Level 2 Assessment Guide: Difference between revisions

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

[a] authorized users are identified;

[b] processes acting on behalf of authorized users are identified;

[c] devices (and other systems) authorized to connect to the system are identified;

[d] system access is limited to authorized users;

[e] system access is limited to processes acting on behalf of authorized users; and

[f] system access is limited to authorized devices (including other systems).

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

[a] the types of transactions and functions that authorized users are permitted to execute are defined; and

[b] system access is limited to the defined types of transactions and functions for authorized users.

Verify and control/limit connections to and use of external information systems.

[a] connections to external systems are identified;

[b] the use of external systems is identified;

[c] connections to external systems are verified;

[d] the use of external systems is verified;

[e] connections to external systems are controlled/limited; and

[f] the use of external systems is controlled/limited.

Control information posted or processed on publicly accessible information systems.

[a] individuals authorized to post or process information on publicly accessible systems are identified;

[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;

[c] a review process is in place prior to posting of any content to publicly accessible systems;

[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and

[e] mechanisms are in place to remove and address improper posting of FCI.

Control the flow of CUI in accordance with approved authorizations.

[a] information flow control policies are defined;

[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;

[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;

[d] authorizations for controlling the flow of CUI are defined; and

[e] approved authorizations for controlling the flow of CUI are enforced.