Remote Access is covered by sub-requirements of requirement 1 (firewall) and requirement 8 (authentication), but I prefer managing them together.
A personal firewall is required for mobile device (not in a fixed location) that may connect remotely to the network or to a network not controlled by the organization. The goal of this requirement is to protect such devices when they may be connected to a more hostile network environment not controlled by the organization, such as an cafe or airport (or even some home networks). In such networks, malware is often lurking, just waiting for targets to exploit. Jeff Man argues that personal firewall belongs in requirement 2 (hardening) which is another way to look at this.
Two-factor authentication is included in requirement 8 (authentication), but it makes sense to tie it here. Any remote access (user, administrator, vendor, etc.) that can interact with the CDE in some way, shape or form, can be seen as 'breaching' the CDE 'bubble' (or isolation). This added level in risk is compensated by that second factor which means that two of the following must be used to confirm the user's identity:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric.
Remember that you must use 2 different categories, as two of the same category (say a password and a PIN) are still considered a single factor (used twice).
The goal of authentication is to tie every action back to an individual user; any factor (password, token, certificate, etc.) must be tied to an individual and CANNOT be shared between multiple users.