AC.L2-3.1.1
Who Has Access to CUI? How to Pass AC.L2-3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices, and explain how you prove it.
AC.L2-3.1.3
AC.L2-3.1.3: Control CUI Flow
Prevent CUI from moving to unauthorized systems, users, or locations.
AC.L2-3.1.4
Separation of Duties for Small Contractors: AC.L2-3.1.4 Guide
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.5
AC.L2-3.1.5: Least Privilege
Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.L2-3.1.6
AC.L2-3.1.6: Non-Privileged Account Use
Require privileged users to use non-privileged accounts or roles when accessing nonsecurity functions.
AC.L2-3.1.12
AC.L2-3.1.12: Control Remote Access
Monitor and control all remote access sessions to systems handling CUI with an auditable log trail.
AC.L2-3.1.15
AC.L2-3.1.15: Privileged Remote Access
Authorize remote execution of privileged commands through defined approval processes and maintain detailed audit trails.
AC.L2-3.1.20
AC.L2-3.1.20: External Connections
Verify and control connections to external information systems, and explain how you prevent unauthorized data flow.
AU.L2-3.3.1
AU.L2-3.3.1: System Auditing
Create and retain system audit logs and records to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
IR.L2-3.6.1
IR.L2-3.6.1: Incident Handling
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
CA.L2-3.12.4
Writing Your SSP: System Security Plan Guide (CA.L2-3.12.4)
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
SC.L2-3.13.1
SC.L2-3.13.1: Boundary Protection
Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems.