1. Access Control—limits system access to authorized users.
2. Awareness and Training—provides awareness of the security risks associated with users' activities, trains them on applicable policies, standards and procedures, and makes sure they are trained appropriately to carry out their duties.
3. Audit and Accountability—creation, protection, retention, and review of system logs.
4. Configuration Management—creation of baseline configurations and use of robust change management processes.
5. Identification and Authentication—identifying and authenticating the information system users and devices.
6. Incident Response—developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
7. Personnel Security—screening individuals prior to authorizing their access to information systems and ensuring such systems remain secure upon the termination or transfer of individuals.
8. Risk Assessment—assessing the operational risk associated with processing, storage, and transmission of CUI.
9. Security Assessment—assessing, monitoring and correcting deficiencies and reducing or eliminating vulnerabilities in organizational information systems.
10. System and Communications Protection—monitor, control and protect data at the boundaries of the system, and employ architectural designs, software development techniques and system engineering principles that promote effective information security.