Level 2 Assessment Guide

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

[a] authorized users are identified;

[b] processes acting on behalf of authorized users are identified;

[c] devices (and other systems) authorized to connect to the system are identified;

[d] system access is limited to authorized users;

[e] system access is limited to processes acting on behalf of authorized users; and

[f] system access is limited to authorized devices (including other systems).

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

[a] the types of transactions and functions that authorized users are permitted to execute are defined; and

[b] system access is limited to the defined types of transactions and functions for authorized users.

Verify and control/limit connections to and use of external information systems.

[a] connections to external systems are identified;

[b] the use of external systems is identified;

[c] connections to external systems are verified;

[d] the use of external systems is verified;

[e] connections to external systems are controlled/limited; and

[f] the use of external systems is controlled/limited.

Control information posted or processed on publicly accessible information systems.

[a] individuals authorized to post or process information on publicly accessible systems are identified;

[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;

[c] a review process is in place prior to posting of any content to publicly accessible systems;

[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and

[e] mechanisms are in place to remove and address improper posting of FCI.