Obligation
Safeguarding
81 items across the GovConCyber reference layer carry this topic.
Requirements
- Limit Physical Access
- Protect and Monitor the Facility
- Escort and Monitor Visitors
- Maintain Physical Access Logs
- Control Physical Access Devices
- Safeguard CUI at Alternate Work Sites
- Protect Communications at Boundaries
- Manage Cryptographic Keys
- Use FIPS-Validated Cryptography
- Control Collaborative Computing Devices
- Control Mobile Code
- Control VoIP
- Protect Authenticity of Sessions
- Protect Confidentiality of CUI at Rest
- Use Secure Engineering Principles
- Separate User and Management Functions
- Prevent Information Transfer via Shared Resources
- Implement DMZ Subnetworks
- Deny by Default at Boundaries
- Prevent Split Tunneling
- Encrypt CUI in Transmission
- Terminate Network Connections
- Establish Baseline Configurations and Inventory
- Enforce Security Configuration Settings
- Track and Approve Changes
- Analyze Security Impact of Changes
- Restrict Access for Changes
- Employ Least Functionality
- Restrict Nonessential Programs and Services
- Apply Allow/Deny Software Policy
- Control User-Installed Software
- Perform System Maintenance
- Control Maintenance Tools and Personnel
- Sanitize Equipment Removed for Maintenance
- Check Maintenance Media for Malicious Code
- Require MFA for Nonlocal Maintenance
- Supervise Unauthorized Maintenance Personnel
- Safeguard Criminal Justice Information (CJIS Security Policy)
- Protect Bank Secrecy Act / FinCEN Information
- Protect Critical Energy/Electric Infrastructure Information
- Protect Criminal History Records Information
- Protect Controlled Technical Information
- Protect Chemical-Terrorism Vulnerability Information
- Decontrol CUI When Safeguarding Is No Longer Required
- Destroy CUI Using Approved Methods
- Apply Limited Dissemination Controls and Lawful Government Purpose
- Comply With Export Controls for CUI (EAR/ITAR)
- Protect Student Records
- Flow Down CUI Safeguarding Requirements to Subcontractors
- Protect Health Information CUI
- Identify and Categorize CUI Using the CUI Registry
- Apply CUI Markings (Banner, Portion, Category, and Limited Dissemination)
- Protect CUI on Nonfederal Systems per NIST SP 800-171
- Apply Enhanced Safeguards for High-Value CUI (APT)
- Protect Protected Critical Infrastructure Information
- Protect Proprietary Business Information / Trade Secrets
- Protect Privacy CUI and Sensitive PII
- Safeguard CUI at the 32 CFR 2002 Baseline
- Protect Nuclear Safeguards Information
- Apply Category-Specific (CUI Specified) Handling Controls
- Protect Source Selection and Procurement-Sensitive Information
- Protect Sensitive Security Information
- Protect Federal Taxpayer Information
- Provide CUI Awareness Training to the Workforce
- Protect Unclassified Controlled Nuclear Information
- Protect Water-System Risk and Resilience Assessments
- Address EU Cybersecurity Act Certification
- Implement GDPR Article 32 Security of Processing
- Maintain a GLBA Safeguards-Rule Information Security Program
- Implement HIPAA Security Rule Safeguards for ePHI
- Meet the Federal IoT Device Cybersecurity Baseline
- Safeguard Federal Tax Information (IRS Pub 1075)
- Meet NERC CIP Controls for Bulk Electric System Assets
- Protect the Cardholder Data Environment (PCI DSS)
- Meet PIPL Security and Cross-Border Transfer Duties
- Obtain Consent & Protect Biometric Identifiers
- Protect State-Regulated Medical & Health Information
- Meet State Insurance Data-Security Requirements
- Honor State Consumer-Privacy Rights & Duties
- Maintain Reasonable Security Safeguards & Secure Data Disposal
- Operate a Vulnerability Disclosure Capability