The core requirement of practice AC.L2-3.1.14 is to ensure that all remote connections are channeled through specific, managed, and controlled entry points before accessing the internal network where CUI resides. This prevents unauthorized or unmanaged pathways into the secure environment. The assessment objective for this practice, as defined by the CMMC Level 2 Assessment Guide, is to determine if the organization has (a) identified, (b) implemented, and (c) routed remote access through these managed access control points. Option B is the only choice that comprehensively covers all three of these essential determination criteria for the practice.

A. The contractor manages access control points: This is only one part of the requirement. The practice also requires that these points are identified and that all remote traffic is actively routed through them.

C. All remote access is monitored: While monitoring is a good security practice often implemented at access control points, it is a separate requirement covered by the Audit and Accountability (AU) domain, not AC.L2-3.1.14.

D. All users are authenticated before being granted remote access: Authentication is a fundamental security principle but is addressed by other practices, such as those in the Identification and Authentication (IA) domain (e.g., IA.L1-3.5.2).

1. Cybersecurity Maturity Model Certification (CMMC) CMMC Level 2 Assessment Guide, Version 2.0 (December 2021).

Reference: Page 31, Practice AC.L2-3.1.14, Assessment Objectives.

Content: The guide explicitly lists the assessment objectives as: "[a] managed access control points are identified; [b] managed access control points are implemented; and [c] remote access is routed through the managed network access control points." This directly corresponds to the correct answer.

2. NIST Special Publication (SP) 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Reference: Page 17, Section 3.1, Control 3.1.14.

Content: The control states, "Route remote access through managed access control points." The discussion clarifies that these points (e.g., firewalls, VPN gateways) are used to direct traffic flow and protect internal networks, reinforcing the focus on routing and management.

3. NIST Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information.

Reference: Page 2-21, Control 3.1.14, Assessment Objectives.

Content: This document, which provides the methodology for assessing NIST SP 800-171 controls, lists the objectives for this control as determining if "managed access control points are identified" and "remote access is routed through the managed access control points," which aligns with the CMMC guide and the correct answer.