Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

Control the flow of CUI in accordance with approved authorizations.

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Use non-privileged accounts or roles when accessing nonsecurity functions

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Limit unsuccessful logon attempts.

Provide privacy and security notices consistent with applicable CUI rules.

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity

Terminate (automatically) a user session after a defined condition.

Monitor and control remote access sessions.

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Route remote access via managed access control points.

Authorize remote execution of privileged commands and remote access to security-relevant information.

Authorize wireless access prior to allowing such connections

Protect wireless access using authentication and encryption

Control connection of mobile devices.

Encrypt CUI on mobile devices and mobile computing platforms.[23]

Verify and control/limit connections to and use of external systems.

Limit use of portable storage devices on external systems.

Control CUI posted or processed on publicly accessible systems.

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

Provide security awareness training on recognizing and reporting potential indicators of insider threat.