Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. Protect and monitor the physical facility and support infrastructure for those information systems.
All controls in the auditing and accountability domain.
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Prevent reuse of identifiers for a defined period. Disable identifiers after a defined period of inactivity. Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.