AC.L2-3.1.2
AC.L2-3.1.2: Transaction & Function Control
Limit system access to the types of transactions and functions that authorized users are permitted to execute, so each user can do only what their job function requires.
AC.L2-3.1.7
AC.L2-3.1.7: Privileged Functions
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.L2-3.1.8
AC.L2-3.1.8: Unsuccessful Logon Attempts
Limit unsuccessful logon attempts to protect against brute-force password attacks.
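The lockout logic that AC.L2-3.1.8 asks for, as an added worked example that is not code from the page or from any CMMC guide: a per-account sliding-window failure counter replayed over constructed sshd-style log lines. The threshold (5 failures in 15 minutes), the 30-minute lockout, the log format, the usernames and the addresses are all assumptions chosen for illustration; the practice itself leaves the numbers to the organization.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; CMMC/NIST SP 800-171 leave the
# numbers to the organization.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)

# Constructed sshd-style lines, not data from any real host.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 5001 ssh2
2024-03-01T10:00:03 sshd[102]: Failed password for alice from 203.0.113.5 port 5002 ssh2
2024-03-01T10:00:05 sshd[103]: Failed password for alice from 203.0.113.5 port 5003 ssh2
2024-03-01T10:00:07 sshd[104]: Failed password for alice from 203.0.113.5 port 5004 ssh2
2024-03-01T10:00:09 sshd[105]: Failed password for alice from 203.0.113.5 port 5005 ssh2
2024-03-01T10:00:11 sshd[106]: Accepted password for alice from 203.0.113.5 port 5006 ssh2
2024-03-01T10:00:20 sshd[107]: Failed password for bob from 198.51.100.7 port 6001 ssh2
2024-03-01T10:20:00 sshd[108]: Failed password for bob from 198.51.100.7 port 6002 ssh2
2024-03-01T10:31:00 sshd[109]: Accepted password for alice from 192.0.2.9 port 7001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


class LockoutTracker:
    """Per-account sliding-window lockout.

    A lock takes effect after `max_failures` failed attempts inside `window`
    and lasts `lockout`. While locked, even a correct password is rejected,
    which is what stops an attacker who guesses right on the next try.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, now, user, success):
        """Apply one authentication event; return the decision for it."""
        if self.is_locked(user, now):
            return "rejected-locked"
        if success:
            self.failures[user].clear()     # a successful logon resets the counter
            return "allowed"
        q = self.failures[user]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


def replay(log_text, tracker=None):
    """Run every parsable line through the tracker; return (user, decision) pairs."""
    tracker = tracker or LockoutTracker()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.fromisoformat(m["ts"])
        decision = tracker.record(ts, m["user"], m["result"] == "Accepted")
        decisions.append((m["user"], decision))
    return decisions


if __name__ == "__main__":
    for user, decision in replay(SAMPLE_LOG):
        print(f"{user:6} {decision}")
```

In the replay, alice's sixth attempt is rejected even though the password is accepted, because the account is already locked; bob never locks, because his first failure has aged out of the window by the time the second arrives; alice logs in normally once the lock has expired. Keying the lock on the account means anyone who knows a username can lock it out, so in practice this is paired with per-source throttling, and each "locked" decision is written to the audit log so the event is traceable.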
AC.L2-3.1.9
AC.L2-3.1.9: Privacy and Security Notices
Provide privacy and security notices consistent with applicable CUI rules before granting access to the system.
AC.L2-3.1.10
AC.L2-3.1.10: Session Lock
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.L2-3.1.11
AC.L2-3.1.11: Session Termination
Automatically terminate user sessions after a defined condition, such as a period of inactivity or a maximum session length, so that abandoned sessions cannot be reused; this goes beyond session lock, which only hides the screen.
AC.L2-3.1.13
AC.L2-3.1.13: Remote Access Confidentiality
Employ cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC.L2-3.1.14
AC.L2-3.1.14: Remote Access Routing
Route remote access sessions through managed access control points and apply restrictions before reaching CUI systems.
AC.L2-3.1.16
AC.L2-3.1.16: Wireless Access Authorization
Authorize wireless access prior to allowing connections, and explain how you control who gets on your network.
AC.L2-3.1.17
AC.L2-3.1.17: Wireless Access Protection
Protect wireless access using authentication and encryption, and demonstrate that your wireless network actually requires both.
AC.L2-3.1.18
Mobile Device Access to CUI Systems: AC.L2-3.1.18 Guide
Control the connection of mobile devices to your systems, and demonstrate that you know which mobile devices can access what.
AC.L2-3.1.19
AC.L2-3.1.19: Encrypt CUI on Mobile Devices
Encrypt CUI stored on mobile devices and mobile computing platforms, and prove that encryption is actually enforced.
AC.L2-3.1.21
AC.L2-3.1.21: Portable Storage Use
Limit the use of portable storage devices on external systems, and explain how you prevent data leakage via USB, SD cards, and other removable media.
AC.L2-3.1.22
AC.L2-3.1.22: Control Public Information
Control information posted on publicly accessible systems, and explain how you prevent CUI from being exposed.
AT.L2-3.2.1
AT.L2-3.2.1: Security Awareness Training
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
AT.L2-3.2.2
AT.L2-3.2.2: Role-Based Training
Personnel with security duties receive training specific to their assigned information security responsibilities.
AU.L2-3.3.2
AU.L2-3.3.2: User Accountability
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
CM.L2-3.4.1
Baseline Configs and System Inventory: CM.L2-3.4.1 Guide
Document and maintain the approved state of every system and keep an inventory of everything connected to your network.
CM.L2-3.4.2
CM.L2-3.4.2: Security Configuration Enforcement
Establish and enforce security configuration settings for information technology products employed in organizational systems.
IA.L2-3.5.2
MFA, Passwords, and Device Auth: IA.L2-3.5.2 Guide
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IR.L2-3.6.2
IR.L2-3.6.2: Incident Reporting
Track, document, and report incidents to designated internal officials and to external authorities as required.
MA.L2-3.7.1
MA.L2-3.7.1: System Maintenance
Perform maintenance on organizational systems.
PE.L2-3.10.1
PE.L2-3.10.1: Limit Physical Access
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
PE.L2-3.10.2
PE.L2-3.10.2: Monitor Physical Facility
Maintain surveillance and environmental controls over your physical facility.
RA.L2-3.11.1
RA.L2-3.11.1: Risk Assessments
Periodically assess the risk to organizational operations, assets, and individuals arising from the operation of organizational systems that process, store, or transmit CUI.
SC.L2-3.13.2
SC.L2-3.13.2: Security Engineering Principles
Build security into your systems from the start, not as an afterthought.
SC.L2-3.13.8
SC.L2-3.13.8: CUI in Transit
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.
SI.L2-3.14.1
SI.L2-3.14.1: Flaw Remediation
Identify, report, and correct system flaws in a timely manner.
SI.L2-3.14.2
SI.L2-3.14.2: Malicious Code Protection
Provide protection from malicious code at designated locations within organizational systems.