| Control | Requirement | Type |
|---|---|---|
| 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) | Base |
| 3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute | Base |
| 3.1.3 | Control the flow of CUI in accordance with approved authorizations | Derived |
| 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion | Derived |
| 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts | Derived |
| 3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions | Derived |
| 3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs | Derived |
| 3.1.8 | Limit unsuccessful logon attempts | Derived |
| 3.1.9 | Provide privacy and security notices consistent with applicable CUI rules | Derived |
| 3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity | Derived |
| 3.1.11 | Terminate (automatically) a user session after a defined condition | Derived |
| 3.1.12 | Monitor and control remote access sessions | Derived |
| 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions | Derived |
| 3.1.14 | Route remote access via managed access control points | Derived |
| 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information | Derived |
| 3.1.16 | Authorize wireless access prior to allowing such connections | Derived |
| 3.1.17 | Protect wireless access using authentication and encryption | Derived |
| 3.1.18 | Control connection of mobile devices | Derived |
| 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms | Derived |
| 3.1.20 | Verify and control/limit connections to and use of external systems | Derived |
| 3.1.21 | Limit use of portable storage devices on external systems | Derived |
| 3.1.22 | Control CUI posted or processed on publicly accessible systems | Derived |
| 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems | Base |
| 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities | Base |
| 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat | Derived |
| 3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity | Base |
| 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions | Base |
| 3.3.3 | Review and update logged events | Derived |
| 3.3.4 | Alert in the event of an audit logging process failure | Derived |
| 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity | Derived |
| 3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting | Derived |
| 3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records | Derived |
| 3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion | Derived |
| 3.3.9 | Limit management of audit logging functionality to a subset of privileged users | Derived |
| 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles | Base |
| 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems | Base |
| 3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems | Derived |
| 3.4.4 | Analyze the security impact of changes prior to implementation | Derived |
| 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems | Derived |
| 3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities | Derived |
| 3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services | Derived |
| 3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software | Derived |
| 3.4.9 | Control and monitor user-installed software | Derived |
| 3.5.1 | Identify system users, processes acting on behalf of users, and devices | Base |
| 3.5.2 | Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems | Base |
| 3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts | Derived |
| 3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts | Derived |
| 3.5.5 | Prevent reuse of identifiers for a defined period | Derived |
| 3.5.6 | Disable identifiers after a defined period of inactivity | Derived |
| 3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created | Derived |