3.1

ACCESS CONTROL

3.1.1e

Employ dual authorization to execute critical or sensitive system and organizational operations.

3.1.2e

Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

3.1.3e

Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.

3.2

AWARENESS AND TRAINING

3.2.1e

Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.

3.2.2e

Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

3.3

AUDIT AND ACCOUNTABILITY

3.4

CONFIGURATION MANAGEMENT

3.4.1e

Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.

3.4.2e

Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components; remove the components or place the components in a quarantine or remediation network that allows for patching, re-configuration, or other mitigations.

3.4.3e

Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

3.5

IDENTIFICATION AND AUTHENTICATION

3.5.1e

Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.

3.5.2e

Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.

3.5.3e

Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

3.6

INCIDENT RESPONSE

3.6.1e

Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].

3.6.2e

Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].

3.7

MAINTENANCE

3.8

MEDIA PROTECTION

3.9

PERSONNEL SECURITY

3.9.1e

Conduct [Assignment: organization-defined enhanced personnel screening] for individuals and reassess individual positions and access on an ongoing basis.

3.9.2e

Ensure that organizational systems are protected if adverse information develops about individuals with access to CUI.

3.10

PHYSICAL PROTECTION

3.11

RISK ASSESSMENT

3.11.1e

Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

3.11.2e

Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.

3.11.3e

Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems, and system components.

3.11.4e

Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

3.11.5e

Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

3.11.6e

Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

3.11.7e

Develop and update a plan for managing supply chain risks associated with organizational systems and system components.

3.12

SECURITY ASSESSMENT

3.12.1e

Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using human experts.

3.13

SYSTEM AND COMMUNICATIONS PROTECTION

3.13.1e

Create diversity in [Assignment: organization-defined system components] to reduce the extent of malicious code propagation.

3.13.2e

Disrupt the attack surface of organizational systems and system components.

3.13.3e

Employ technical and procedural means to confuse and mislead adversaries.

3.13.4e

Employ [Selection (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components.

3.14

SYSTEM AND INFORMATION INTEGRITY

3.14.1e

Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.

3.14.2e

Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.

3.14.3e

Ensure that [Assignment: organization-defined systems and system components] are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

3.14.4e

Refresh [Assignment: organization-defined systems and system components] from a known, trusted state [Assignment: organization-defined frequency].

3.14.5e

Conduct reviews of persistent organizational storage locations [Assignment: organization-defined frequency] and remove CUI that is no longer needed.

3.14.6e

Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.

3.14.7e

Verify the correctness of [Assignment: organization-defined security critical or essential software] using [Assignment: organization-defined verification methods or techniques].