Obligation
Access control
35 items across the GovConCyber reference layer carry this topic.
Requirements
- Limit System Access to Authorized Users
- Use Session Lock
- Terminate Sessions
- Monitor and Control Remote Access
- Protect Remote Access with Cryptography
- Route Remote Access Through Managed Control Points
- Authorize Remote Privileged Access
- Authorize Wireless Access
- Protect Wireless Access
- Control Connection of Mobile Devices
- Encrypt CUI on Mobile Devices
- Limit Access to Permitted Transactions and Functions
- Control Connections to External Systems
- Limit Portable Storage on External Systems
- Control CUI on Publicly Accessible Systems
- Control the Flow of CUI
- Separate Duties of Individuals
- Employ the Principle of Least Privilege
- Use Non-Privileged Accounts for Nonsecurity Functions
- Restrict and Audit Privileged Functions
- Limit Unsuccessful Logon Attempts
- Provide Privacy and Security Notices
- Identify Users, Processes, and Devices
- Protect Stored and Transmitted Passwords
- Obscure Authentication Feedback
- Authenticate Users, Processes, and Devices
- Use Multifactor Authentication
- Use Replay-Resistant Authentication
- Prevent Reuse of Identifiers
- Disable Inactive Identifiers
- Enforce Password Complexity
- Prohibit Password Reuse
- Require Immediate Change of Temporary Passwords
- Screen Individuals Before Access
- Protect CUI During Personnel Actions