| ID | Security Requirement | Type |
|---|---|---|
| 3.5.8 | Prohibit password reuse for a specified number of generations | Derived |
| 3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password | Derived |
| 3.5.10 | Store and transmit only cryptographically-protected passwords | Derived |
| 3.5.11 | Obscure feedback of authentication information | Derived |
| 3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities | Base |
| 3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization | Base |
| 3.6.3 | Test the organizational incident response capability | Derived |
| 3.7.1 | Perform maintenance on organizational systems | Base |
| 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance | Base |
| 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI | Derived |
| 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems | Derived |
| 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete | Derived |
| 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization | Derived |
| 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital | Base |
| 3.8.2 | Limit access to CUI on system media to authorized users | Base |
| 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse | Base |
| 3.8.4 | Mark media with necessary CUI markings and distribution limitations | Derived |
| 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas | Derived |
| 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards | Derived |
| 3.8.7 | Control the use of removable media on system components | Derived |
| 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner | Derived |
| 3.8.9 | Protect the confidentiality of backup CUI at storage locations | Derived |
| 3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI | Base |
| 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Base |
| 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals | Base |
| 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems | Base |
| 3.10.3 | Escort visitors and monitor visitor activity | Derived |
| 3.10.4 | Maintain audit logs of physical access | Derived |
| 3.10.5 | Control and manage physical access devices | Derived |
| 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites | Derived |
| 3.11.1 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI | Base |
| 3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified | Derived |
| 3.11.3 | Remediate vulnerabilities in accordance with risk assessments | Derived |
| 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application | Base |
| 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems | Base |
| 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls | Base |
| 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems | Base |
| 3.13.1 | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems | Base |
| 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems | Base |
| 3.13.3 | Separate user functionality from system management functionality | Derived |
| 3.13.4 | Prevent unauthorized and unintended information transfer via shared system resources | Derived |
| 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | Derived |
| 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception) | Derived |
| 3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling) | Derived |
| 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards | Derived |
| 3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity | Derived |
| 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | Derived |
| 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | Derived |
| 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | Derived |
| 3.13.13 | Control and monitor the use of mobile code | Derived |