Access Control

Limit system access to authorized users, processes acting on behalf of authorized users, and devices, and explain how you prove it.

Limit user actions to only what their job function requires

Prevent CUI from moving to unauthorized systems, users, or locations

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Require privileged users to use non-privileged accounts or roles when accessing nonsecurity functions.

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Limit unsuccessful logon attempts to protect against brute-force password attacks.

Provide privacy and security notices consistent with applicable CUI rules before granting access to the system.

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Lock sessions after a defined inactivity period to prevent unattended access to active user accounts.

Monitor and control all remote access sessions to systems handling CUI with an auditable log trail.

Employ cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Route remote access sessions through managed access control points and apply restrictions before reaching CUI systems.

Authorize remote execution of privileged commands through defined approval processes and maintain detailed audit trails.

Authorize wireless access prior to allowing connections, and explain how you control who gets on your network.

Protect wireless access using authentication and encryption, and demonstrate that your wireless network actually requires both.

Control the connection of mobile devices to your systems, and demonstrate that you know which mobile devices can access what.

Encrypt CUI stored on mobile devices and mobile computing platforms, and prove that encryption is actually enforced.

Verify and control connections to external information systems, and explain how you prevent unauthorized data flow.

Limit the use of portable storage devices on external systems, and explain how you prevent data leakage via USB, SD cards, and other removable media.

Control information posted on publicly accessible systems, and explain how you prevent CUI from being exposed.