All controls from the previous level, with the addition of items such as content filtering on firewalls and applications, separation of duties, limiting the use of portable storage devices, and ensuring that any portable device storing CUI is encrypted.
Awareness and Training (AT)
This domain ensures that privileged users are informed of the security risks associated with elevated permissions and how to use them properly.
It also provides role-based security training to personnel performing cybersecurity functions, and insider-threat awareness training and reporting procedures to all personnel.
Audit and Accountability (AU)
Establish a secure logging configuration that retains adequate logs to support monitoring, follows logging best practices, allows actions to be traced to individual user accounts, and includes periodic review and updating of the set of logged events so the logs remain useful for management and investigation.
Configuration Management (CM)
Details the steps to establish and maintain security baselines, enforce security impact analysis before changes, and prevent the unauthorized installation and use of software through secure configurations.
Identification and Authentication (IA)
All controls from the previous level, with the addition of items such as verifying the identities of users, processes, and devices before granting access to information systems, and storing and transmitting passwords only in cryptographically protected form using FIPS 140-2 validated cryptography.
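The password-protection item above is the one place in this domain a practitioner usually has to write code rather than policy. The following is an added example, not code from the original page or from CMMC/NIST: it stores a password as a salted PBKDF2-HMAC-SHA256 verifier (a NIST SP 800-132 construction) and checks candidates in constant time, so the password itself is never stored or transmitted in the clear. Whether the result counts as "FIPS 140-2 validated" depends on the underlying cryptographic module (for example, an OpenSSL build with a validated FIPS provider) that Python's `hashlib` is linked against; the code itself cannot guarantee that, and the iteration count, salt size, and verifier format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not values from the page):
# PBKDF2-HMAC-SHA256 per NIST SP 800-132, iteration count per current OWASP guidance.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, *, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn from the OS CSPRNG unless one is supplied
    (supplying one is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in constant time.

    Any malformed or foreign-format verifier is rejected rather than raising,
    so a corrupted record cannot turn into a bypass or a crash.
    """
    try:
        algorithm, iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the verifier uses an old algorithm or a weaker iteration count.

    Call this after a successful login and re-hash with the current parameters,
    which is how a password store is migrated without forcing resets.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Demonstration on a constructed password (not a real credential).
    record = hash_password("correct horse battery staple")
    print("stored verifier:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

Note that the verifier string carries its own algorithm and iteration count, so the organization can raise the work factor later and `needs_rehash` will flag old records for transparent upgrade at next login.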
Incident Response (IR)
Involves building and deploying an incident response team capable of monitoring, detecting, analyzing, and reporting cybersecurity events and incidents.
Maintenance (MA)
Controls the tools, processes, and personnel used to conduct maintenance; sanitizes and verifies equipment before it is moved offsite; and scans diagnostic media and programs for malicious code before they are connected to internal information systems.
Media Protection (MP)
Involves proper handling of CUI, such as marking system media containing CUI and limiting access to it to authorized personnel only, enforcing encryption of all media containing CUI, and maintaining accountability for the media's location and custodian at all times.
Personnel Security (PS)
Screen and perform background checks on individuals before authorizing their access to information systems containing CUI, and ensure that CUI remains protected during and after personnel actions such as terminations and transfers.
Physical Protection (PE)
All controls from the previous level, with the addition of items such as protecting and monitoring the physical facilities and supporting infrastructure that house information systems, and enforcing policies and procedures for handling CUI at alternate work sites.
Risk Management (RM)
Involves periodically assessing risk to organizational assets within the organization's security boundary, routinely scanning all of those assets for vulnerabilities, and remediating the findings in a timely fashion.
Security Assessment (CA)
Create a system security plan describing how each security control is, or will be, met; perform control assessments at least annually or whenever a major change is made to the information system; and develop, assign, monitor, and close out plans of action and milestones (POA&Ms) for any deficiencies found.
System and Communications Protection (SC)
All controls from the previous level, with the addition of items such as deploying a secure architecture built on security engineering principles, and ensuring that CUI is protected with FIPS-validated cryptography both in transit and at rest.
System and Information Integrity (SI)
All controls from the previous level, with the addition of items such as monitoring organizational assets (e.g., network traffic, cloud logs, host logs, and user and application logs) to identify unauthorized use of any asset.