323 items across the GovConCyber reference layer carry this topic.
Guides & research
- Cybersecurity Compliance Tools
- Cybersecurity Self-Assessment Checklists
- Healthcare Government Contractor Cybersecurity Requirements
- Cybersecurity Statutes for Federal Contractors
- Privacy Policy
- Terms of Use
- Cybersecurity Requirements by Industry
- Legal Disclaimer
- Agency-Specific Cybersecurity Requirements
- Advisory
- Speaking
- The GovConCyber Newsletter
- State Cybersecurity Laws for Federal Contractors
- How to Build a GovCon Cybersecurity Program
- About GovConCyber
- FAR Baseline
- Contact GovConCyber
- GovConCyber Compliance Toolkit
- Defense Contractor Cybersecurity Requirements
- Financial Services Government Contractor Cyber Requirements
- Education Government Contractor Cybersecurity Requirements
- Energy Sector Government Contractor Cyber Requirements
- Federal Cybersecurity Requirements for Contractors
- Cybersecurity Frameworks
Requirements
- Limit System Access to Authorized Users
- Use Session Lock
- Terminate Sessions
- Monitor and Control Remote Access
- Protect Remote Access with Cryptography
- Route Remote Access Through Managed Control Points
- Authorize Remote Privileged Access
- Authorize Wireless Access
- Protect Wireless Access
- Control Connection of Mobile Devices
- Encrypt CUI on Mobile Devices
- Limit Access to Permitted Transactions and Functions
- Control Connections to External Systems
- Limit Portable Storage on External Systems
- Control CUI on Publicly Accessible Systems
- Control the Flow of CUI
- Separate Duties of Individuals
- Employ the Principle of Least Privilege
- Use Non-Privileged Accounts for Nonsecurity Functions
- Restrict and Audit Privileged Functions
- Limit Unsuccessful Logon Attempts
- Provide Privacy and Security Notices
- Limit Physical Access
- Protect and Monitor the Facility
- Escort and Monitor Visitors
- Maintain Physical Access Logs
- Control Physical Access Devices
- Safeguard CUI at Alternate Work Sites
- Periodically Assess Risk
- Scan for Vulnerabilities
- Remediate Vulnerabilities by Risk
- Periodically Assess Security Controls
- Develop Plans of Action (POA&M)
- Continuously Monitor Controls
- Maintain a System Security Plan
- Protect Communications at Boundaries
- Manage Cryptographic Keys
- Use FIPS-Validated Cryptography
- Control Collaborative Computing Devices
- Control Mobile Code
- Control VoIP
- Protect Authenticity of Sessions
- Protect Confidentiality of CUI at Rest
- Use Secure Engineering Principles
- Separate User and Management Functions
- Prevent Information Transfer via Shared Resources
- Implement DMZ Subnetworks
- Deny by Default at Boundaries
- Prevent Split Tunneling
- Encrypt CUI in Transmission
- Terminate Network Connections
- Identify and Correct Flaws Timely
- Provide Malicious Code Protection
- Monitor Security Alerts and Advisories
- Update Malicious Code Protection
- Perform Periodic and Real-Time Scans
- Monitor Systems for Attacks
- Identify Unauthorized Use
- Provide Security Awareness
- Train Personnel for Their Security Duties
- Train on Insider Threat Indicators
- Create and Retain Audit Logs
- Ensure Actions Are Traceable to Users
- Review and Update Logged Events
- Alert on Audit Logging Failure
- Correlate Audit Review and Analysis
- Provide Audit Reduction and Reporting
- Synchronize System Clocks
- Protect Audit Information and Tools
- Limit Management of Audit Functionality
- Establish Baseline Configurations and Inventory
- Enforce Security Configuration Settings
- Track and Approve Changes
- Analyze Security Impact of Changes
- Restrict Access for Changes
- Employ Least Functionality
- Restrict Nonessential Programs and Services
- Apply Allow/Deny Software Policy
- Control User-Installed Software
- Identify Users, Processes, and Devices
- Protect Stored and Transmitted Passwords
- Obscure Authentication Feedback
- Authenticate Users, Processes, and Devices
- Use Multifactor Authentication
- Use Replay-Resistant Authentication
- Prevent Reuse of Identifiers
- Disable Inactive Identifiers
- Enforce Password Complexity
- Prohibit Password Reuse
- Require Immediate Change of Temporary Passwords
- Establish an Incident-Handling Capability
- Track and Report Incidents
- Test Incident Response
- Perform System Maintenance
- Control Maintenance Tools and Personnel
- Sanitize Equipment Removed for Maintenance
- Check Maintenance Media for Malicious Code
- Require MFA for Nonlocal Maintenance
- Supervise Unauthorized Maintenance Personnel
- Protect System Media Containing CUI
- Limit Access to CUI on Media
- Sanitize or Destroy Media Before Disposal
- Mark Media with CUI Markings
- Account for Media During Transport
- Encrypt CUI on Media in Transport
- Control Use of Removable Media
- Prohibit Media with No Identifiable Owner
- Protect Confidentiality of Backups
- Screen Individuals Before Access
- Protect CUI During Personnel Actions
- Report Covered Cyber Incidents and Ransom Payments to CISA
- Cyber Threat Indicator Sharing (Voluntary)
- Safeguard Criminal Justice Information (CJIS Security Policy)
- Obtain and Maintain CMMC Certification at the Required Level
- Protect Bank Secrecy Act / FinCEN Information
- Protect Critical Energy/Electric Infrastructure Information
- Protect Criminal History Records Information
- Protect Controlled Technical Information
- Protect Chemical-Terrorism Vulnerability Information
- Decontrol CUI When Safeguarding Is No Longer Required
- Destroy CUI Using Approved Methods
- Apply Limited Dissemination Controls and Lawful Government Purpose
- Comply With Export Controls for CUI (EAR/ITAR)
- Use FedRAMP-Authorized Cloud for CUI (DoD: FedRAMP-Moderate Equivalent)
- Protect Student Records
- Flow Down CUI Safeguarding Requirements to Subcontractors
- Protect Health Information CUI
- Identify and Categorize CUI Using the CUI Registry
- Report Loss or Compromise of CUI
- Apply CUI Markings (Banner, Portion, Category, and Limited Dissemination)
- Protect CUI on Nonfederal Systems per NIST SP 800-171
- Apply Enhanced Safeguards for High-Value CUI (APT)
- Protect Protected Critical Infrastructure Information
- Protect Proprietary Business Information / Trade Secrets
- Protect Privacy CUI and Sensitive PII
- Safeguard CUI at the 32 CFR 2002 Baseline
- Protect Nuclear Safeguards Information
- Apply Category-Specific (CUI Specified) Handling Controls
- Protect Source Selection and Procurement-Sensitive Information
- Protect Sensitive Security Information
- Protect Federal Taxpayer Information
- Provide CUI Awareness Training to the Workforce
- Protect Unclassified Controlled Nuclear Information
- Protect Water-System Risk and Resilience Assessments
- Report Cyber Incidents to DoD Within 72 Hours
- Address EU Cybersecurity Act Certification
- Obtain and Maintain a FedRAMP Authorization
- Implement GDPR Article 32 Security of Processing
- Notify GDPR Personal-Data Breaches Within 72 Hours
- Maintain a GLBA Safeguards-Rule Information Security Program
Showing the first 150. More items carry this topic.
Federal statutes
- OPEN Government Data Act
- Cybersecurity Enhancement Act of 2014
- FedRAMP Authorization Act
- False Claims Act
- Government in the Sunshine Act
- Advancing American AI Act
- USA FREEDOM Act of 2015
- Implementing Recommendations of the 9/11 Commission Act of 2007
- Critical Infrastructure Information Act of 2002
- Identity Theft and Assumption Deterrence Act of 1998
- Stevenson-Wydler Technology Innovation Act of 1980
- Health Insurance Portability and Accountability Act of 1996
- Communications Assistance for Law Enforcement Act
- E-Government Act of 2002
- Creating Advanced Streamlined Electronic Services for Constituents Act
- Information Quality Act
- Infrastructure Investment and Jobs Act
- Federal Information Technology Acquisition Reform Act
- Aviation and Transportation Security Act / SSI Regulations
- IT Modernization Centers of Excellence Program Act
- Computer Abuse Amendments Act of 1994
- AI in Government Act of 2020
- Federal Property and Administrative Services Act of 1949
- VA MISSION Act of 2018
- Electronic Freedom of Information Act of 1996
- Cyber Security Enhancement Act of 2002
- Health Information Technology for Economic and Clinical Health Act of 2009
- Telephone Records and Privacy Protection Act of 2006
- Driver's Privacy Protection Act of 1994
- Federal Information Security Modernization Act of 2014
- Paperwork Reduction Act of 1995
- Social Security Number Fraud Prevention Act of 2017
- Family Educational Rights and Privacy Act of 1974
- Justice System Improvement Act of 1979
- National Artificial Intelligence Initiative Act of 2020
- Right to Financial Privacy Act of 1978
- Homeland Security Act of 2002
- State and Local Government Cybersecurity Improvement Act
- Gramm-Leach-Bliley Act
- Telecommunications Act of 1996
- Computer Fraud and Abuse Act of 1986
- Homeland Security Information Sharing Act
- ADA Amendments Act of 2008
- Children's Online Privacy Protection Act of 1998
- Confidential Information Protection and Statistical Efficiency Act of 2018
- National Aeronautics and Space Administration Transition Authorization Act of 2017
- National Security Act of 1947
- Defending the Integrity of Voting Systems Act
- Consolidated Appropriations Act of 2005
- Freedom of Information Act
- Economic Espionage Act of 1996
- Electronic Communications Privacy Act of 1986
- FOIA Improvement Act of 2016
- Internet of Things Cybersecurity Improvement Act of 2020
- Paperwork Reduction Act of 1980
- Atomic Energy Act
- Communications Act of 1934
- No Electronic Theft Act
- Telephone Consumer Protection Act of 1991
- Intelligence Reform and Terrorism Prevention Act of 2004
- SECURE Technology Act
- Cyber Incident Reporting for Critical Infrastructure Act of 2022
- Currency and Foreign Transactions Reporting Act of 1970
- Computer Security Act of 1987
- Information Technology Management Reform Act of 1996
- Cybersecurity Act of 2015
- Title 13 U.S. Code
- Digital Millennium Copyright Act
- Defend Trade Secrets Act of 2016
- Cyber Response and Recovery Act
- Digital Accountability and Transparency Act of 2014
- Federal Trade Commission Act
- USA PATRIOT Act of 2001
- Veterans Benefits, Health Care, and Information Technology Act of 2006
- Clinger-Cohen Act of 1996
- Fair Credit Reporting Act
- Sarbanes-Oxley Act of 2002
- National Technology Transfer and Advancement Act of 1995
- Federal Information Security Management Act of 2002
- Proposed FAR CUI Rule
- Controlled Unclassified Information (implementing rule)
- NIST Special Publication 800-171
- CMMC Acquisition Rule
- Export Administration Regulations / Arms Export Control Act
- Safeguarding Covered Defense Information and Cyber Incident Reporting
- Assessing Contractor Implementation of Cybersecurity Requirements
- National Industrial Security Program (NISPOM Rule)
- Executive Order 13556, Controlled Unclassified Information
- Privacy Act of 1974
- Cybersecurity Maturity Model Certification Program
- Internal Revenue Code 6103 (Confidentiality of Returns)
- FAR Basic Safeguarding of Covered Contractor Information Systems
- NIST Special Publication 800-172
- Export Control Reform Act of 2018
- Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019
- International Emergency Economic Powers Act
- Defense Production Act of 1950, Section 721 (as amended by the Foreign Investment Risk Review Modernization Act of 2018)
State requirements
- Arizona — state requirements
- Delaware — state requirements
- Arkansas — state requirements
- Colorado — state requirements
- Kansas — state requirements
- Georgia — state requirements
- Maine — state requirements
- Michigan — state requirements
- District of Columbia — state requirements
- Tennessee — state requirements
- Louisiana — state requirements
- Illinois — state requirements
- Indiana — state requirements
- New York — state requirements
- Minnesota — state requirements
- Montana — state requirements
- Nebraska — state requirements
- Virginia — state requirements
- Nevada — state requirements
- New Jersey — state requirements
- Alabama — state requirements
- New Mexico — state requirements
- Hawaii — state requirements
- North Carolina — state requirements
- North Dakota — state requirements
- Kentucky — state requirements
- Ohio — state requirements
- Oklahoma — state requirements
- Maryland — state requirements
- Oregon — state requirements
- Pennsylvania — state requirements
- Puerto Rico — state requirements
- Rhode Island — state requirements
- Alaska — state requirements
- Iowa — state requirements
- South Carolina — state requirements
- South Dakota — state requirements
- Texas — state requirements
- Utah — state requirements
- Vermont — state requirements
- Washington — state requirements
- Wisconsin — state requirements
- Wyoming — state requirements
- Florida — state requirements
- Missouri — state requirements
- California — state requirements
- New Hampshire — state requirements
- Connecticut — state requirements
- Mississippi — state requirements
- Idaho — state requirements
- West Virginia — state requirements
- Massachusetts — state requirements