AC.L2-3.1.20[b] – Examine access control policies and procedures to determine if the use of portable storage devices with no identifiable owner is prohibited.
This objective ensures that your access control policies and procedures clearly prohibit the use of any portable storage device that has no identifiable owner or cannot be attributed to an approved user, particularly in systems handling Controlled Unclassified Information (CUI).
AC.L2-3.1.22[c] – Examine system configurations to verify that system use notification messages are displayed before granting access to the system.
This objective ensures that your systems are technically configured to display a system use notification—such as a login banner or access warning—before users can access any system that processes or stores Controlled Unclassified Information (CUI).
AC.L2-3.1.21[a] – Identify publicly accessible systems.
This objective requires your organization to identify all systems that are accessible from the public internet or other unrestricted external networks, especially those that may interface directly or indirectly with systems handling Controlled Unclassified Information (CUI).
AC.L2-3.1.18[b] – Examine access control policies and procedures to determine if requirements for mobile device access are defined.
This objective requires your organization’s access control policy and procedures to explicitly define the requirements for using mobile devices to access, store, or transmit Controlled Unclassified Information (CUI).
AC.L2-3.1.22[b] – Examine access control policies and procedures to determine if policies and procedures require system use notification messages.
This objective ensures that your access control policies and procedures explicitly require system use notifications—messages that inform users of authorized use expectations and monitoring—before access is granted to systems handling Controlled Unclassified Information (CUI).
AC.L2-3.1.16[b] – Examine system configurations to verify that remote access to systems containing CUI is allowed only for authorized users.
This objective confirms that your system settings enforce the remote access conditions defined in your access control policies. It requires technical proof that only authorized users can remotely access systems containing Controlled Unclassified Information (CUI).
AC.L2-3.1.18[c] – Examine system configurations to verify that mobile devices are authorized prior to use.
This objective ensures that technical controls are in place to verify that only authorized mobile devices are allowed to access systems containing Controlled Unclassified Information (CUI). Authorization must occur before the device is granted access.
AC.L2-3.1.19[b] – Examine access control policies and procedures to determine if the use of portable storage devices requires authorization.
This objective requires your organization’s access control policies and procedures to clearly state that use of portable storage devices for storing, processing, or transmitting CUI must be explicitly authorized.
AC.L2-3.1.18[a] – Identify mobile devices that store, process, or transmit CUI.
This objective requires organizations to identify all mobile devices—including laptops, tablets, smartphones, and removable storage—that are used to store, process, or transmit Controlled Unclassified Information (CUI). The goal is to create and maintain a complete, up-to-date inventory of mobile endpoints that interact with CUI.
AC.L2-3.1.20[f] – Examine portable storage device authorization records to verify that ownership is identified.
This objective ensures your organization maintains documented records of portable storage device authorizations and that those records include ownership information—clearly linking each device to a specific user, role, or department.