Compliance Dashboard

Access Control

Access control ensures that only authorized users have access to information and that these users only have access to the specific information they need to perform their job functions. These requirements focus on account management, access enforcement, flow control, and separation of duties.

3.1.1 Basic
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Explanation: This requirement ensures that only authenticated and authorized entities can access your systems. Implement user authentication, role-based access controls, and device authentication mechanisms.

Implementation Tips:

  • Maintain an inventory of authorized users and devices
  • Implement centralized authentication (e.g., Active Directory, LDAP)
  • Configure firewalls to allow only authorized connections
  • Remove default/guest accounts or implement strong controls on them
3.1.2 Basic
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Explanation: Beyond just controlling who can access systems, this requirement focuses on what specific actions those users can perform once logged in. This is often called "least privilege" - users should only have the minimum permissions needed to do their jobs.

Implementation Tips:

  • Implement role-based access controls (RBAC)
  • Document required job functions and map to minimum necessary permissions
  • Regularly review user permissions to ensure they match job needs
  • Configure applications to enforce function-level restrictions
3.1.3 Basic
Control the flow of CUI in accordance with approved authorizations.

Explanation: This control requires organizations to regulate where CUI (Controlled Unclassified Information) can flow within their network and information systems, ensuring it only moves through approved channels and to authorized destinations.

Implementation Tips:

  • Implement content filtering and data loss prevention (DLP) solutions
  • Configure access control lists (ACLs) to restrict data flows
  • Segment networks and restrict traffic between segments
  • Document approved data flow authorizations in a data flow diagram
3.1.4 Basic
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Explanation: Separation of duties prevents any single individual from having complete control over critical functions or processes. This reduces the risk of fraud, sabotage, or error by requiring multiple people to complete sensitive actions.

Implementation Tips:

  • Identify critical business processes and separate key steps among different staff
  • Ensure administrators don't have end-user permissions and vice versa
  • Separate development, testing, and production environments
  • Document separation of duties in job descriptions and access control policies
3.1.5 Basic
Employ the principle of least privilege, including for specific security functions and privileged accounts.

Explanation: The principle of least privilege means giving users only the minimum level of access necessary to perform their job functions. This significantly reduces the potential damage from accidents or malicious behavior.

Implementation Tips:

  • Review all privileged accounts and ensure they're necessary
  • Use non-privileged accounts for routine activities
  • Implement time-limited elevated privileges when needed
  • Remove unnecessary software and disable unneeded services/features
3.1.6 Basic
Use non-privileged accounts or roles when accessing nonsecurity functions.

Explanation: This requirement emphasizes that users should perform routine, non-security functions using standard user accounts. Privileged accounts should only be used when performing security-related or administrative tasks that specifically require elevated privileges.

Implementation Tips:

  • Provide separate accounts for administrative and regular duties
  • Configure workstations to prevent privileged users from accessing email or browsing the web
  • Use technical controls to enforce privilege limitations
  • Maintain procedures for when and how to use privileged accounts
3.1.7 Basic
Prevent non-privileged users from executing privileged functions and audit such actions.

Explanation: This control ensures that standard users cannot perform administrative or security-critical functions. If elevated privileges are needed, this should be carefully managed and all such actions should be logged for security review.

Implementation Tips:

  • Configure access controls to prevent privilege escalation
  • Implement privilege management solutions like sudo for Unix systems
  • Use Windows UAC or similar controls for workstations
  • Set up logging and alerting for attempted privilege escalations
3.1.8 Basic
Limit unsuccessful logon attempts.

Explanation: This control helps prevent brute force password attacks by limiting the number of failed login attempts before an account is locked or additional authentication is required.

Implementation Tips:

  • Configure systems to lock accounts after 3-5 unsuccessful login attempts
  • Implement progressive delays between login attempts
  • Set automatic unlock after a defined period (e.g., 15-30 minutes)
  • Establish procedures for handling legitimate lockouts
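The lockout logic described in the tips above, as an added example that is not part of this page: a login throttle that applies a doubling delay after each failure, locks the account after a threshold, and unlocks it automatically after a fixed period. The threshold (5 failures), lockout period (15 minutes) and delay schedule are assumed values; the clock is passed in so the behaviour can be checked without waiting.

```python
"""Account lockout with progressive delay and timed auto-unlock (3.1.8).

Added example, not from the page. Thresholds are assumptions: 5 consecutive
failures lock the account for 15 minutes; before that, each failure doubles
the wait before the next attempt is accepted (1 s, 2 s, 4 s, ... up to 60 s).
"""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked
    next_allowed: float = 0.0  # earliest time another attempt is accepted


@dataclass
class LoginThrottle:
    max_failures: int = 5
    lockout_seconds: float = 15 * 60
    base_delay: float = 1.0
    max_delay: float = 60.0
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, now: float) -> str:
        """Return 'ok', 'locked' or 'delayed' for an attempt at time `now`."""
        st = self._state(user)
        if st.locked_until and now < st.locked_until:
            return "locked"
        if st.locked_until and now >= st.locked_until:
            # Timed auto-unlock: the lockout has expired, start from a clean state.
            self.accounts[user] = AccountState()
            st = self._state(user)
        if now < st.next_allowed:
            return "delayed"
        return "ok"

    def record_failure(self, user: str, now: float) -> AccountState:
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.next_allowed = st.locked_until
        else:
            # Progressive delay: base_delay * 2^(failures-1), capped at max_delay
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
            st.next_allowed = now + delay
        return st

    def record_success(self, user: str) -> None:
        # A successful logon clears the failure counter.
        self.accounts.pop(user, None)

    def is_locked(self, user: str, now: float) -> bool:
        return self.check(user, now) == "locked"

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """One logon attempt: 'success', 'failure', 'delayed' or 'locked'.

        Attempts made while delayed or locked are not evaluated at all, so a
        correct password is rejected too; that is what stops an online guess.
        """
        verdict = self.check(user, now)
        if verdict != "ok":
            return verdict
        if credentials_ok:
            self.record_success(user)
            return "success"
        self.record_failure(user, now)
        return "failure"


if __name__ == "__main__":
    t = LoginThrottle()
    for now in (0, 1, 3, 7, 15):
        print(now, t.attempt("alice", False, now))
    print("at 100s:", t.attempt("alice", True, 100))   # still locked
    print("at 915s:", t.attempt("alice", True, 915))   # auto-unlocked
```
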
3.1.9 Basic
Provide privacy and security notices consistent with applicable CUI rules.

Explanation: Users must be informed about their privacy and security responsibilities when accessing systems that contain CUI. These notices serve both as reminders of obligations and can provide legal protection.

Implementation Tips:

  • Implement login banners for all system access points
  • Develop notices that clearly explain handling requirements for CUI
  • Include statements about monitoring, authorized use, and penalties for misuse
  • Ensure banners are consistent with your organization's policies and legal requirements
3.1.10 Basic
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Explanation: This control prevents unauthorized access to systems when legitimate users are away from their workstations. After a period of inactivity, screens should be locked and any displayed information should be hidden.

Implementation Tips:

  • Configure systems to lock after 10-15 minutes of inactivity
  • Ensure screen content is not visible during lock state
  • Require re-authentication to unlock the session
  • Train users to manually lock screens when leaving workstations (e.g., Windows Key+L)
3.1.11 Basic
Terminate (automatically) a user session after a defined condition.

Explanation: Beyond just locking screens, this control requires systems to automatically end user sessions based on various conditions such as extended inactivity, time-of-day restrictions, or security risk indicators.

Implementation Tips:

  • Identify appropriate session termination conditions for your environment
  • Configure automatic logout after extended inactivity (e.g., 30-60 minutes)
  • Implement time-of-day restrictions for sensitive systems
  • Ensure applications gracefully handle session terminations to prevent data loss
3.1.12 Basic
Monitor and control remote access sessions.

Explanation: Organizations must have visibility into remote access connections to their systems and the ability to control these sessions. This includes monitoring what remote users are doing and being able to disconnect suspicious sessions.

Implementation Tips:

  • Implement secure remote access solutions (VPN, RDP with MFA, etc.)
  • Log all remote session activities
  • Use session monitoring tools for privileged remote access
  • Document procedures for monitoring and emergency session termination
3.1.13 Derived
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Explanation: Remote access connections must be encrypted to prevent interception of sensitive data in transit. This applies to all remote sessions, including administrative access, VPN connections, and web application access.

Implementation Tips:

  • Use VPN solutions with strong encryption (e.g., IPsec, SSL/TLS)
  • Configure remote desktop tools to use encryption
  • Require HTTPS for web-based administrative interfaces
  • Ensure all remote session tools use up-to-date cryptographic protocols (e.g., TLS 1.2 or higher)
3.1.14 Derived
Route remote access via managed access control points.

Explanation: All remote connections must flow through designated, controlled network access points rather than allowing direct connections to internal systems. This provides a consistent security boundary for monitoring and controlling remote access.

Implementation Tips:

  • Implement VPN concentrators or remote access gateways
  • Configure firewalls to restrict remote access to authorized entry points
  • Use jump servers/bastion hosts for administrative access
  • Document the network architecture showing remote access control points
3.1.15 Derived
Authorize remote execution of privileged commands and remote access to security-relevant information.

Explanation: Organizations must specifically authorize and control when privileged commands can be executed remotely or when security-sensitive information can be accessed remotely. This should not be allowed by default.

Implementation Tips:

  • Develop a formal authorization process for remote privileged access
  • Maintain documentation of authorized remote privileged capabilities
  • Implement technical controls to enforce authorization requirements
  • Log and monitor all remote privileged command execution
3.1.16 Derived
Authorize wireless access prior to allowing such connections.

Explanation: Before wireless connections are allowed to connect to your network, they must be explicitly authorized. This prevents rogue or unauthorized wireless access and ensures all wireless connectivity meets security requirements.

Implementation Tips:

  • Develop and document a wireless access authorization process
  • Implement strong authentication for wireless networks (WPA2/WPA3-Enterprise)
  • Use network access control (NAC) for device validation
  • Maintain an inventory of authorized wireless access points
3.1.17 Derived
Protect wireless access using authentication and encryption.

Explanation: Wireless networks are particularly vulnerable to eavesdropping. This control requires implementing strong authentication to verify user/device identity and encryption to protect data transmitted over wireless networks.

Implementation Tips:

  • Use WPA2 or WPA3 Enterprise with AES encryption
  • Implement 802.1X authentication with strong EAP methods
  • Configure RADIUS servers for centralized authentication
  • Regularly update wireless security configurations as standards evolve
3.1.18 Derived
Control connection of mobile devices.

Explanation: Organizations must establish and enforce security requirements for mobile devices (smartphones, tablets, laptops) that connect to their networks or access CUI. This includes both organization-owned and personal devices.

Implementation Tips:

  • Implement a mobile device management (MDM) solution
  • Develop a BYOD policy if personal devices are allowed
  • Enforce security controls such as encryption, passcodes, and remote wipe capability
  • Restrict mobile device access to sensitive data or systems as appropriate
3.1.19 Derived
Encrypt CUI on mobile devices and mobile computing platforms.

Explanation: Due to the high risk of loss or theft, all mobile devices that store or process CUI must use encryption to protect this data. This includes full disk encryption and application-level encryption when appropriate.

Implementation Tips:

  • Enable full disk encryption on all mobile devices (BitLocker, FileVault, device native encryption)
  • Use container applications to encrypt sensitive data at the application level
  • Implement and enforce encryption through MDM policies
  • Test recovery procedures for encrypted devices
3.1.20 Derived
Verify and control/limit connections to and use of external information systems.

Explanation: Organizations must have policies and controls governing how their systems connect to external systems (partners, cloud services, etc.) and how employees use external systems to access or process CUI.

Implementation Tips:

  • Develop policies for acceptable use of external systems
  • Implement technical controls to monitor and restrict external connections
  • Use data loss prevention (DLP) solutions to control data transfers
  • Maintain an inventory of authorized external system connections
3.1.21 Derived
Limit use of organizational portable storage devices on external information systems.

Explanation: This control restricts how organization-owned storage devices (USB drives, external hard drives) can be used on external systems to prevent data leakage or introduction of malware.

Implementation Tips:

  • Develop policies governing use of portable storage devices
  • Use technical controls such as device encryption and device authentication
  • Consider implementing port control solutions to restrict USB usage
  • Train employees on proper handling of portable storage devices
3.1.22 Derived
Control information posted or processed on publicly accessible information systems.

Explanation: Organizations must have processes to review and approve information before it is posted on public-facing systems (websites, social media) to prevent unauthorized disclosure of CUI or sensitive information.

Implementation Tips:

  • Develop a formal review process for public-facing content
  • Train personnel on identifying information not suitable for public release
  • Implement a content management system with approval workflows
  • Regularly scan public-facing systems for inadvertent exposure of sensitive data

Awareness & Training

Security awareness and training ensures that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. These requirements focus on making users aware of security risks and providing appropriate training.

3.2.1 Basic
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

Explanation: This requirement establishes that all personnel must be informed about security risks relevant to their roles and the policies and procedures they need to follow to mitigate those risks.

Implementation Tips:

  • Develop role-specific security awareness materials
  • Conduct regular security awareness sessions
  • Use multiple delivery methods (presentations, emails, posters, newsletters)
  • Maintain documentation of awareness activities
3.2.2 Basic
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Explanation: Beyond general awareness, this control requires specialized training for personnel with specific security responsibilities. The training should be tailored to their roles and the security functions they perform.

Implementation Tips:

  • Identify personnel with security responsibilities
  • Determine training needs for each security role
  • Develop or procure appropriate training materials and courses
  • Track completion of required training
3.2.3 Derived
Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Explanation: Organizations must train personnel to identify potential insider threats - situations where individuals with authorized access might misuse that access to harm the organization, whether intentionally or unintentionally.

Implementation Tips:

  • Include insider threat topics in security awareness programs
  • Train employees on behavioral indicators that might suggest insider risk
  • Establish clear procedures for reporting suspicious activity
  • Ensure training emphasizes appropriate reporting, not suspicion of colleagues

Audit & Accountability

Audit and accountability controls help organizations maintain a record of system activity by users and processes. These audit records help detect unauthorized activity, identify inappropriate use, and provide evidence for forensic analysis when security incidents occur.

3.3.1 Basic
Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.

Explanation: Organizations must generate audit logs that capture significant system events, securely store these logs, and retain them long enough to support security investigations and compliance requirements.

Implementation Tips:

  • Implement centralized logging for all systems containing or processing CUI
  • Protect audit logs from unauthorized access, modification, or deletion
  • Establish retention policies based on regulatory requirements (typically at least 90 days)
  • Ensure logs include timestamp, user ID, action performed, and success/failure status
3.3.2 Basic
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

Explanation: Each user's activities within the system must be attributable to that specific user through audit trails. This requirement supports accountability and non-repudiation principles.

Implementation Tips:

  • Require unique usernames (no shared accounts)
  • Configure logging to record the specific user ID for each action
  • Implement time synchronization across all systems
  • Maintain logs of account creation, deletion, and privilege changes
3.3.3 Basic
Review and update audited events.

Explanation: The set of events that generate audit records should be periodically reviewed and updated to ensure they align with the organization's security needs, threat landscape, and compliance requirements.

Implementation Tips:

  • Establish a process to review audit configuration at least annually
  • Update audited events based on security incidents, risk assessments, and compliance changes
  • Document decisions about which events are audited and why
  • Consider input from security personnel when determining audited events
3.3.4 Basic
Alert in the event of an audit process failure.

Explanation: If the audit logging mechanism fails, organizations must be promptly alerted to prevent prolonged periods without audit capability. Logging failures could indicate technical problems or potential security incidents.

Implementation Tips:

  • Configure monitoring systems to detect audit process failures
  • Set up alerts to notify security personnel of logging failures
  • Document response procedures for audit failures
  • Test audit failure alerts periodically
3.3.5 Basic
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.

Explanation: Audit logs from different systems should be analyzed together to identify security patterns and suspicious behaviors that might not be apparent when examining logs in isolation.

Implementation Tips:

  • Implement Security Information and Event Management (SIEM) tools
  • Establish correlation rules to identify suspicious patterns
  • Create procedures for investigating correlated events
  • Ensure logs from different systems use synchronized time sources
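To show why correlation across systems matters, here is an added example (not from this page) of one correlation rule run over constructed log lines from a VPN gateway and a file server. The rule alerts when one source address accumulates three failed logons on any combination of systems within five minutes and then logs on successfully; the log line format, host names and addresses are assumptions made for the example.

```python
"""Cross-system audit correlation (3.3.5).

Added example, not from the page. Constructed log format:
  <ISO-8601 UTC timestamp> <host> <system> user=<u> src=<ip> result=FAIL|SUCCESS
Hosts, users and addresses are constructed (documentation address ranges).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOGS = """\
2024-05-01T09:00:05Z vpn01 vpn user=alice src=203.0.113.7 result=FAIL
2024-05-01T09:00:31Z vpn01 vpn user=alice src=203.0.113.7 result=FAIL
2024-05-01T09:01:02Z fs01 smb user=alice src=203.0.113.7 result=FAIL
2024-05-01T09:01:40Z vpn01 vpn user=alice src=203.0.113.7 result=SUCCESS
2024-05-01T09:02:10Z fs01 smb user=bob src=198.51.100.9 result=FAIL
2024-05-01T09:30:00Z fs01 smb user=bob src=198.51.100.9 result=SUCCESS
"""


def parse_line(line):
    """Turn one log line into a dict with an aware UTC datetime under 'ts'."""
    ts, host, system, *kv = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "system": system,
    }
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def failures_per_host(lines):
    """What a per-host view sees: failure counts with no cross-system context."""
    counts = defaultdict(int)
    for rec in (parse_line(l) for l in lines if l.strip()):
        if rec["result"] == "FAIL":
            counts[rec["host"]] += 1
    return dict(counts)


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failures (any host) inside `window`
    and then a SUCCESS on any host. Returns a list of alert dicts."""
    failures = defaultdict(list)  # src -> [(ts, host), ...]
    alerts = []
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        src = rec["src"]
        # Drop failures that fell out of the sliding window.
        failures[src] = [(t, h) for t, h in failures[src] if rec["ts"] - t <= window]
        if rec["result"] == "FAIL":
            failures[src].append((rec["ts"], rec["host"]))
        elif rec["result"] == "SUCCESS" and len(failures[src]) >= threshold:
            hosts = sorted({h for _, h in failures[src]} | {rec["host"]})
            alerts.append({"src": src, "user": rec["user"], "hosts": hosts, "at": rec["ts"]})
            failures[src].clear()
    return alerts


if __name__ == "__main__":
    print("per host:", failures_per_host(SAMPLE_LOGS.splitlines()))
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print("ALERT", a)
```

Each host on its own sees only two failures, below the threshold, so only the correlated view produces the alert.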
3.3.6 Basic
Provide audit record reduction and report generation to support on-demand analysis and reporting.

Explanation: Systems must be able to process large volumes of audit data and generate meaningful reports that highlight relevant security events without overwhelming analysts with unnecessary details.

Implementation Tips:

  • Implement log management tools with filtering and search capabilities
  • Create predefined reports for common security analyses
  • Enable customized reporting for specific investigations
  • Configure tools to support both routine and ad-hoc analysis
3.3.7 Basic
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

Explanation: Accurate time information is critical for audit logs to establish the correct sequence of events during security incidents and to correlate events across different systems.

Implementation Tips:

  • Configure systems to use Network Time Protocol (NTP)
  • Designate authoritative time sources (internal or external)
  • Ensure time synchronization across all systems generating audit data
  • Verify that timestamps include date, time, and time zone information
3.3.8 Derived
Protect audit information and audit tools from unauthorized access, modification, and deletion.

Explanation: Audit data and audit tools themselves must be protected to maintain the integrity and reliability of the audit process. Attackers often attempt to delete or modify audit logs to hide their activities.

Implementation Tips:

  • Restrict access to audit logs using access controls
  • Implement integrity checking for audit files
  • Store audit logs on write-once media or send to a dedicated log server
  • Protect audit tools with strong access controls and integrity monitoring
3.3.9 Derived
Limit management of audit functionality to a subset of privileged users.

Explanation: The ability to configure audit settings, review audit logs, or disable auditing should be restricted to a small number of trusted administrators to prevent tampering with the audit process.

Implementation Tips:

  • Create specific roles for audit management
  • Assign audit management roles only to trusted personnel
  • Use two-person controls for critical audit functions
  • Document and regularly review the list of users with audit privileges

Configuration Management

Configuration management establishes and maintains the integrity of information systems through control of processes for initializing, changing, and monitoring system configurations. These requirements focus on establishing secure baselines and controlling changes to prevent unauthorized modifications that could introduce vulnerabilities.

3.4.1 Basic
Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Explanation: Organizations must define and document standard secure configurations for their IT systems and maintain comprehensive inventories of all system components. These baselines serve as the foundation for secure configuration management.

Implementation Tips:

  • Develop and document baseline configurations for each type of system
  • Maintain an accurate inventory of all hardware, software, and firmware
  • Update baselines when new technologies are introduced
  • Use automated tools to maintain and verify configurations
3.4.2 Basic
Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Explanation: Beyond establishing baseline configurations, organizations must actively enforce these secure settings. This involves implementing technical controls to prevent deviations from approved configurations.

Implementation Tips:

  • Use security configuration checklists (e.g., CIS benchmarks, DISA STIGs)
  • Implement policy enforcement mechanisms like Group Policy
  • Deploy configuration management tools to monitor and enforce settings
  • Regularly verify that settings remain consistent with security baselines
3.4.3 Basic
Track, review, approve/disapprove, and audit changes to information systems.

Explanation: Organizations need formal change management processes to ensure that all changes to systems are properly reviewed, tested, approved, and documented before implementation to prevent unauthorized or insecure modifications.

Implementation Tips:

  • Implement a formal change management process
  • Document and track all change requests
  • Ensure changes are tested, approved, and reviewed by appropriate personnel
  • Maintain logs of all configuration changes and review them regularly
3.4.4 Basic
Analyze the security impact of changes prior to implementation.

Explanation: Before implementing changes to systems, their potential impact on security must be analyzed to identify any vulnerabilities or weaknesses that might be introduced by the changes.

Implementation Tips:

  • Include security impact analysis in the change management process
  • Develop a checklist for assessing security impacts
  • Ensure security personnel review changes before approval
  • Document security considerations and mitigations for each change
3.4.5 Basic
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Explanation: Organizations must control who can make changes to systems by establishing and enforcing access restrictions. This includes both physical access (e.g., server rooms) and logical access (e.g., system privileges).

Implementation Tips:

  • Limit physical access to critical system components
  • Restrict logical access to change management tools and configuration settings
  • Document who is authorized to make different types of changes
  • Ensure separation of duties for change implementation and approval
3.4.6 Basic
Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

Explanation: Systems should be configured to provide only the functions necessary for their intended use. Unnecessary services, protocols, and features should be disabled to reduce the attack surface.

Implementation Tips:

  • Identify and document required system functions
  • Disable or remove unnecessary services, ports, and protocols
  • Use application whitelisting where appropriate
  • Regularly review system functionality to identify and remove unnecessary components
3.4.7 Basic
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

Explanation: Building on requirement 3.4.6, this control emphasizes the need to actively restrict, disable, or prevent the use of specific nonessential capabilities that could introduce security vulnerabilities.

Implementation Tips:

  • Conduct port scans to identify open ports and running services
  • Use host-based firewalls to restrict port access
  • Implement technical controls to prevent installation of unauthorized software
  • Disable unused features in operating systems and applications
3.4.8 Basic
Apply deny-by-default and allow-by-exception policy to prevent the use of unauthorized software and deny-all, permit-by-exception policy to allow the execution of authorized software.

Explanation: This control requires implementing a "default deny" approach to software execution, where only explicitly approved software is allowed to run. All other software is blocked by default.

Implementation Tips:

  • Implement application whitelisting technologies
  • Establish processes for authorizing and approving software
  • Maintain a list of approved software
  • Configure systems to block execution of unauthorized applications
3.4.9 Derived
Control and monitor user-installed software.

Explanation: Organizations must have mechanisms to control and monitor software that users install on their devices. This prevents the introduction of malware, unauthorized tools, or software with security vulnerabilities.

Implementation Tips:

  • Establish policies regarding user-installed software
  • Implement technical controls to restrict software installation privileges
  • Use software inventory tools to detect unauthorized installations
  • Conduct regular audits of installed software

Identification & Authentication

Identification and authentication controls determine how users and devices identify themselves to systems and how those systems verify their identities. These requirements help ensure that only authorized individuals can access systems containing CUI by verifying their identities before access is granted.

3.5.1 Basic
Identify information system users, processes acting on behalf of users, or devices.

Explanation: This fundamental requirement establishes that all entities (users, processes, or devices) accessing information systems must be identifiable in some way. This allows organizations to attribute actions to specific entities and supports accountability.

Implementation Tips:

  • Assign unique identifiers to all users, processes, and devices
  • Maintain a comprehensive inventory of all authorized system users
  • Ensure service accounts are associated with specific services/processes
  • Implement device certificates or other mechanisms to identify devices
3.5.2 Basic
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Explanation: After identification, the system must verify that the entity is who/what it claims to be before granting access. This verification process is authentication, and it prevents unauthorized access through identity spoofing.

Implementation Tips:

  • Implement strong password policies or other authentication mechanisms
  • Configure systems to require authentication before granting access
  • Use multi-factor authentication where possible
  • Implement device authentication for network access
3.5.3 Basic
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Explanation: This requirement mandates the use of multi-factor authentication (MFA) for privileged accounts in all contexts and for regular user accounts when accessing the network remotely. MFA significantly reduces the risk of credential compromise.

Implementation Tips:

  • Deploy MFA solutions like smart cards, tokens, or authenticator apps
  • Configure all administrator/privileged accounts to require MFA for any access
  • Implement MFA for VPN and remote access solutions
  • Ensure MFA methods use different authentication factors (know/have/are)
3.5.4 Basic
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Explanation: Replay attacks involve capturing authentication data and replaying it later to gain unauthorized access. This requirement mandates using authentication methods that prevent such attacks.

Implementation Tips:

  • Use authentication protocols that include nonces or timestamps
  • Implement TLS/SSL for all authentication traffic
  • Use Kerberos or other protocols with replay protection
  • Implement time-based one-time passwords (TOTP) for sensitive access
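Both sides of a nonce-based challenge-response exchange, as an added example that is not part of this page: the server issues a fresh random nonce for every attempt and accepts each nonce once and only within a short lifetime, the client proves knowledge of the shared secret by returning an HMAC over that nonce, and a captured response is useless afterwards because its nonce has been consumed. The shared secret, lifetime and user name are constructed for the example.

```python
"""Replay-resistant challenge-response authentication (3.5.4).

Added example, not from the page. A static credential sent on the wire can be
captured and resent; here the proof is bound to a one-time server nonce, so
the same proof cannot be replayed and a proof for one nonce does not fit
another. Secrets and the 30 s nonce lifetime are constructed assumptions.
"""
import hashlib
import hmac
import secrets


def client_response(secret: bytes, nonce: str) -> str:
    """What the client sends back: HMAC-SHA256(secret, nonce)."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, user_secrets: dict, nonce_lifetime: float = 30.0):
        self.user_secrets = user_secrets        # user -> shared secret
        self.nonce_lifetime = nonce_lifetime    # seconds a challenge stays valid
        self.pending = {}                       # nonce -> (user, issued_at)

    def challenge(self, user: str, now: float) -> str:
        """Issue a fresh 128-bit nonce for this attempt."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, now)
        return nonce

    def verify(self, user: str, nonce: str, response: str, now: float):
        """Return (accepted: bool, reason: str)."""
        entry = self.pending.pop(nonce, None)   # single use: consumed on first sight
        if entry is None or entry[0] != user:
            return False, "nonce unknown or already used"
        if now - entry[1] > self.nonce_lifetime:
            return False, "nonce expired"
        expected = client_response(self.user_secrets[user], nonce)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        return True, "accepted"


if __name__ == "__main__":
    server = Server({"alice": b"constructed-shared-secret"})
    n = server.challenge("alice", now=0.0)
    r = client_response(b"constructed-shared-secret", n)
    print("first use:", server.verify("alice", n, r, now=1.0))
    print("replayed: ", server.verify("alice", n, r, now=2.0))
```
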
3.5.5 Basic
Prevent reuse of identifiers for a defined period.

Explanation: This control prevents reusing user IDs, device identifiers, or process identifiers for a certain period after they're no longer in use. This helps prevent potential confusion or security issues from identifier reuse.

Implementation Tips:

  • Establish a policy defining the waiting period before identifiers can be reused
  • Configure user management systems to prevent immediate reuse of usernames
  • Document procedures for decommissioning and creating identifiers
  • Consider using globally unique identifiers (GUIDs) where appropriate
3.5.6 Basic
Disable identifiers after a defined period of inactivity.

Explanation: Accounts and identifiers that remain unused for extended periods should be disabled to reduce the attack surface. Inactive accounts often have outdated security controls and might not be monitored effectively.

Implementation Tips:

  • Define an appropriate inactivity period (typically 30-90 days)
  • Configure systems to automatically disable inactive accounts
  • Implement a process to periodically review inactive identifiers
  • Document procedures for reactivating needed accounts
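The two identifier-lifecycle controls above (3.5.5 reuse cooldown, 3.5.6 inactivity disablement) can be expressed as a small policy check; this is an added example, not the page's code, run over a constructed directory export. It ages never-logged-on accounts from their creation date, a case that last-logon reports alone miss, and treats identifiers case-insensitively.

```python
"""Identifier lifecycle checks (constructed example, not the page's code).

3.5.6: flag and disable accounts whose last logon is older than the inactivity
period; accounts that have never logged on are aged from their creation date
so a stale never-used account is still caught.
3.5.5: keep a register of retired identifiers and refuse to re-issue one
before its cooldown has elapsed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 90          # 3.5.6 period (page suggests 30-90 days)
REUSE_COOLDOWN_DAYS = 365     # 3.5.5 period (organisation-defined; assumed here)

# Constructed stand-in for a directory export; empty last_logon = never logged on.
EXPORT = """\
username,created,last_logon
jdoe,2023-01-10,2024-09-01
svc_backup,2022-06-01,2024-11-20
tmp_contractor,2024-03-15,
new_hire,2024-11-28,
"""


@dataclass
class Account:
    username: str
    created: date
    last_logon: Optional[date]    # None = never logged on
    enabled: bool = True
    exempt: bool = False          # e.g. documented break-glass accounts


def parse_export(text: str):
    accounts = []
    for line in text.splitlines()[1:]:
        name, created, last = line.split(",")
        accounts.append(Account(name, date.fromisoformat(created),
                                date.fromisoformat(last) if last else None))
    return accounts


def inactive_accounts(accounts, today: date, period_days: int = INACTIVITY_DAYS):
    cutoff = today - timedelta(days=period_days)
    stale = []
    for a in accounts:
        if not a.enabled or a.exempt:
            continue
        last_activity = a.last_logon or a.created   # never-used accounts age from creation
        if last_activity < cutoff:
            stale.append(a.username)
    return stale


def disable_inactive(accounts, today: date, period_days: int = INACTIVITY_DAYS):
    """Disable rather than delete, so audit history and ownership are preserved."""
    stale = set(inactive_accounts(accounts, today, period_days))
    for a in accounts:
        if a.username in stale:
            a.enabled = False
    return sorted(stale)


class IdentifierRegistry:
    """Tracks identifiers in use and retired ones, enforcing a reuse cooldown."""

    def __init__(self, cooldown_days: int = REUSE_COOLDOWN_DAYS):
        self._in_use = set()
        self._retired = {}        # username -> retirement date
        self._cooldown = timedelta(days=cooldown_days)

    def issue(self, username: str, today: date):
        key = username.lower()    # directory names are case-insensitive
        if key in self._in_use:
            raise ValueError(f"{username}: already in use")
        retired_on = self._retired.get(key)
        if retired_on is not None and today - retired_on < self._cooldown:
            available = retired_on + self._cooldown
            raise ValueError(f"{username}: retired {retired_on}, reusable from {available}")
        self._retired.pop(key, None)
        self._in_use.add(key)

    def retire(self, username: str, today: date):
        key = username.lower()
        self._in_use.discard(key)
        self._retired[key] = today


def demo(today: date = date(2024, 12, 1)):
    accounts = parse_export(EXPORT)
    disabled = disable_inactive(accounts, today)
    reg = IdentifierRegistry()
    for a in accounts:
        reg.issue(a.username, a.created)
    reg.retire("tmp_contractor", today)
    try:
        reg.issue("TMP_Contractor", today + timedelta(days=30))   # inside cooldown
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    return disabled, reuse_blocked


if __name__ == "__main__":
    print(demo())   # (['jdoe', 'tmp_contractor'], True)
```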
3.5.7 Basic
Enforce a minimum password complexity and change of characters when new passwords are created.

Explanation: Password complexity requirements help ensure that user-created passwords resist guessing and brute force attacks. This control requires enforcing minimum complexity standards and ensuring new passwords differ from previous ones.

Implementation Tips:

  • Define password complexity requirements (length, character types, etc.)
  • Configure systems to enforce complexity at password creation
  • Require a minimum number of changed characters in new passwords
  • Consider using passphrases instead of complex passwords where supported

NIST Modern Guidance: The current NIST guidance (SP 800-63B) recommends focusing on password length over complexity, checking passwords against known compromised passwords, and not requiring periodic password changes without reason.

3.5.8 Basic
Prohibit password reuse for a specified number of generations.

Explanation: Password reuse allows attackers who have previously compromised a password to regain access. This control prevents users from cycling through a small set of passwords by requiring a certain number of unique passwords before reuse is allowed.

Implementation Tips:

  • Configure systems to remember password history (typically 5-24 previous passwords)
  • Prevent users from reusing passwords from the history
  • Document the password history requirement in policies
  • Consider implementing password managers to help users maintain unique passwords
3.5.9 Basic
Allow temporary password use for system logons with an immediate change to a permanent password.

Explanation: When temporary passwords are used (e.g., for new accounts or password resets), users should be required to change them immediately upon first logon to maintain security and ensure only the legitimate user knows the password.

Implementation Tips:

  • Configure systems to prompt for password change after temporary password use
  • Ensure temporary passwords are strong and randomly generated
  • Set temporary passwords to expire quickly if not used
  • Train help desk personnel on secure temporary password procedures
3.5.10 Basic
Store and transmit only cryptographically-protected passwords.

Explanation: Passwords must never be stored or transmitted in plaintext. This control requires using cryptographic methods to protect passwords both when stored (e.g., in databases) and when transmitted over networks.

Implementation Tips:

  • Use modern password hashing algorithms (bcrypt, Argon2, PBKDF2) for storage
  • Ensure passwords are transmitted only over encrypted channels (TLS/SSL)
  • Verify that all authentication mechanisms protect password confidentiality
  • Avoid logging or displaying passwords in any form
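The three password controls above (3.5.7 complexity and changed characters, 3.5.8 history, 3.5.10 cryptographic protection) fit together in one password-change routine; this is an added example, not the page's code. It stores only salted PBKDF2-HMAC-SHA256 hashes from the standard library (bcrypt or Argon2 would be drop-in replacements), checks the new password against a constructed breached-password list as SP 800-63B recommends, and enforces history purely on hashes so no old plaintext is ever kept.

```python
"""Password storage and change policy (constructed example, not the page's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 600_000     # OWASP 2023 figure for PBKDF2-HMAC-SHA256
HISTORY_GENERATIONS = 10        # 3.5.8: previous hashes that may not be reused
MIN_LENGTH = 12                 # 3.5.7 / SP 800-63B: length over character classes
MIN_CHANGED_CHARS = 4           # 3.5.7: new password must differ in this many positions

# Constructed stand-in for a breached-password blocklist (SP 800-63B check).
BREACHED = {"Password123!", "Winter2024!!", "letmein12345"}


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), digest)


def changed_characters(old: str, new: str) -> int:
    """Positions that differ; a length difference counts as changed characters."""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))


def check_new_password(old_plain: str, new_plain: str, cred: StoredCredential) -> list:
    """Return the list of policy violations (empty list means acceptable)."""
    problems = []
    if len(new_plain) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new_plain in BREACHED:
        problems.append("appears in breached-password list")
    if changed_characters(old_plain, new_plain) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    # History is checked against stored hashes only; old plaintexts are never kept.
    if matches(new_plain, cred.salt, cred.digest) or any(
        matches(new_plain, s, d) for s, d in cred.history
    ):
        problems.append(f"reused within last {HISTORY_GENERATIONS} generations")
    return problems


def set_initial_password(password: str) -> StoredCredential:
    salt = secrets.token_bytes(16)          # fresh random salt per password
    return StoredCredential(salt=salt, digest=hash_password(password, salt))


def verify_login(cred: StoredCredential, password: str) -> bool:
    return matches(password, cred.salt, cred.digest)


def change_password(cred: StoredCredential, old_plain: str, new_plain: str) -> list:
    """Verify the old password, enforce policy, then rotate the stored hash."""
    if not matches(old_plain, cred.salt, cred.digest):
        return ["current password incorrect"]
    problems = check_new_password(old_plain, new_plain, cred)
    if problems:
        return problems
    cred.history.insert(0, (cred.salt, cred.digest))
    del cred.history[HISTORY_GENERATIONS:]  # keep the last N previous hashes
    cred.salt = secrets.token_bytes(16)
    cred.digest = hash_password(new_plain, cred.salt)
    return []


def demo():
    """Constructed walk-through: one account, three change attempts."""
    cred = set_initial_password("correct horse battery staple")
    rejected = change_password(cred, "correct horse battery staple", "Password123!")
    accepted = change_password(cred, "correct horse battery staple", "orange-anvil-quietly-42")
    reused = change_password(cred, "orange-anvil-quietly-42", "correct horse battery staple")
    return rejected, accepted, reused


if __name__ == "__main__":
    print(demo())
    # (['appears in breached-password list'], [], ['reused within last 10 generations'])
```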
3.5.11 Basic
Obscure feedback of authentication information.

Explanation: This control prevents authentication information (such as passwords) from being displayed on the screen during entry. This protects against "shoulder surfing" and similar attacks where someone might observe the authentication information.

Implementation Tips:

  • Configure applications to mask password entry (e.g., displaying asterisks)
  • Ensure error messages don't reveal authentication details
  • Hide entered characters on all authentication interfaces
  • Test authentication screens to verify feedback is obscured

Incident Response

Incident response capabilities help organizations detect, report, and respond to security incidents involving CUI. Effective incident handling can minimize loss and destruction, mitigate weaknesses that were exploited, and restore computing services in a timely manner.

3.6.1 Basic
Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

Explanation: Organizations must have a comprehensive incident response program that addresses all phases of incident handling. This ensures that security incidents are addressed systematically and effectively.

Implementation Tips:

  • Develop a formal incident response plan documenting all phases
  • Establish an incident response team with defined roles and responsibilities
  • Implement detection capabilities (monitoring, alerts, user reporting)
  • Document procedures for analysis, containment, and recovery
  • Create templates for incident documentation and communication
3.6.2 Basic
Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Explanation: Organizations must maintain documentation of security incidents and ensure appropriate reporting to management, legal, and relevant external authorities as required by law, regulation, or agreements.

Implementation Tips:

  • Implement an incident tracking system/database
  • Establish reporting thresholds and criteria for escalation
  • Document internal reporting chains and requirements
  • Identify external reporting requirements (e.g., DoD, prime contractors)
  • Create reporting templates for different incident types and authorities

External Reporting Note: Incidents involving CUI in DoD contractor systems must be reported to the DoD within 72 hours of discovery. Check your contracts and agreements for specific reporting requirements.

3.6.3 Basic
Test the organizational incident response capability.

Explanation: Organizations must regularly test their incident response capabilities to ensure they are effective when needed. Testing helps identify gaps and improve response procedures before a real incident occurs.

Implementation Tips:

  • Conduct tabletop exercises to walk through incident scenarios
  • Perform technical exercises or simulations (e.g., red team/blue team)
  • Test communication channels and escalation procedures
  • Document lessons learned and update procedures accordingly
  • Schedule regular testing at least annually

Testing Approaches:

  • Tabletop Exercises: Discussion-based sessions where team members walk through their response to a hypothetical scenario
  • Functional Exercises: Limited simulations testing specific capabilities
  • Full-Scale Exercises: Comprehensive tests that simulate real incidents

Maintenance

Maintenance requirements focus on performing timely and controlled maintenance of information systems to ensure their continued availability and integrity. Proper maintenance procedures help prevent unauthorized modifications during servicing and reduce the risk of introducing new vulnerabilities.

3.7.1 Basic
Perform maintenance on organizational information systems.

Explanation: This fundamental requirement establishes that organizations must perform regular maintenance on their information systems. Maintenance includes hardware servicing, software updates, security patches, and other activities needed to ensure systems remain secure and operational.

Implementation Tips:

  • Develop a maintenance schedule for all system components
  • Implement automated patch management where feasible
  • Document all maintenance activities
  • Include both preventive and corrective maintenance
3.7.2 Basic
Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Explanation: Organizations must control all aspects of the maintenance process, including tools, techniques, and the personnel performing maintenance. This prevents unauthorized changes or access during maintenance activities.

Implementation Tips:

  • Use only approved maintenance tools and utilities
  • Maintain an inventory of authorized maintenance tools
  • Inspect maintenance tools for malicious code before use
  • Restrict maintenance personnel to only necessary system access
  • Supervise maintenance activities performed by external providers
3.7.3 Basic
Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Explanation: When equipment containing CUI needs to be removed from organizational facilities for maintenance, it must be sanitized to remove any CUI before being taken off-site. This prevents unauthorized access to sensitive information during transit or repair.

Implementation Tips:

  • Develop procedures for sanitizing equipment before off-site maintenance
  • Use secure data wiping tools that meet applicable standards
  • Document the sanitization process for each device
  • Consider using encryption so that sanitization can be accomplished by destroying encryption keys
  • Implement verification procedures to confirm successful sanitization
3.7.4 Basic
Check media containing diagnostic and test programs for malicious code before the media are used in the information system.

Explanation: Media used for diagnostics and testing (like USB drives, DVDs, or external hard drives) can be vectors for malware. This control requires scanning such media for malicious code before using it in organizational systems.

Implementation Tips:

  • Use up-to-date antivirus/anti-malware tools to scan maintenance media
  • Maintain a dedicated scanning station that is not connected to production networks
  • Document media scanning procedures
  • Consider implementing write-once media policies for maintenance tools
  • Verify the source and integrity of diagnostic software before use
3.7.5 Basic
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Explanation: Remote maintenance sessions must be secured using multifactor authentication to verify the identity of maintenance personnel. Additionally, these connections must be terminated once maintenance is complete to prevent unauthorized access.

Implementation Tips:

  • Configure remote access tools to require MFA for maintenance sessions
  • Implement session timeout for remote maintenance connections
  • Use secure remote access solutions (e.g., VPN with MFA)
  • Document procedures for establishing and terminating remote maintenance sessions
  • Consider using dedicated accounts for remote maintenance activities
3.7.6 Basic
Supervise the maintenance activities of maintenance personnel without required access authorization.

Explanation: When maintenance must be performed by personnel who don't have formal authorization to access the system or CUI, their activities must be supervised by authorized personnel. This ensures that unauthorized access to CUI doesn't occur during maintenance.

Implementation Tips:

  • Designate specific authorized personnel to supervise maintenance activities
  • Document supervision procedures for different types of maintenance
  • Train supervisory personnel on security requirements
  • Maintain logs of maintenance activities performed by unauthorized personnel
  • Ensure supervisors have authority to terminate activities if security concerns arise

Media Protection

Media protection requirements focus on protecting information system media containing CUI, both digital and non-digital. These controls address the secure handling, storage, transport, and disposal of media to prevent unauthorized access, disclosure, or destruction of CUI.

3.8.1 Basic
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

Explanation: This requirement addresses the physical security of media containing CUI. Both digital media (hard drives, USB drives, etc.) and physical media (paper documents) must be physically controlled and stored securely to prevent unauthorized access.

Implementation Tips:

  • Establish secure storage areas for media (locked cabinets, safes, etc.)
  • Implement access controls for storage areas
  • Mark media containing CUI appropriately
  • Maintain inventories of physical media containing CUI
  • Implement check-in/check-out procedures for media access
3.8.2 Basic
Limit access to CUI on information system media to authorized users.

Explanation: Organizations must implement controls that restrict access to media containing CUI to only those individuals who are authorized to access such information. This applies to both the physical media and the information it contains.

Implementation Tips:

  • Implement access control lists for digital media
  • Restrict physical access to media storage locations
  • Use encryption for digital media
  • Maintain records of authorized users
  • Implement procedures to verify authorization before granting access
3.8.3 Basic
Sanitize or destroy information system media containing CUI before disposal or release for reuse.

Explanation: Before disposing of or reusing media that has contained CUI, organizations must either sanitize it (remove all CUI so it cannot be recovered) or destroy the media entirely. This prevents unauthorized access to CUI from discarded or repurposed media.

Implementation Tips:

  • Develop media sanitization and destruction procedures
  • Use methods that comply with NIST SP 800-88 "Guidelines for Media Sanitization"
  • Document the sanitization or destruction of media
  • Verify effectiveness of sanitization techniques
  • Consider using approved third-party media destruction services

Sanitization Methods:

  • Digital Media: Secure wiping, degaussing, or physical destruction
  • Paper Media: Shredding, pulping, or incineration
3.8.4 Basic
Mark media with necessary CUI markings and distribution limitations.

Explanation: Media containing CUI must be appropriately marked to indicate its sensitive nature and any distribution limitations. This helps prevent accidental disclosure by ensuring authorized users are aware of handling requirements.

Implementation Tips:

  • Develop standardized labels and markings for media containing CUI
  • Train personnel on proper marking procedures
  • Ensure markings conform to applicable CUI guidance
  • Implement procedures to verify proper marking before media distribution
  • Consider electronic marking/tagging for digital media where appropriate

Note: CUI markings should follow the guidelines provided by the CUI Registry and any specific agency requirements.

3.8.5 Basic
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Explanation: When media containing CUI must be transported outside of secure, controlled areas, organizations must implement controls to maintain accountability and prevent unauthorized access during transport.

Implementation Tips:

  • Develop procedures for secure transport of media
  • Use tamper-evident packaging
  • Maintain chain of custody documentation during transport
  • Encrypt digital media containing CUI
  • Use secure courier services or authorized personnel for transport
  • Implement logging and tracking of media movement
3.8.6 Basic
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Explanation: When digital media containing CUI is transported outside of controlled areas, the data should be encrypted to protect its confidentiality. Encryption provides protection if the media is lost or stolen during transport.

Implementation Tips:

  • Use FIPS-validated or NSA-approved encryption solutions
  • Implement full disk encryption for laptops and portable devices
  • Use encrypted USB drives, external hard drives, and other removable media
  • Document encryption requirements in policies and procedures
  • Ensure secure key management for encryption keys

Note: Alternative physical safeguards might include locked containers, secure courier services, or direct hand-carrying by authorized personnel.

3.8.7 Basic
Control the use of removable media on information system components.

Explanation: Organizations must control how removable media (USB drives, external hard drives, etc.) can be used with information systems. This helps prevent data leakage, malware introduction, and other security risks.

Implementation Tips:

  • Develop policies governing the use of removable media
  • Implement technical controls to restrict or monitor removable media use
  • Use port/device control solutions to control USB and peripheral connectivity
  • Maintain an inventory of authorized removable media
  • Consider solutions that restrict what types of files can be copied to removable media
3.8.8 Basic
Prohibit the use of portable storage devices when such devices have no identifiable owner.

Explanation: Organizations must prevent the use of "found" or unidentified portable storage devices. These devices pose security risks as they may contain malware or could be used to exfiltrate data. All allowed storage devices should have an identifiable, authorized owner.

Implementation Tips:

  • Develop and enforce policies prohibiting the use of unauthorized or unidentified storage devices
  • Establish ownership tracking for all authorized portable storage devices
  • Consider implementing device registration or approval processes
  • Use technical controls to enforce device restrictions
  • Train users on the risks of using unknown storage devices
3.8.9 Derived
Protect the confidentiality of backup CUI at storage locations.

Explanation: Backups often contain complete copies of sensitive data and must be protected with the same level of security as the original data. This control ensures that CUI remains protected when stored in backup form, whether on-site or off-site.

Implementation Tips:

  • Encrypt backup media or use encrypted backup solutions
  • Implement physical security controls for backup storage locations
  • Apply access controls to limit who can access backup data
  • Consider cloud backup solutions that offer appropriate security controls
  • Verify security controls at third-party backup storage providers

Personnel Security

Personnel security requirements focus on reducing risks associated with individuals who have access to CUI. These requirements address screening personnel before granting access, ensuring appropriate agreements are in place, and enforcing security requirements during personnel transfers or terminations.

3.9.1 Basic
Screen individuals prior to authorizing access to information systems containing CUI.

Explanation: This requirement ensures that individuals are properly vetted before they are granted access to systems containing CUI. Screening helps identify potential security risks associated with individuals who may have access to sensitive information.

Implementation Tips:

  • Establish personnel screening procedures based on position sensitivity
  • Conduct background checks appropriate to the level of access required
  • Document screening requirements in hiring policies
  • Verify professional credentials, education, and employment history
  • Ensure screening is completed and approved before granting access

Note: Screening requirements may vary based on contract requirements and the sensitivity of the CUI involved.

3.9.2 Basic
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Explanation: This control focuses on maintaining security during personnel transitions. When employees leave or change roles, organizations must take steps to ensure continued protection of CUI and prevent unauthorized access by former employees or employees in new roles.

Implementation Tips:

  • Develop standard procedures for handling personnel transitions
  • Implement timely revocation of access for terminated employees
  • Adjust access rights for transferred employees based on new role requirements
  • Conduct exit interviews to remind departing employees of confidentiality obligations
  • Retrieve organizational assets (keys, badges, devices) upon termination
  • Ensure knowledge transfer for critical functions before departure

Physical Protection

3.10.1
Limit physical access to organizational information systems, equipment, and operating environments to authorized individuals.
3.10.2
Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.3
Escort visitors and monitor visitor activity.
3.10.4
Maintain audit logs of physical access.
3.10.5
Control and manage physical access devices.
3.10.6
Enforce safeguarding measures for CUI at alternate work sites.

Risk Assessment

3.11.1
Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.11.2
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3
Remediate vulnerabilities in accordance with risk assessments.

Security Assessment

3.12.1
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3
Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

System & Communications Protection

3.13.1
Monitor, control, and protect communications at the external and key internal boundaries of information systems.
3.13.2
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.13.3
Separate user functionality from system management functionality.
3.13.4
Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.7
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks.
3.13.8
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.10
Establish and manage cryptographic keys for cryptography employed in organizational systems.
3.13.11
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13
Control and monitor the use of mobile code.
3.13.14
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15
Protect the authenticity of communications sessions.
3.13.16
Protect the confidentiality of CUI at rest.

System & Information Integrity

3.14.1
Identify, report, and correct information and information system flaws in a timely manner.
3.14.2
Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3
Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4
Update malicious code protection mechanisms when new releases are available.
3.14.5
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.6
Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7
Identify unauthorized use of the information system.

Plan of Action & Milestones (POA&M) Tracking

Documentation & Resources

About NIST 800-171

NIST Special Publication 800-171 provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Compliance with these requirements is mandatory for contractors and subcontractors that process, store, or transmit CUI.

The resources in this section will help you understand, implement, and maintain compliance with NIST 800-171 requirements across your organization, regardless of size or technical maturity.

NIST Official Publications

  • NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
  • NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information
  • NIST Handbook 162: NIST MEP Cybersecurity Self-Assessment Handbook For Small Manufacturers
  • DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-171B: Protecting CUI in Nonfederal Systems - Enhanced Requirements
  • CMMC Model Documentation: Cybersecurity Maturity Model Certification documentation and resources

Implementation Guidance

  • NIST 800-171 Quick Start Guide: A concise guide to implementing the basic security requirements
  • Technical Implementation Details: Technical specifications and detailed implementation guidance
  • NIST 800-171 Compliance Roadmap: Step-by-step roadmap to achieve and maintain compliance
  • Cloud Security Implementation Guide: Guidance for implementing NIST 800-171 in cloud environments
  • CUI Identification and Marking Guide: Procedures for identifying and properly marking CUI
  • Small Business Implementation Guide: Tailored guidance for small businesses with limited resources
  • Cost-Effective Security Controls: Implementing NIST 800-171 on a limited budget
  • Small Business Cyber Essentials: Essential cybersecurity practices for small businesses
  • Small Business Technology Selection Guide: Guidance on selecting compliant technology solutions
  • Manufacturing Environment Security Guide: Security controls for manufacturing systems and environments
  • OT/IT Convergence Security Guide: Security guidance for environments with both OT and IT systems
  • Manufacturing Supplier Management: Guidance for managing security requirements with suppliers
  • Defense Contractor Implementation Guide: Comprehensive guide for defense contractors and subcontractors
  • CMMC Alignment Guide: Aligning NIST 800-171 implementation with CMMC requirements
  • Incident Response for CDI: Specialized incident response procedures for Covered Defense Information
  • Healthcare Implementation Guide: Implementing NIST 800-171 in healthcare organizations
  • HIPAA and NIST 800-171 Alignment: Aligning HIPAA Security Rule with NIST 800-171 requirements
  • Medical Device Security Guide: Security guidance for medical device manufacturers

Templates & Tools

  • System Security Plan (SSP) Template: Comprehensive template for documenting your system security plan
  • POA&M Template: Excel template for tracking remediation plans with automated metrics
  • Security Assessment Report Template: Template for documenting security assessment findings and recommendations
  • Security Policy Templates Bundle: Complete set of security policy templates aligned with NIST 800-171
  • Access Control Matrix Template: Template for documenting and managing user access permissions
  • Business Impact Analysis Template: Template for identifying critical systems and recovery priorities
  • Risk Assessment Template: Template for conducting and documenting risk assessments
  • System Architecture Documentation Template: Template for documenting system architecture and boundaries
  • Incident Response Plan Template: Template for developing a comprehensive incident response plan
  • Security Roles & Responsibilities Matrix: Template for defining security responsibilities across the organization
  • Data Flow Diagram Templates: Templates for mapping data flows and identifying control points

Training Materials

  • Security Awareness Training Slides: Comprehensive presentation slides for staff security awareness training
  • NIST 800-171 Overview Video: Video introduction to NIST 800-171 requirements and compliance
  • Security Awareness Quiz: Testing materials to verify security awareness comprehension
  • CUI Handling Training: Training on proper identification, marking, and handling of CUI
  • Phishing Awareness Training: Training materials on recognizing and avoiding phishing attempts
  • Remote Work Security Training: Training on securing remote work environments and practices
  • Security Administrator Training: Comprehensive training materials for system administrators
  • Secure Configuration Training: Training on implementing secure configurations for systems and applications
  • Secure Development Training: Training on secure software development practices
  • Incident Response Training: Training on incident detection, response, and recovery
  • Security Architecture Training: Training on designing secure system architectures
  • Executive Briefing Slides: Presentation explaining NIST 800-171 compliance for executives
  • Compliance ROI Analysis: Analysis of cost/benefit and ROI for security compliance investments
  • Legal and Contractual Obligations: Overview of legal and contractual requirements related to NIST 800-171
  • Cybersecurity Risk Dashboard: Dashboard template for executive-level risk reporting

Industry Best Practices

lightbulb

NIST 800-171 Implementation Case Studies

Real-world case studies of successful NIST 800-171 implementations

trending_up

Cost-Effective Implementation Strategies

Strategies for implementing NIST 800-171 within budget constraints

compare_arrows

NIST 800-171 and ISO 27001 Integration

Guidance on integrating NIST 800-171 with ISO 27001 implementation

psychology

Building a Security-Aware Culture

Strategies for fostering a security-minded organizational culture

Security Tool Selection Guide

Guidance on selecting security tools to meet NIST 800-171 requirements

Compliance Program Maturity Model

Framework for assessing and improving your compliance program maturity

Assessment Resources

NIST 800-171 Assessment Methodology

Comprehensive methodology for assessing NIST 800-171 compliance

Self-Assessment Checklist

Detailed checklist for conducting a NIST 800-171 self-assessment

Evidence Collection Guide

Guide for collecting and organizing compliance evidence

Vulnerability Assessment Tools

Tools and guidance for conducting vulnerability assessments

Gap Analysis Templates

Templates for conducting and documenting NIST 800-171 gap analysis

Security Controls Testing Guide

Guide for testing the effectiveness of implemented security controls

Assessment Scoping Tool

Tool for determining assessment scope and boundaries

Glossary of Terms

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls according to applicable laws, regulations, and government-wide policies, but is not classified information.

CMMC (Cybersecurity Maturity Model Certification)

A certification program developed by the Department of Defense to measure a defense contractor's ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

DFARS (Defense Federal Acquisition Regulation Supplement)

A supplement to the Federal Acquisition Regulation (FAR) that provides DoD-specific acquisition regulations. DFARS 252.204-7012 specifically mandates NIST 800-171 compliance for defense contractors.

FCI (Federal Contract Information)

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

FIPS (Federal Information Processing Standards)

Publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.

Plan of Action and Milestones (POA&M)

A document that identifies tasks needing to be accomplished to address security gaps. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and scheduled completion dates.

System Security Plan (SSP)

A document that provides an overview of the security requirements for an information system and describes the controls in place or planned to meet those requirements.

Security Control

The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

Security Control Assessment

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.

Security Domain

A set of systems and applications that are subject to a common security policy and administered by the same entity.

Least Privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations needed to perform its function.

Multi-factor Authentication (MFA)

An authentication method that requires the user to provide two or more verification factors to gain access to a resource.

Non-repudiation

Assurance that a party cannot deny the validity of an action it took; for example, the sender of a message cannot deny having sent it.

Vulnerability

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Security Impact Analysis

The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

Zebari Group IT Services

If you need additional assistance with your NIST 800-171 compliance efforts, the following consultants and organizations specialize in security compliance services:

Zebari Group IT Services

Specialties: Security Assessments, Implementation Services

Comprehensive NIST 800-171 assessment and implementation services for organizations of all sizes.

Frequently Asked Questions

What is NIST 800-171?

NIST Special Publication 800-171 is a set of security requirements designed to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations. These requirements apply to any organization that processes, stores, or transmits CUI through their information systems on behalf of the federal government.

How do I know if my organization needs to comply with NIST 800-171?

Your organization needs to comply with NIST 800-171 if it has contracts with federal agencies that involve handling Controlled Unclassified Information (CUI). This includes defense contractors (subject to DFARS 252.204-7012), as well as contractors with other federal agencies that include NIST 800-171 as a requirement in their contracts.

What is the difference between a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M)?

A System Security Plan (SSP) documents how your organization implements the security requirements and controls. It describes your system environment, security controls, and procedures in place.

A Plan of Action & Milestones (POA&M) documents instances where you are not yet fully compliant with requirements. It outlines your plan for achieving full compliance, including specific tasks, responsibilities, resources needed, and completion dates.

How often should we review our NIST 800-171 compliance?

NIST recommends continuous monitoring of security controls with formal assessments conducted at least annually. Additionally, you should review your compliance whenever there are significant changes to your systems, organizational structure, or when new threats emerge.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls according to applicable laws, regulations, and government-wide policies, but is not classified information. Examples include technical drawings, contract information, research data, privacy information, and proprietary business information.

Do I need to implement all 110 security requirements?

Organizations are expected to implement all applicable security requirements. However, some requirements may not be applicable to your specific environment. In such cases, you must document the rationale for why a requirement is not applicable in your System Security Plan (SSP).

What is the relationship between NIST 800-171 and CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is built upon NIST 800-171 requirements but adds a maturity model approach and third-party certification requirement. CMMC Level 2 closely aligns with NIST 800-171, while higher levels add additional requirements beyond those in NIST 800-171.

Can I outsource my NIST 800-171 compliance efforts?

While you can engage consultants to assist with assessment, documentation, and implementation, the ultimate responsibility for compliance remains with your organization. Outsourcing specific IT functions doesn't transfer compliance responsibility. Your organization must maintain oversight and ensure all requirements are met, regardless of who performs the technical implementation.

How do I determine the scope of my NIST 800-171 compliance efforts?

The scope should include all systems and environments that process, store, or transmit CUI. This may involve network segments, specific systems, or entire environments depending on how CUI flows through your organization. Proper scoping is critical to managing compliance effectively without unnecessarily expanding the compliance boundary.

What are the penalties for non-compliance with NIST 800-171?

Non-compliance can result in contract termination, financial penalties, loss of future contract opportunities, and potential legal action. For DoD contractors, non-compliance with DFARS 252.204-7012 (which mandates NIST 800-171) can be treated as a breach of contract. Additionally, misrepresenting compliance status could potentially lead to False Claims Act violations.
