Family 3.1. 22 requirements. The largest family.
Access Control.
Who gets in. What they can do. How remote and mobile work.
The big picture
If you nail Access Control, you've handled the biggest family in the standard. If you don't, the assessor will find most of their findings here.
How many of these 22 your cloud platform contributes to varies — see what your cloud handles vs what you own for the per-platform breakdown.
Who and what.
3.1.1 — 3.1.7: Who has access, what they can do, least privilege, separation of duties, and logging admin work.
- 3.1.1 Who Gets In. Only approved people and devices touch your systems. No exceptions.
- 3.1.2 What They Can Do. Users only do what their role allows. Nothing more.
- 3.1.3 Where CUI Can Flow. CUI only moves between approved systems. Everything else is blocked.
- 3.1.4 No One Person Runs the Show. Split critical duties so fraud requires two people conspiring.
- 3.1.5 Minimum Necessary. Give people the least access they need. Not a byte more.
- 3.1.6 Two Hats, Two Accounts. Admins use their regular account for everyday work. The admin account is only for admin tasks.
- 3.1.7 Log the Admin Work. Standard users can't run admin commands. When admin commands run, they're logged.
Session controls.
3.1.8 — 3.1.11: Locking out failed logins, login banners, auto-lock, and session termination.
- 3.1.8 Lock After Failed Logins. Three strikes and the account locks. Blocks brute-force attacks.
- 3.1.9 The Warning Banner. Show a legal notice at login. Users acknowledge before they get in.
- 3.1.10 Lock the Screen. Screens lock automatically after inactivity. The lock screen shows nothing sensitive.
- 3.1.11 End the Session. Sessions terminate automatically. Users can't stay logged in forever.
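A worked check for 3.1.8, added here as an example and not part of the original page: it reads sshd-style auth log lines (constructed samples, not real logs), counts failed logons per account inside a time window, treats a successful logon as a reset, and reports which accounts hit the three-strike lockout. The log format, the 15-minute window and the year assumed for syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog style (not real logs).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar 10 08:00:04 host sshd[101]: Failed password for alice from 203.0.113.5 port 50002 ssh2
Mar 10 08:00:09 host sshd[101]: Failed password for alice from 203.0.113.5 port 50003 ssh2
Mar 10 08:00:15 host sshd[102]: Failed password for bob from 198.51.100.7 port 50004 ssh2
Mar 10 08:00:20 host sshd[102]: Accepted password for bob from 198.51.100.7 port 50005 ssh2
Mar 10 08:30:00 host sshd[103]: Failed password for carol from 192.0.2.9 port 50006 ssh2
Mar 10 09:30:00 host sshd[104]: Failed password for carol from 192.0.2.9 port 50007 ssh2
Mar 10 10:30:00 host sshd[105]: Failed password for carol from 192.0.2.9 port 50008 ssh2
"""

# Assumed line shape: "<Mon> <day> <hh:mm:ss> <host> sshd[<pid>]: Failed|Accepted password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; one is assumed so the window arithmetic works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def accounts_to_lock(log_text: str, threshold: int = 3, window_minutes: int = 15) -> dict:
    """Return {user: time_of_lock} for accounts reaching `threshold` failed logons
    within `window_minutes`. A successful logon clears the strike count."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # user -> timestamps of failures still inside the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not a logon event
        user, ts = m["user"], parse_ts(m["ts"])
        if user in locked:
            continue               # already locked; later attempts change nothing
        if m["result"] == "Accepted":
            failures[user].clear() # success resets the count
            continue
        failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
        if len(failures[user]) >= threshold:
            locked[user] = ts      # third strike inside the window: lock
    return locked
```

On the sample, only alice is locked: bob's single failure is cleared by the later success, and carol's three failures are an hour apart, so they never fall inside one 15-minute window.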
Remote access.
3.1.12 — 3.1.15: Monitoring remote connections, encrypting them, routing through managed gateways, controlling remote admin.
- 3.1.12 Eyes on Remote Access. Track who connects remotely, from where, and what they do. Kill sessions if needed.
- 3.1.13 Encrypt Remote Sessions. Every remote connection is encrypted. No exceptions. FIPS-validated.
- 3.1.14 One Front Door. All remote access goes through a managed gateway. No back doors.
- 3.1.15 Admin Commands Over the Wire. Not all admin tasks should be allowed remotely. Define and limit which ones.
Wireless & mobile.
3.1.16 — 3.1.19: Authorising wireless, encrypting it, managing mobile devices, encrypting CUI on portable devices.
- 3.1.16 Wi-Fi Approval First. Devices need approval before connecting to wireless. No open networks.
- 3.1.17 Lock Down the Wi-Fi. Wireless uses strong authentication and FIPS-validated encryption.
- 3.1.18 Mobile Device Control. Every phone and tablet that touches CUI is registered, managed, and monitored.
- 3.1.19 Encrypt CUI on Mobile. Any CUI on a laptop, phone, or tablet is encrypted. Lost device = no data breach.
External & media.
3.1.20 — 3.1.22: Controlling connections to outside systems, USB drives, and keeping CUI off public systems.
- 3.1.20 Control Outside Connections. Every connection between your CUI environment and the outside world is documented and controlled.
- 3.1.21 USB Drives Under Control. Company-owned, encrypted USB drives only. Personal drives blocked.
- 3.1.22 Keep CUI Off Public Systems. CUI never appears on websites, public portals, or anything publicly accessible.