We are looking to have our own unattended access remote tool for all our companies endpoints. I also would be the only technician that would have access.

This brings up the question/concern I have with these remote access tools which is what EXACTLY constitutes compliance ? We absolutely do NOT want to host anything ourselves, so if the service provider host it on their cloud, do they have to meet certain requirements, such as FedRAMP Moderate? What are tools that you use/recommend?

Looking through NIST 800-171 does not provide and obvious answer, so any documentation/answers to support what is needed would be greatly appreciated.

If you have already achieved CMMC compliance and you use a remote support tool, please explain what you did/what they were looking for during evaluation.

Thank you for taking the time to read this!