NIST 171

NIST SP 800-171: A set of security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems, commonly used by contractors working with the U.S. government.

Controls:

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

  • Access Control Policy and Procedures - 3.1.1

    Develop, document, and periodically update access control policy and procedures.

  • Access Enforcement - 3.1.2

    Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

  • Boundary Protection - 3.1.3

    Control the flow of CUI in accordance with approved authorizations.

  • Publicly Accessible Content - 3.1.4

    Control information posted or processed on publicly accessible information systems.

  • Wireless Access - 3.1.5

    Authorize wireless access prior to allowing connection to the information system.

  • Remote Access - 3.1.6

    Control remote access using encrypted tunnels such as Virtual Private Networks (VPNs).

  • Remote Access Monitoring - 3.1.7

    Monitor and control remote access sessions.

  • Least Privilege - 3.1.8

    Employ the principle of least privilege, including for specific duties and timeframes.

  • Password Management - 3.1.9

    Require the use of complex passwords for all privileged accounts.

  • Password Management - 3.1.10

    Require the use of complex passwords for all non-privileged accounts.

  • Password Management - 3.1.11

    Prohibit password reuse for a defined number of generations.

  • Password Management - 3.1.12

    Store and transmit passwords using cryptographically sound techniques.

  • Account Management - 3.1.13

    Limit unsuccessful logon attempts and take appropriate action.

  • Authentication - 3.1.14

    Employ multi-factor authentication for local and network access to privileged accounts.

  • Authentication - 3.1.15

    Employ multi-factor authentication for network access to non-privileged accounts.

  • Account Management - 3.1.16

    Manage information system accounts, to include establishing, activating, modifying, disabling, and removing accounts.

  • Account Termination - 3.1.17

    Terminate information system access of former employees within [Assignment: organization-defined time period].

  • Session Lock - 3.1.18

    Monitor for inactivity and take action to prevent unauthorized use.

  • Mobile Device Connection - 3.1.19

    Control connection of mobile devices.

Ensure that managers, system administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

  • Security Awareness Training - 3.2.1

    Provide security awareness training to information system users (including managers; senior executives; and contractors) on recognizing and reporting potential indicators of insider threats.

  • Annual Security Awareness Training - 3.2.2

    Ensure that personnel receive adequate security awareness training at least annually.

Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

  • Audit Logging - 3.3.1

    Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

  • User Accountability - 3.3.2

    Ensure that the actions of individual information system users can be uniquely traced to those users.

  • Audit Record Retention - 3.3.3

    Retain audit records for [Assignment: organization-defined time period].

  • Audit Analysis - 3.3.4

    Provide audit record reduction and summarization tools.

  • Audit Record Protection - 3.3.5

    Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the system development life cycle.

  • Baseline Configuration - 3.4.1

    Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the system development life cycle.

  • Security Configuration - 3.4.2

    Establish and enforce security configuration settings for all components of the information system consistent with applicable security policies, standards, and procedures.

  • Security Configuration Benchmarks - 3.4.3

    Apply security configuration benchmarks to establish and maintain the security configuration of information system components.

  • Change Control - 3.4.4

    Track, review, approve, and disapprove changes to information systems.

  • Security Impact Analysis - 3.4.5

    Analyze the security impact of changes prior to implementation.

  • Access Restrictions for Changes - 3.4.6

    Define, document, and enforce physical and logical access restrictions associated with changes to the information system.

  • Configuration Management Tools - 3.4.7

    Employ configuration management tools to maintain and control hardware, software, firmware, and documentation.

  • Configuration Monitoring - 3.4.8

    Monitor configuration changes to the information system on an ongoing basis.

Identify information system users, processes acting on behalf of users, or devices.

  • User Identification - 3.5.1

    Identify information system users, processes acting on behalf of users, or devices.

  • User Authentication - 3.5.2

    Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

  • Credential Strength - 3.5.3

    Use identifier authentication credentials that are commensurate with the risk and potential impact of unauthorized access.

Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

  • Incident Response Plan - 3.6.1

    Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

  • Incident Response Plan Development - 3.6.2

    Develop and implement an incident response plan.

  • Incident Response Plan Testing - 3.6.3

    Test the organizational incident response plan.

  • Incident Handling Process - 3.6.4

    Establish, maintain, and use a process for tracking, documenting, and reporting information security incidents.

Perform maintenance on organizational information systems.

  • System Maintenance - 3.7.1

    Perform maintenance on organizational information systems.

  • Qualified Personnel - 3.7.2

    Provide trained and qualified personnel for conducting information system maintenance.

  • Maintenance Supervision - 3.7.3

    Supervise the activities of maintenance personnel.

  • Maintenance Records - 3.7.4

    Maintain a record of maintenance activities.

  • Control of Maintenance Tools - 3.7.5

    Control maintenance tools.

  • Malicious Code Check - 3.7.6

    Check media containing diagnostic and test programs for malicious code before the media are used in the information system.

Protect information system media containing CUI at rest.

  • Media Protection at Rest - 3.8.1

    Protect information system media containing CUI at rest.

  • Media Access Control - 3.8.2

    Limit access to CUI on information system media to authorized users.

  • Removable Media Control - 3.8.3

    Control the use of removable media on organizational information systems.

  • Media Sanitization/Destruction - 3.8.4

    Sanitize or destroy information system media containing CUI before disposal or release for reuse.

Screen individuals prior to granting access to the information system.

  • Personnel Screening - 3.9.1

    Screen individuals prior to granting access to the information system.

  • Security Responsibilities Awareness - 3.9.2

    Ensure that organizational personnel are aware of their security responsibilities.

  • Access Termination Procedures - 3.9.3

    Establish and implement procedures for the termination of individual access to the information system.

Limit physical access to the information system, equipment within the facility, and support infrastructure to authorized individuals.

  • Physical Access Control - 3.10.1

    Limit physical access to the information system, equipment within the facility, and support infrastructure to authorized individuals.

  • Physical Security Safeguards - 3.10.2

    Establish physical security safeguards for the facility and perimeter.

  • Physical Access Monitoring - 3.10.3

    Control and monitor physical access to the facility.

  • Physical Access Audit Logs - 3.10.4

    Maintain audit logs of physical access attempts and failures.

  • Visitor Control - 3.10.5

    Control and monitor visitor access to the facility.

  • Environmental Controls - 3.10.6

    Protect the facility and its information systems from environmental hazards.

  • Alternate Work Site - 3.10.7

    Provide alternate work sites to support continuation of operations in the event of a disaster or other emergency.

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

  • Risk Assessment - 3.11.1

    Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

  • Vulnerability Scanning - 3.11.2

    Scan for vulnerabilities in organizational information systems and applications periodically and when new vulnerabilities affecting the system are identified.

  • Vulnerability Remediation - 3.11.3

    Remediate vulnerabilities in accordance with risk assessments.

Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

  • Security Assessments - 3.12.1

    Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

  • Plan of Action and Milestones - 3.12.2

    Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

  • Security Control Monitoring - 3.12.3

    Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information system.

  • Boundary Protection - 3.13.1

    Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information system.

  • System Isolation - 3.13.2

    Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

  • Cryptographic Protection - 3.13.3

    Employ cryptographic mechanisms to protect the confidentiality of CUI at rest.

  • Cryptographic Protection - 3.13.4

    Employ cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.

  • Firewall Implementation - 3.13.5

    Implement firewalls at organizational connections to external networks.

  • Denial of Service Protection - 3.13.6

    Implement denial of service protection.

  • Malicious Code Protection - 3.13.7

    Monitor and control organizational communications at external boundaries to prevent and detect malicious code.

  • Spam Protection - 3.13.8

    Employ spam protection mechanisms at information system entry and exit points.

  • Malicious Code Protection Updates - 3.13.9

    Update malicious code protection mechanisms when new releases are available.

  • Traffic Flow Control - 3.13.10

    Control the flow of organizational traffic into and out of the information system.

  • Portable Storage Device Restriction - 3.13.11

    Implement a policy that restricts the use of organization-controlled portable storage devices with external information systems.

Identify, report, and correct information and information system flaws in a timely manner.

  • Flaw Remediation - 3.14.1

    Identify, report, and correct information and information system flaws in a timely manner.

  • Malicious Code Protection - 3.14.2

    Protect against malicious code at appropriate locations within organizational information systems.

  • Malicious Code Protection Updates - 3.14.3

    Update malicious code protection mechanisms when new releases are available.

  • Information System Monitoring - 3.14.4

    Perform periodic scans of the information system and real-time scans of files downloaded from external sources.

  • Unauthorized Changes Monitoring - 3.14.5

    Monitor organizational systems for unauthorized changes to software, firmware, and hardware.

  • Software and Firmware Integrity - 3.14.6

    Employ software and firmware integrity checks.