NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations): NIST SP 800-171r2 is the most widely adopted revision, because it is the one DFARS 252.204-7012 flows down to defence contractors, and it defines 110 security requirements (commonly called controls) grouped into 14 requirement families. The latest revision, NIST SP 800-171r3, consolidates these into 97 requirements across 17 families, but CMMC 2.0 assessments remain scoped to r2.
NIST SP 800-171Ar2 (Assessing Security Requirements for Controlled Unclassified Information): provides the assessment procedures used to verify that the 110 requirements of NIST SP 800-171r2, across its 14 families, are implemented. NIST SP 800-171Ar2 is the authoritative source of the assessment procedure for each requirement. For each one it defines the security requirement, the assessment objectives (the determination statements an assessor must satisfy) and the potential assessment methods and objects: examine (specifications, mechanisms, activities), interview (individuals or groups) and test (mechanisms or activities).
Cyber capabilities matter to any organisation that wants to manage cybersecurity successfully, because cybersecurity requires more than compliance with standards. A capability is not a single outcome but a combination of processes, skills, knowledge, tools and behaviours that work together to let an organisation deliver a specific security outcome.
The 14 NIST SP 800-171r2 requirement families, and the requirements in each, as assessed under CMMC 2.0 Level 2, are listed below. The one-line descriptions are paraphrases; the binding wording is in NIST SP 800-171r2 and the corresponding assessment objectives are in NIST SP 800-171Ar2.
Access Control (3.1)
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
3.1.3 Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts
3.1.6 Use non-privileged accounts or roles when accessing non-security functions
3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
3.1.8 Limit unsuccessful logon attempts
3.1.9 Provide privacy and security notices consistent with applicable CUI rules
3.1.10 Use session lock with pattern-hiding displays to prevent access to and viewing of data after a period of inactivity
3.1.11 Terminate (automatically) a user session after a defined condition
3.1.12 Monitor and control remote access sessions
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
3.1.14 Route remote access via managed access control points
3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information
3.1.16 Authorize wireless access prior to allowing such connections
3.1.17 Protect wireless access using authentication and encryption
3.1.18 Control connection of mobile devices
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms
3.1.20 Verify and control/limit connections to and use of external systems
3.1.21 Limit use of portable storage devices on external systems
3.1.22 Control CUI posted or processed on publicly accessible systems
Awareness and Training (3.2)
3.2.1 Ensure that managers, systems administrators and users are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures
3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities
3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat
Audit and Accountability (3.3)
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable
3.3.3 Review and update logged events
3.3.4 Alert in the event of an audit logging process failure
3.3.5 Correlate audit record review, analysis and reporting processes for investigation of and response to indications of unlawful, unauthorized, suspicious or unusual activity
3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting
3.3.7 Synchronize system clocks with an authoritative source to generate time stamps for audit records
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification and deletion
3.3.9 Limit management of audit logging functionality to a subset of privileged users
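The audit requirements above ask that every record be traceable to an individual (3.3.2), carry a time stamp from a synchronized clock (3.3.7) and be protected from modification or deletion (3.3.8). One technique for the last point is a hash-chained log in which each record's hash covers the previous record's hash, so an edited or removed record breaks the chain on verification. The following is an added example to illustrate that technique; it is not code or text from NIST SP 800-171 or 800-171A, and the record fields, the sample events and the user names are constructed for it. The standard does not prescribe hash chaining; it is one way to meet the intent of 3.3.8.

```python
"""Hash-chained audit trail (added example; not from NIST SP 800-171/171A).

Each record names the acting user (3.3.2) and carries a time stamp (3.3.7); records
are linked by a SHA-256 chain so that modification or deletion of a stored record
is detectable on verification, one technique for 3.3.8. Field names, events and
users below are constructed for this example.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor preceding the first record


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, user: str, action: str, target: str, ts: Optional[str] = None) -> dict:
        """Append one record. `ts` defaults to now (UTC); a synchronized clock is assumed."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,  # the individual the action is traced to
            "action": action,
            "target": target,
        }
        body["hash"] = _digest(prev, body)
        self.records.append(body)
        return body

    def head(self) -> str:
        """Latest chain hash; keep a copy where the log writer cannot alter it."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Recompute the chain. Returns (ok, index of first bad record, or -1).

        Editing or deleting a record breaks the chain from that point on. Deleting
        only the newest records does not, so pass the externally stored
        `expected_head` to detect truncation as well.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or _digest(prev, body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)
        return True, -1


def demo() -> dict:
    """Constructed events; returns verification results for intact and tampered copies."""
    trail = AuditTrail()
    trail.append("alice", "read", "/cui/contract-42.pdf", ts="2024-05-01T09:00:00+00:00")
    trail.append("bob", "run-privileged", "/usr/sbin/useradd", ts="2024-05-01T09:01:10+00:00")
    trail.append("alice", "delete", "/cui/draft.docx", ts="2024-05-01T09:02:30+00:00")
    anchor = trail.head()  # what a write-once log server or WORM store would hold

    edited = copy.deepcopy(trail)
    edited.records[1]["user"] = "alice"  # reattribute bob's privileged action

    gapped = copy.deepcopy(trail)
    del gapped.records[1]  # remove the privileged action entirely

    truncated = copy.deepcopy(trail)
    del truncated.records[2]  # drop only the newest record

    return {
        "intact": trail.verify(anchor),
        "edited": edited.verify(anchor),
        "gapped": gapped.verify(anchor),
        "truncated_no_anchor": truncated.verify(),
        "truncated_with_anchor": truncated.verify(anchor),
    }


if __name__ == "__main__":
    for name, (ok, first_bad) in demo().items():
        print(f"{name:22s} ok={ok} first_bad={first_bad}")
```

The `truncated_no_anchor` case is the caveat an assessor should probe under 3.3.8: a hash chain alone cannot show that the newest records were deleted, so the current head hash (or the records themselves) must also be forwarded to a system the log writer cannot modify, and verification must compare against that copy.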
Configuration Management (3.4)
3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the system development life cycle
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
3.4.3 Track, review, approve or disapprove, and log changes to organizational systems
3.4.4 Analyze the security impact of changes prior to implementation
3.4.5 Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems
3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
3.4.7 Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services
3.4.8 Apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software, or a deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software
3.4.9 Control and monitor user-installed software
Identification and Authentication (3.5)
3.5.1 Identify system users, processes acting on behalf of users, and devices
3.5.2 Authenticate (or verify) the identities of users, processes or devices as a prerequisite to allowing access to organizational systems
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
3.5.5 Prevent reuse of identifiers for a defined period
3.5.6 Disable identifiers after a defined period of inactivity
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created
3.5.8 Prohibit password reuse for a specified number of generations
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password
3.5.10 Store and transmit only cryptographically-protected passwords
3.5.11 Obscure feedback of authentication information
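Three of the requirements above concern how passwords are handled at creation and storage: minimum complexity and a minimum number of changed characters (3.5.7), no reuse within a number of generations (3.5.8) and storage of only cryptographically-protected passwords (3.5.10). The following is an added example of one implementation, written for this page and not taken from NIST SP 800-171 or 800-171A. It keeps only salted PBKDF2-HMAC-SHA256 hashes, checks a candidate against each retained hash to enforce the generation rule, and requires the current password at change time so that the changed-character count can be computed without ever storing plaintext. The length, character-class and changed-character thresholds, the generation count and the sample account are assumptions for the example; the organisation defines the real values.

```python
"""Password creation and storage for 3.5.7, 3.5.8 and 3.5.10 (added example; not
from NIST SP 800-171/171A). Policy thresholds, history depth and the sample user
are assumptions for this example, not values the standard specifies.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256
HISTORY_GENERATIONS = 5       # 3.5.8: prior passwords that may not be reused (assumed)
MIN_LENGTH = 14               # 3.5.7: organisation-defined; assumed for this example
MIN_CHANGED_CHARS = 4         # 3.5.7: minimum positions that must differ (assumed)


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    iterations: int


def derive(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def matches(password: str, stored: StoredPassword) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(derive(password, stored.salt, stored.iterations), stored.digest)


def complexity_errors(password: str) -> List[str]:
    """3.5.7: minimum length plus at least three of four character classes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        errors.append("fewer than three character classes")
    return errors


def changed_characters(old: str, new: str) -> int:
    """Positions that differ, plus any length difference."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


@dataclass
class Account:
    user: str
    current: Optional[StoredPassword] = None
    history: List[StoredPassword] = field(default_factory=list)  # oldest first

    def set_password(self, new: str, old: Optional[str] = None) -> List[str]:
        """Apply policy; on success store only the new hash and rotate history.
        Returns the list of policy violations (empty on success)."""
        errors = complexity_errors(new)
        if self.current is not None:
            if old is None or not matches(old, self.current):
                return ["current password required to change"]
            if changed_characters(old, new) < MIN_CHANGED_CHARS:
                errors.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
        # 3.5.8: one KDF evaluation per retained hash; the cost is deliberate.
        retained = self.history + ([self.current] if self.current else [])
        if any(matches(new, h) for h in retained):
            errors.append(f"reuses one of the last {HISTORY_GENERATIONS} passwords")
        if errors:
            return errors
        if self.current is not None:
            self.history = (self.history + [self.current])[-HISTORY_GENERATIONS:]
        salt = os.urandom(16)  # fresh random salt per password (3.5.10)
        self.current = StoredPassword(salt, derive(new, salt), PBKDF2_ITERATIONS)
        return []

    def verify(self, password: str) -> bool:
        return self.current is not None and matches(password, self.current)


def demo() -> dict:
    """Walk one constructed account through the policy and return each outcome."""
    acct = Account("alice")
    r = {}
    r["weak_rejected"] = acct.set_password("password1")
    r["first_ok"] = acct.set_password("Tr0ub4dor&3-horse")
    r["login_ok"] = acct.verify("Tr0ub4dor&3-horse")
    r["login_bad"] = acct.verify("tr0ub4dor&3-horse")
    r["minor_change_rejected"] = acct.set_password("Tr0ub4dor&3-horsf", old="Tr0ub4dor&3-horse")
    r["second_ok"] = acct.set_password("Correct-Horse-Battery-9", old="Tr0ub4dor&3-horse")
    r["reuse_rejected"] = acct.set_password("Tr0ub4dor&3-horse", old="Correct-Horse-Battery-9")
    r["history_len"] = len(acct.history)
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The transmission half of 3.5.10 is outside this snippet: the plaintext candidate must only ever reach `set_password` or `verify` over an authenticated, encrypted channel such as TLS, and 3.5.11 additionally requires that the user interface not echo it.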
Incident Response (3.6)
3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities
3.6.2 Track, document and report incidents to designated officials and/or authorities both internal and external to the organization
3.6.3 Test the organizational incident response capability
Maintenance (3.7)
3.7.1 Perform maintenance on organizational systems
3.7.2 Provide controls on the tools, techniques, mechanisms and personnel used to conduct system maintenance
3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization
Media Protection (3.8)
3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital
3.8.2 Limit access to CUI on system media to authorized users
3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse
3.8.4 Mark media with necessary CUI markings and distribution limitations
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards
3.8.7 Control the use of removable media on system components
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner
3.8.9 Protect the confidentiality of backup CUI at storage locations
Personnel Security (3.9)
3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
Physical Protection (3.10)
3.10.1 Limit physical access to organizational systems, equipment and the respective operating environments to authorized individuals
3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems
3.10.3 Escort visitors and monitor visitor activity
3.10.4 Maintain audit logs of physical access
3.10.5 Control and manage physical access devices
3.10.6 Enforce safeguarding measures for CUI at alternate work sites
Risk Assessment (3.11)
3.11.1 Periodically assess the risk to organizational operations, organizational assets and individuals resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
3.11.3 Remediate vulnerabilities in accordance with risk assessments
Security Assessment (3.12)
3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls
3.12.4 Develop, document and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems
System and Communications Protection (3.13)
3.13.1 Monitor, control and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
3.13.2 Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems
3.13.3 Separate user functionality from system management functionality
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling)
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity
3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device
3.13.13 Control and monitor the use of mobile code
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies
3.13.15 Protect the authenticity of communications sessions
3.13.16 Protect the confidentiality of CUI at rest
System and Information Integrity (3.14)
3.14.1 Identify, report and correct system flaws in a timely manner
3.14.2 Provide protection from malicious code at designated locations within organizational systems
3.14.3 Monitor system security alerts and advisories and take action in response
3.14.4 Update malicious code protection mechanisms when new releases are available
3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened or executed
3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
3.14.7 Identify unauthorized use of organizational systems