Family 3.1 · 22 requirements · The largest family
Access Control.
Who gets in. What they can do. How remote and mobile work.
The big picture
If you nail Access Control, you've handled the biggest family in the standard. If you don't, the assessor will find most of their findings here.
How many of these 22 your cloud platform contributes to varies — see what your cloud handles vs what you own for the per-platform breakdown.
Who and what.
3.1.1 — 3.1.7 · Who has access, what they can do, least privilege, separation of duties, and logging admin work.
- 3.1.1 Who Gets In. AC.L1-3.1.1 · Authorized Access Control. Only approved people and devices touch your systems. No exceptions.
- 3.1.2 What They Can Do. AC.L1-3.1.2 · Transaction & Function Control. Users only do what their role allows. Nothing more.
- 3.1.3 Where CUI Can Flow. AC.L2-3.1.3 · Control CUI Flow. CUI only moves between approved systems. Everything else is blocked.
- 3.1.4 No One Person Runs the Show. AC.L2-3.1.4 · Separation of Duties. Split critical duties so fraud requires two people conspiring.
- 3.1.5 Minimum Necessary. AC.L2-3.1.5 · Least Privilege. Give people the least access they need. Not a byte more.
- 3.1.6 Two Hats, Two Accounts. AC.L2-3.1.6 · Non-Privileged Account Use. Admins use their regular account for everyday work. The admin account is only for admin tasks.
- 3.1.7 Log the Admin Work. AC.L2-3.1.7 · Privileged Functions. Standard users can't run admin commands. When admin commands run, they're logged.
Session controls.
3.1.8 — 3.1.11 · Locking out failed logins, login banners, auto-lock, and session termination.
- 3.1.8 Lock After Failed Logins. AC.L2-3.1.8 · Unsuccessful Logon Attempts. Three strikes and the account locks. Blocks brute-force attacks.
- 3.1.9 The Warning Banner. AC.L2-3.1.9 · Privacy & Security Notices. Show a legal notice at login. Users acknowledge before they get in.
- 3.1.10 Lock the Screen. AC.L2-3.1.10 · Session Lock. Screens lock automatically after inactivity. The lock screen shows nothing sensitive.
- 3.1.11 End the Session. AC.L2-3.1.11 · Session Termination. Sessions terminate automatically. Users can't stay logged in forever.
Remote access.
3.1.12 — 3.1.15 · Monitoring remote connections, encrypting them, routing through managed gateways, controlling remote admin.
- 3.1.12 Eyes on Remote Access. AC.L2-3.1.12 · Control Remote Access. Track who connects remotely, from where, and what they do. Kill sessions if needed.
- 3.1.13 Encrypt Remote Sessions. AC.L2-3.1.13 · Remote Access Confidentiality. Every remote connection is encrypted. No exceptions. FIPS-validated.
- 3.1.14 One Front Door. AC.L2-3.1.14 · Remote Access Routing. All remote access goes through a managed gateway. No back doors.
- 3.1.15 Admin Commands Over the Wire. AC.L2-3.1.15 · Privileged Remote Access. Not all admin tasks should be allowed remotely. Define and limit which ones.
Wireless & mobile.
3.1.16 — 3.1.19 · Authorising wireless, encrypting it, managing mobile devices, encrypting CUI on portable devices.
- 3.1.16 Wi-Fi Approval First. AC.L2-3.1.16 · Wireless Access Authorization. Devices need approval before connecting to wireless. No open networks.
- 3.1.17 Lock Down the Wi-Fi. AC.L2-3.1.17 · Wireless Access Protection. Wireless uses strong authentication and FIPS-validated encryption.
- 3.1.18 Mobile Device Control. AC.L2-3.1.18 · Mobile Device Connection. Every phone and tablet that touches CUI is registered, managed, and monitored.
- 3.1.19 Encrypt CUI on Mobile. AC.L2-3.1.19 · Encrypt CUI on Mobile. Any CUI on a laptop, phone, or tablet is encrypted. Lost device = no data breach.
External & media.
3.1.20 — 3.1.22 · Controlling connections to outside systems, USB drives, and keeping CUI off public systems.
- 3.1.20 Control Outside Connections. AC.L1-3.1.20 · External Connections. Every connection between your CUI environment and the outside world is documented and controlled.
- 3.1.21 USB Drives Under Control. AC.L2-3.1.21 · Portable Storage Use. Company-owned, encrypted USB drives only. Personal drives blocked.
- 3.1.22 Keep CUI Off Public Systems. AC.L1-3.1.22 · Control Public Information. CUI never appears on websites, public portals, or anything publicly accessible.