
Episode 14_REMOTE ACCESS_ (AC-17)

1.4K views· 81 likes· 9:08· Jan 31, 2023


In this episode of the NIST SP 800-53 Rev 5 Security Control explanatory series, we review the AC-17 Remote Access control, simplify what the control requirements are all about, and cover how best to assess/test this control during the Security Control Assessment (SCA) process and the self-assessment process in the Continuous Monitoring/Ongoing Authorization phase of the RMF.

Computer Security Resource Center: https://csrc.nist.gov/publications

About This Video

In Episode 14 of my NIST SP 800-53 Rev. 5 Access Control series, I break down AC-17 (Remote Access) and simplify what the control is really asking you to do. Remote access is a huge enabler for off-site workers and travel, but the whole point of AC-17 is making sure only authorized remote connections occur—and only to the authorized organizational network and components.

I walk through the exact control requirements: (a) establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each remote access type you allow, and (b) authorize each remote access type before you allow it.

I also clear up a common confusion: VPN vs RDP. A VPN is an encrypted tunnel into the network, and once you’re authenticated through the VPN, that access is treated as local—not remote access. RDP, on the other hand, is remote access to a specific device on the network. I talk about security and monitoring tradeoffs too—encrypted VPNs help confidentiality and integrity, but they can impact performance and make monitoring traffic harder.

Finally, I cover how I assess/test AC-17 during an SCA or during continuous monitoring/ongoing authorization. I examine the access control policy/procedures (AC-1), the SSP, the authorized user list, usage restrictions, logs, and—when permitted—attempt a remote connection to validate the process. I also emphasize least privilege and the need for documented approval (even a ticket with a signature/authorization) for who can remotely access what.
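As an added illustration of the log review described above (example code, not from the video), a small Python check that compares constructed remote-access log lines against a hypothetical AC-17 authorization list built from the SSP and signed approval tickets; the log format, user names and component names are all assumptions:

```python
"""AC-17 evidence check: flag successful remote connections that the
documented authorization list (SSP / approved tickets) does not cover."""
import re
from dataclasses import dataclass

# Hypothetical authorization list: user -> {remote access type -> approved targets}.
AUTHORIZED = {
    "alice": {"VPN": {"corp-net"}, "RDP": {"srv-fin-01"}},
    "bob": {"VPN": {"corp-net"}},
}

# Constructed sample log lines (not real data), one connection per line:
# <timestamp> <type> user=<name> target=<component> result=<allowed|denied>
SAMPLE_LOG = """\
2023-01-31T08:01:12Z VPN user=alice target=corp-net result=allowed
2023-01-31T08:05:40Z RDP user=alice target=srv-fin-01 result=allowed
2023-01-31T09:12:03Z RDP user=bob target=srv-fin-01 result=allowed
2023-01-31T09:30:55Z VPN user=carol target=corp-net result=allowed
2023-01-31T10:02:17Z RDP user=alice target=srv-hr-02 result=denied
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) target=(\S+) result=(\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    access_type: str
    user: str
    target: str
    reason: str


def assess_remote_access(log_text, authorized):
    """Return a Finding for every *allowed* connection outside the approved
    scope. Denied attempts are not findings (the control worked), but an
    unparseable line is reported so the log-review evidence is not silently
    incomplete."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", "?", "?", f"unparseable log line: {line!r}"))
            continue
        ts, atype, user, target, result = m.groups()
        if result != "allowed":
            continue
        per_type = authorized.get(user, {})  # unknown user -> nothing approved
        if atype not in per_type:
            findings.append(Finding(ts, atype, user, target, f"{atype} not authorized for user"))
        elif target not in per_type[atype]:
            findings.append(Finding(ts, atype, user, target, f"target not in approved {atype} scope"))
    return findings
```

Each finding maps back to the AC-17(b) requirement (an allowed remote access type with no documented authorization) and points the assessor at the specific user, type and target to request approval evidence for.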
