Access Control

Does the company have an authentication mechanism?

Does the company require users to log in to gain access?

Are account requests authorized before system access is granted?

Do you use access control lists to limit access to applications and data based on role and/or identity?

Do you have architectural solutions to control the flow of system data? (e.g., firewalls, proxies, encryption, and other security technologies)

Is there a division of responsibilities and separation of duties of individuals to eliminate conflicts of interest?

Do you only grant enough privileges to users to allow them to do their job?

Do users with multiple accounts (privileged and non-privileged) log on with the least-privileged account when not performing privileged functions?

Do you prevent the execution of privileged functions by non-privileged users?
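The three questions above (role-based access control, separation of duties, and keeping privileged functions away from non-privileged sessions) can be checked in code rather than by policy alone. The following is an added example, not part of the original checklist: a small deny-by-default role-to-permission map, a separation-of-duties check over role combinations, and a decorator that refuses a privileged function unless the caller is acting from the privileged account. All role names, permission strings and the `elevated` flag are hypothetical values constructed for this illustration.

```python
"""Deny-by-default RBAC with separation of duties and privileged-function gating.
Added example; roles, permissions and subjects below are constructed, not real."""
from functools import wraps

# Hypothetical role -> permission map. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst":   {"report:read"},
    "requester": {"access-request:create"},
    "approver":  {"access-request:approve"},
    "admin":     {"report:read", "user:create", "software:install"},
}

# Permissions that may only be exercised from a privileged (elevated) logon.
PRIVILEGED = {"user:create", "software:install"}

# Permission pairs one individual must never hold at the same time
# (separation of duties: the person who requests access must not approve it).
CONFLICTING = [("access-request:create", "access-request:approve")]


class AccessDenied(Exception):
    pass


def permissions_for(roles):
    """Union of permissions for the given roles; an unknown role grants nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(roles):
    """Return the conflicting permission pairs that this role set would combine."""
    perms = permissions_for(roles)
    return [pair for pair in CONFLICTING if pair[0] in perms and pair[1] in perms]


def require(permission):
    """Decorator: deny unless the subject holds `permission`; privileged
    permissions additionally require the subject to be using its elevated account."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(subject, *args, **kwargs):
            # subject is a dict: {"user": str, "roles": [..], "elevated": bool}
            if permission not in permissions_for(subject.get("roles", [])):
                raise AccessDenied(f"{subject.get('user')} lacks {permission}")
            if permission in PRIVILEGED and not subject.get("elevated", False):
                raise AccessDenied("privileged function requires the privileged account")
            return fn(subject, *args, **kwargs)
        return wrapper
    return decorator


@require("report:read")
def read_report(subject, name):
    return f"report {name}"


@require("software:install")
def install_package(subject, pkg):
    return f"installed {pkg}"


if __name__ == "__main__":
    # Constructed subjects: an analyst, and an admin using a non-privileged logon.
    bob = {"user": "bob", "roles": ["analyst"], "elevated": False}
    ann_daily = {"user": "ann", "roles": ["admin"], "elevated": False}
    print(read_report(bob, "q1"))
    try:
        install_package(ann_daily, "editor")
    except AccessDenied as e:
        print("denied:", e)
    print(install_package(dict(ann_daily, elevated=True), "editor"))
    print(sod_violations(["requester", "approver"]))
```

The map is deny-by-default: a role that is not in `ROLE_PERMISSIONS` yields an empty permission set, and `sod_violations` is the check to run whenever roles are assigned, not only at authorization time.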

Is the system configured to lock the login mechanism for a predetermined time after a predetermined number of invalid login attempts?

Is the system configured to end a user session after a predetermined period based on duration and/or inactivity of session?
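The two questions above describe concrete mechanisms: a lockout after a fixed number of consecutive failed logins, and session expiry on both absolute age and idle time. The following is an added example, not code from the original checklist, showing one way to implement both in a single authentication service. The thresholds (5 failures, 15-minute lockout, 8-hour session cap, 15-minute idle limit) and the account data are hypothetical values chosen for the illustration; time is passed in explicitly so the behaviour can be exercised without waiting.

```python
"""Account lockout and session expiry. Added example; policy values are hypothetical."""
from dataclasses import dataclass

MAX_FAILED = 5                  # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60       # predetermined lockout period
SESSION_MAX_SECONDS = 8 * 3600  # absolute session lifetime
SESSION_IDLE_SECONDS = 15 * 60  # inactivity limit


@dataclass
class Account:
    username: str
    password: str   # plaintext only to keep this example short; store a salted
                    # hash in practice (see Identification and Authentication)
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    created_at: float
    last_activity: float


class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}
        self._next_id = 0

    def login(self, username, password, now):
        """Return a session id on success, else None. Every failure path returns
        the same value so the caller cannot distinguish unknown user, wrong
        password, or locked account."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if now < acct.locked_until:
            return None  # locked: reject without evaluating the password
        if password != acct.password:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0  # success resets the counter
        self._next_id += 1
        sid = f"s{self._next_id}"
        self.sessions[sid] = Session(username, now, now)
        return sid

    def is_locked(self, username, now):
        acct = self.accounts.get(username)
        return acct is not None and now < acct.locked_until

    def touch(self, sid, now):
        """Validate a session on each request. Returns the username, or None
        after removing a session that exceeded its absolute or idle limit."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if (now - s.created_at > SESSION_MAX_SECONDS
                or now - s.last_activity > SESSION_IDLE_SECONDS):
            del self.sessions[sid]
            return None
        s.last_activity = now
        return s.username


if __name__ == "__main__":
    svc = AuthService([Account("alice", "correct horse battery")])  # constructed account
    t = 1_700_000_000.0
    for _ in range(MAX_FAILED):
        svc.login("alice", "wrong", t)
    print("locked:", svc.is_locked("alice", t))
    sid = svc.login("alice", "correct horse battery", t + LOCKOUT_SECONDS + 1)
    print("session after lockout expires:", sid)
```

Note the caveat a lockout brings: an attacker who knows a username can lock the legitimate user out at will, so in practice the lockout is usually paired with per-source rate limiting and alerting on the lockout event itself (the Audit and Accountability items below).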

Do you run network and system monitoring applications to monitor remote system access and log accordingly?

Is cryptography used to protect the confidentiality and integrity of remote access sessions?

Does the system route all remote access through a limited number of managed access control points?

Is remote access for privileged actions (such as software installation) only permitted for necessary operational functions?

Is wireless access to the system authorized, monitored and managed?

Is wireless access encrypted according to industry best practices?

Has company management established guidelines for the use of mobile devices?

Does the company encrypt CUI on mobile devices?

Are guidelines and restrictions placed on the use of personally owned or external system access?

Are restrictions imposed on authorized individuals regarding the use of company-controlled removable media on external systems?

Is the proposed content of publicly accessible information reviewed prior to posting?

Awareness and Training

Is basic security awareness training provided to all system users before access to the system is authorized, when required by system changes, and at least annually thereafter?

Do all users, managers, and system administrators receive initial and annual training commensurate with their roles and responsibilities?

Do employees with security-related duties and responsibilities receive initial and annual training on their operational, managerial, and technical roles and responsibilities?

Do users, managers, and system administrators receive annual training on potential indicators and possible precursors of an insider threat?

Does security training include how to communicate employee and management concerns regarding potential indicators of an insider threat?

Audit and Accountability

Does the company create, protect, and retain information system audit records for between 30 days and 1 year (depending on the data source and applicable regulations) to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity?

Can the company uniquely trace and hold accountable users responsible for unauthorized actions?

Does the company review and update audited events annually or in the event of substantial system changes or as needed?

Is there a real-time alert when any defined event occurs?

Will the system alert employees with security responsibilities in the event of an audit processing failure?

Does the company use mechanisms across different repositories to integrate audit review, analysis, correlation, and reporting processes?

Does the system provide an audit reduction and report generation capability?

Does the system use internal system clocks to generate time stamps for audit records?

Does the system protect audit information and audit tools from unauthorized access, modification, and deletion?

Is access to management of audit functionality authorized only to a limited subset of privileged users?

Configuration Management

Are baseline configurations developed, documented, and maintained for each information system type?

Are changes tracked and documented in an approved IT service management system (ITSM) or equivalent tracking service?

Are configuration changes tested, validated, and documented before installing them on the operational system?

Are the personnel authorized to make configuration changes approved and documented by the service owner and IT security?

Does the system employ processing components that have minimal functionality and data storage (e.g., diskless nodes, thin client technologies)?

Are only applications and services that are needed for the function of the system configured and enabled?

Is the information system configured to only allow authorized software to run?

Are user controls in place to prohibit the installation of unauthorized software?

Identification and Authentication

Are company and service accounts managed centrally and deleted automatically when an individual leaves the company?

Do all passwords follow best practice of at least 12 characters, and require a mix of upper and lower case letters, numbers, and special characters?

Is multifactor authentication used for local access to privileged accounts?

Are defined replay-resistant authentication mechanisms used for network access to privileged accounts?

Are account identifiers uniquely assigned to employees, contractors, and subcontractors?

Are user or device identifiers disabled after a period of inactivity (e.g., 30 days)?

Does the company specify a required degree of password complexity (e.g., a minimum of 12 characters with a mix of upper- and lower-case letters, numbers, and special characters, including a minimum count for each type)?

Is password reuse prohibited for a defined number of

Are temporary password activation links sent to validated employees should they require a password reset or change?

Does the company follow the best practice of “salting” hashed passwords?

Do the authentication mechanisms obscure feedback of authentication information during the authentication process?
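Several of the questions above (minimum length and character mix, salting of hashed passwords, and obscured feedback during authentication) can be demonstrated together. The following is an added example, not code from the original checklist: passwords are stored as PBKDF2-HMAC-SHA256 with a per-user random salt, verified with a constant-time comparison, and the login routine returns the same generic result whether the username is unknown or the password is wrong. The record format, the iteration count and the length-12 policy check are hypothetical choices made for this illustration.

```python
"""Salted password hashing, policy check and obscured-feedback login.
Added example; record format and parameters are hypothetical."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2 work factor (hypothetical; tune to your hardware)
MIN_LENGTH = 12


def password_meets_policy(pw):
    """The checklist's stated policy: >= 12 chars with lower, upper, digit and special."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def hash_password(pw, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    if salt is None:
        salt = secrets.token_bytes(16)   # per-user random salt: equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, bytes.fromhex(hash_hex))


# A dummy record so that an unknown username costs the same PBKDF2 work as a
# wrong password; otherwise response time leaks which usernames exist.
_DUMMY_RECORD = hash_password("placeholder-only-not-a-user!Q9")


def authenticate(users, username, pw):
    """users: dict username -> stored record. Returns only True/False; unknown
    user and wrong password are indistinguishable to the caller."""
    stored = users.get(username, _DUMMY_RECORD)
    ok = verify_password(pw, stored)
    return ok and username in users


if __name__ == "__main__":
    # Constructed user store for the demo.
    users = {"alice": hash_password("Tr0ub4dor&3-extra")}
    print(authenticate(users, "alice", "Tr0ub4dor&3-extra"))   # True
    print(authenticate(users, "alice", "wrong"))               # False
    print(authenticate(users, "mallory", "Tr0ub4dor&3-extra")) # False, same path cost
```

Two practitioner notes: the composition rule (`password_meets_policy`) reflects the checklist as written, but current NIST SP 800-63B guidance favours length plus screening against breached-password lists over mandatory character classes, so check which regime your assessor expects; and the dummy-record trick only equalizes timing, so the HTTP or UI layer must also return the same message and status for both failure cases.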

Incident Response

Is there a company incident response policy which specifically outlines requirements for handling of incidents involving CUI?

Is there a company incident response policy which specifically outlines requirements for tracking and reporting of incidents involving CUI to appropriate officials?

Does the company test its incident response capabilities?

Maintenance

Does the company perform maintenance on the information system?

Are controls in place that limit the tools, techniques, mechanisms, and employees used to maintain information systems, devices, and supporting systems?

Are media that are removed from the premises for maintenance, repair, or disposal sanitized per the company’s media sanitization policies?

Are media that are provided by authorized maintenance personnel (and not normal systems administrators/owners) for troubleshooting, diagnostics, or other maintenance run through an anti-virus/anti-malware/anti-spyware program prior to use in the company’s information system?

Does the system require multifactor authentication to establish nonlocal (remote) maintenance sessions?

Are all activities of maintenance personnel (who do not normally have access to a system) monitored?

Media Protection

Have responsible parties for data in these systems documented and ensured proper authorization controls for data in media and print?

Does the company limit CUI media access to authorized users?

Is system digital and non-digital media sanitized before disposal or release for reuse?

Are all CUI systems identified with an asset control identifier, for example, does each company laptop have an asset id tag with a unique number?

Are all CUI data on media encrypted or physically locked prior to transport outside of the company’s secure locations?

Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas?

Is the use of writable, removable media restricted on the system?

Do all portable storage devices have identifiable owners?

Are data backups encrypted on media before removal from the company’s secured facility?

Personnel Security

Are individuals requiring access screened before access is granted?

Does the company disable information system access prior to employee termination or transfer?

Physical Protection

Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (including guards, locks, cameras, card readers, etc.) to limit physical access to the area to only authorized employees?

Is physical access monitored to detect and respond to physical security incidents?

Are visitors escorted and monitored as required in security policies and procedures?

Are logs of physical access to sensitive areas maintained per retention policies? (This includes authorized access as well as visitor access.)

Are physical access devices (such as card readers, proximity readers, and locks) maintained and operated per the manufacturer recommendations?

Do all alternate sites where CUI data is stored meet the same physical security requirements as the main site?

Risk Assessment

Does the company have a risk management policy?

Have initial and periodic risk assessments been conducted?

Are changes in use or infrastructure documented and assessed?

Are systems periodically scanned for common and new vulnerabilities?

Do system owners and company managers upon recognition of any vulnerability provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk?

Security Assessment

Has a periodic (e.g., annual) security assessment been conducted to ensure that security controls are implemented correctly and meet the security requirements?

Does the assessment scope include all information systems and networks, including all security requirements and procedures necessary to meet the compliance requirements of the environment?

Does the assessment include, but is not limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and talking with company employees?

Is the assessment conducted by an independent security auditor/consultant?

Is a final written assessment report and findings provided to company management after the assessment?

Is there an action plan to remediate identified weaknesses or deficiencies?

Are continuous monitoring reports and alerts reviewed frequently (e.g., daily)?

Is the system security plan reviewed and approved by company management prior to plan implementation?

Does the company update the system security plan to address changes to the system, environment of operation or problems identified during plan implementation or security assessments?

Systems and Communications Protection

Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system?

Are the company’s information security policies (including architectural design, software development, and system engineering principles) designed to promote information security?

Are physical or logical controls used to separate user functionality from system management-related functionality (e.g., to ensure that administration [e.g., privilege] options are not available to general users)?

Does the system prevent unauthorized or unintended information transfer via shared system resources, e.g., register, main memory, secondary storage?

Does the company implement DMZs?

Does the system deny network traffic by default and allow network traffic by exception?

Are controls in place to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions?

Are cryptographic mechanisms used to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures?

Are processes and automated mechanisms used to provide key management within the information system?

Do communication cryptographic mechanisms comply with applicable policies, standards, and guidance?

Have collaborative computing devices (e.g., cameras, microphones, etc.) been configured so they cannot be remotely activated?

Are there defined limits on mobile code usage and established usage restrictions that specifically authorize the use of mobile code (e.g., Java, JavaScript, ActiveX, PDF, Flash, Shockwave, PostScript, VBScript, etc.) within the information system?

Is the use of VoIP authorized, and monitored?

Does the system provide mechanisms to protect the authenticity of device-to-device communications sessions?

Are there controls used to protect CUI while stored in company information systems?

System and Information Integrity

Are system flaws identified, reported, and corrected within company-defined time periods?

Does the company employ malicious code protection mechanisms at system entry and exit points to minimize the presence of malicious code? (System entry and exit points may include firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices.)

Does the company receive security alerts, advisories, and directives from reputable external organizations?

Does the company update information system protection mechanisms (e.g., anti-virus signatures) within 5 days of new releases?

Does the company perform periodic scans of the information system for malware?

Are scans performed within the timeframe specified in policy or within the system security plan?

Does the company monitor the information system to detect attacks and indicators of potential attacks, as well as unauthorized local, network, and remote connections?

Is unauthorized use of the system identified (e.g., log monitoring)?

Name & Signature of Assigned IT Specialist
Name & Signature of Contractor
Please note that this checklist is a hypothetical example and provides basic information only. It is not intended to take the place of, among other things, workplace, health and safety advice; medical advice, diagnosis, or treatment; or other applicable laws. You should also seek your own professional advice to determine if the use of such checklist is permissible in your workplace or jurisdiction.