Framework
NIST SP 800-171
146 items in the GovConCyber reference layer are mapped to this framework; their requirement titles are listed below.
Requirements
- Limit System Access to Authorized Users
- Use Session Lock
- Terminate Sessions
- Monitor and Control Remote Access
- Protect Remote Access with Cryptography
- Route Remote Access Through Managed Control Points
- Authorize Remote Privileged Access
- Authorize Wireless Access
- Protect Wireless Access
- Control Connection of Mobile Devices
- Encrypt CUI on Mobile Devices
- Limit Access to Permitted Transactions and Functions
- Control Connections to External Systems
- Limit Portable Storage on External Systems
- Control CUI on Publicly Accessible Systems
- Control the Flow of CUI
- Separate Duties of Individuals
- Employ the Principle of Least Privilege
- Use Non-Privileged Accounts for Nonsecurity Functions
- Restrict and Audit Privileged Functions
- Limit Unsuccessful Logon Attempts
- Provide Privacy and Security Notices
- Limit Physical Access
- Protect and Monitor the Facility
- Escort and Monitor Visitors
- Maintain Physical Access Logs
- Control Physical Access Devices
- Safeguard CUI at Alternate Work Sites
- Periodically Assess Risk
- Scan for Vulnerabilities
- Remediate Vulnerabilities by Risk
- Periodically Assess Security Controls
- Develop Plans of Action (POA&M)
- Continuously Monitor Controls
- Maintain a System Security Plan
- Protect Communications at Boundaries
- Manage Cryptographic Keys
- Use FIPS-Validated Cryptography
- Control Collaborative Computing Devices
- Control Mobile Code
- Control VoIP
- Protect Authenticity of Sessions
- Protect Confidentiality of CUI at Rest
- Use Secure Engineering Principles
- Separate User and Management Functions
- Prevent Information Transfer via Shared Resources
- Implement DMZ Subnetworks
- Deny by Default at Boundaries
- Prevent Split Tunneling
- Encrypt CUI in Transmission
- Terminate Network Connections
- Identify, Report, and Correct Flaws in a Timely Manner
- Provide Malicious Code Protection
- Monitor Security Alerts and Advisories
- Update Malicious Code Protection
- Perform Periodic and Real-Time Scans
- Monitor Systems for Attacks
- Identify Unauthorized Use
- Provide Security Awareness
- Train Personnel for Their Security Duties
- Train on Insider Threat Indicators
- Create and Retain Audit Logs
- Ensure Actions Are Traceable to Users
- Review and Update Logged Events
- Alert on Audit Logging Failure
- Correlate Audit Review and Analysis
- Provide Audit Reduction and Reporting
- Synchronize System Clocks
- Protect Audit Information and Tools
- Limit Management of Audit Functionality
- Establish Baseline Configurations and Inventory
- Enforce Security Configuration Settings
- Track and Approve Changes
- Analyze Security Impact of Changes
- Restrict Access for Changes
- Employ Least Functionality
- Restrict Nonessential Programs and Services
- Apply Allow/Deny Software Policy
- Control User-Installed Software
- Identify Users, Processes, and Devices
- Protect Stored and Transmitted Passwords
- Obscure Authentication Feedback
- Authenticate Users, Processes, and Devices
- Use Multifactor Authentication
- Use Replay-Resistant Authentication
- Prevent Reuse of Identifiers
- Disable Inactive Identifiers
- Enforce Password Complexity
- Prohibit Password Reuse
- Require Immediate Change of Temporary Passwords
- Establish an Incident-Handling Capability
- Track and Report Incidents
- Test Incident Response
- Perform System Maintenance
- Control Maintenance Tools and Personnel
- Sanitize Equipment Removed for Maintenance
- Check Maintenance Media for Malicious Code
- Require MFA for Nonlocal Maintenance
- Supervise Unauthorized Maintenance Personnel
- Protect System Media Containing CUI
- Limit Access to CUI on Media
- Sanitize or Destroy Media Before Disposal
- Mark Media with CUI Markings
- Account for Media During Transport
- Encrypt CUI on Media in Transport
- Control Use of Removable Media
- Prohibit Media with No Identifiable Owner
- Protect Confidentiality of Backups
- Screen Individuals Before Access
- Protect CUI During Personnel Actions
- Obtain and Maintain CMMC Certification at the Required Level
- Protect Bank Secrecy Act / FinCEN Information
- Protect Critical Energy/Electric Infrastructure Information
- Protect Criminal History Records Information
- Protect Controlled Technical Information
- Protect Chemical-Terrorism Vulnerability Information
- Decontrol CUI When Safeguarding Is No Longer Required
- Destroy CUI Using Approved Methods
- Apply Limited Dissemination Controls and Lawful Government Purpose
- Comply With Export Controls for CUI (EAR/ITAR)
- Use FedRAMP-Authorized Cloud for CUI (DoD: FedRAMP-Moderate Equivalent)
- Protect Student Records
- Flow Down CUI Safeguarding Requirements to Subcontractors
- Protect Health Information CUI
- Identify and Categorize CUI Using the CUI Registry
- Report Loss or Compromise of CUI
- Apply CUI Markings (Banner, Portion, Category, and Limited Dissemination)
- Protect CUI on Nonfederal Systems per NIST SP 800-171
- Apply Enhanced Safeguards for High-Value CUI (APT)
- Protect Protected Critical Infrastructure Information
- Protect Proprietary Business Information / Trade Secrets
- Protect Privacy CUI and Sensitive PII
- Safeguard CUI at the 32 CFR 2002 Baseline
- Protect Nuclear Safeguards Information
- Apply Category-Specific (CUI Specified) Handling Controls
- Protect Source Selection and Procurement-Sensitive Information
- Protect Sensitive Security Information
- Protect Federal Taxpayer Information
- Provide CUI Awareness Training to the Workforce
- Protect Unclassified Controlled Nuclear Information
- Protect Water-System Risk and Resilience Assessments
- Obtain Consent & Protect Biometric Identifiers
- Protect State-Regulated Medical & Health Information
- Meet State Insurance Data-Security Requirements
- Honor State Consumer-Privacy Rights & Duties
- Maintain Reasonable Security Safeguards & Secure Data Disposal