monitoring for each pathway. The monitoring requirement applies to both interactive user sessions and automated processes that connect remotely to CUI systems.
What information should be logged for each remote access session?
Organizations should capture comprehensive session data including user identification, source IP address, session start and end times, systems or resources accessed, and commands executed for privileged sessions. Additional logging may include session duration, authentication methods used, data transfers, and any security alerts or anomalies detected during the session. For administrative remote access, detailed command logging or full session recording provides evidence of actions taken during privileged sessions. Logs must be retained for sufficient duration to support security investigations and compliance assessments. The specific retention period should align with organizational policy and regulatory requirements. Log data should be protected with access controls to prevent tampering and ensure authenticity when used as evidence during incident investigations or audits.
How does NIST 3.13.12 differ from other remote access controls?
NIST 3.13.12 focuses specifically on monitoring and controlling active sessions, while complementary controls address different aspects of remote access security. Control 3.1.13 requires encryption for remote sessions, control 3.1.14 mandates routing through managed access control points, control 3.5.3 requires multi-factor authentication, and control 3.13.7 prevents split tunneling. Together, these controls create a comprehensive remote access security framework. Organizations cannot achieve full remote access security by implementing only one control in isolation. For example, monitoring sessions without encryption would leave data vulnerable during transmission, while encryption without monitoring would create visibility gaps. Effective implementation requires addressing all related controls as an integrated system where each control reinforces and enables the others to provide defense in depth.