Level 1 and 2 task list
Access control (AC)
Lvl1
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
3. Verify and control/limit connections to and use of external information systems
4. Control information posted or processed on publicly accessible information systems
Lvl2
5. Communicate security details to users when dealing with CUI (Controlled Unclassified Information)
6. Control which storage devices are used and limit portable mediums
7. Give users only the privileges necessary to complete a designated task
8. Use privileged accounts only when necessary
9. Allow only a set number of login attempts for user accounts
10. Lock user sessions when inactive for a certain amount of time
11. Remote connections are validated before they are allowed
12. Remote connections are monitored in a controlled environment
13. Remote connections are routed to managed nodes
14. CUI (Controlled Unclassified Information) is used according to established guidelines
Identification and Authentication (IA)
Lvl1
15. Identify information system users, processes acting on behalf of users, or devices
16. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
Lvl2
17. Have minimum password requirements and require new passwords to be different than previous ones
18. Restrict passwords from being the same for a set number of changes
19. Allow users to log in with a temporary password before requiring a permanent change
20. Use cryptography to protect passwords during storage or transmission
21. Authentication information (such as typed passwords) is obscured as it is entered
Media Protection (MP)
Lvl1
22. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse
Lvl2
23. Physical and digital media containing CUI are secured and properly stored
24. Only authorized users have access to media containing CUI
25. Limit the use of removable drives to authorized equipment
System and Communications Protection (SC)
Lvl1
26. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
27. Implement sub-networks for publicly accessible system components that are physically or logically separated from internal networks
Lvl2
28. Restrict access to collaborative computing systems so that only those physically present are authorized
29. Protect network devices with encrypted sessions
System and Information Integrity (SI)
Lvl1
30. Identify, report, and correct information and information system flaws in a timely manner
31. Provide protection from malicious code at appropriate locations within organizational information systems
32. Update malicious code protection mechanisms when new releases are available
33. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
Lvl2
34. Respond to security events and alerts by taking the necessary actions
35. Assess network communications in real-time for ongoing threats or attacks
36. Discover unauthorized users and purge them from the system
Only in level 1
Physical Protection (PP)
Lvl1
37. Limit physical access to organization information systems, equipment, and the respective operating environments to authorized individuals
38. Escort visitors and monitor visitor activity
39. Maintain audit logs of physical access devices
40. Control and manage physical access devices
Only in level 2
Audit and Accountability (AU)
41. Create individual identifiers for each user so activity can be tracked
42. Maintain records of network activity in case of unlawful use or access of material
43. Sync internal clocks with a controlled source for accurate timestamps
44. Continuously monitor and audit logs for common errors
Awareness and Training (AT)
45. All stakeholders know existing risks associated with their roles and understand best practices for dealing with them
46. All stakeholders have received the proper training in IT security practices associated with their position
Configuration Management (CM)
47. Have a clear picture of existing assets and system configurations throughout the development process
48. Internal systems offer only the needed functionality to users
49. User-level applications and software are tightly controlled
50. Use a strict security policy for essential IT assets
51. Control the approval process for changes made to all internal systems
52. Understand the implications of policy changes before they are carried out
Incident Response (IR)
53. Be prepared to respond to incidents with well-defined management capabilities
54. Actively detect incidents and report them
55. Resolve incidents with real-time monitoring and detection strategies
56. Outline procedures that will be used for specific incidents
57. Assess the underlying cause of incidents and target the real issue
Maintenance (MA)
58. Perform regular maintenance on systems
59. Maintain control over procedures and processes associated with system maintenance
60. Require multi-factor authentication for remote maintenance sessions and close sessions when complete
61. Maintain physical supervision over individuals who lack the necessary authorization credentials
Physical Protection (PE)
62. All essential facilities are protected and monitored to maintain the integrity of IT systems
Recovery (RE)
63. Backups are done on a regular basis and tested for validity
64. Backups remain confidential while in storage
Risk Management (RM)
65. Assess dangers posed by ongoing operations associated with CUI
66. Do ongoing scanning for potential vulnerabilities
67. Fix discovered vulnerabilities promptly according to specified rules outlined by the company
Security Assessment (CA)
68. Outline security strategies with clear boundaries that define the operational context and associated requirements
69. Regularly evaluate security management capabilities
70. Create a plan of action for finding vulnerabilities and deploying solutions