🔐
AC.L2-3.1.x
Access Control
CUI access limits, least privilege, MFA, and session management (AC.L2-3.1.x).
Q1 · Domain 1
CUI access is limited to authorized users, processes, and devices?
Q2 · Domain 1
Least privilege is enforced — users have only the access required for their role?
Q3 · Domain 1
Remote access to CUI systems is controlled and monitored?
Q4 · Domain 1
Multi-factor authentication (MFA) is deployed for privileged and remote access?
Q5 · Domain 1
Automatic session lock is configured after inactivity on all CUI-handling systems?
🚨
IR.L2-3.6.x
Incident Response
IR plan, incident handling, reporting, and lessons-learned process (IR.L2-3.6.x).
Q1 · Domain 2
An Incident Response (IR) plan is documented and formally tested at least annually?
Q2 · Domain 2
Workforce is trained on incident handling procedures and escalation paths?
Q3 · Domain 2
Incident reporting contacts (CISA, DoD) are maintained and tested?
Q4 · Domain 2
A lessons-learned process exists and findings are incorporated into policy updates?
Q5 · Domain 2
Digital evidence preservation procedures are defined for DoD-related incidents?
🔍
RA.L2-3.11.x
Risk Assessment
Vulnerability scanning, risk assessments, threat feeds, and supply chain risk (RA.L2-3.11.x).
Q1 · Domain 3
Vulnerability scans are performed at least quarterly on all CUI systems?
Q2 · Domain 3
Risk assessments covering the full CUI scope are formally documented?
Q3 · Domain 3
Government threat intelligence feeds (CISA KEV) are integrated into vulnerability management?
Q4 · Domain 3
A remediation prioritization process based on risk severity is in place?
Q5 · Domain 3
Supply chain risk from subcontractors with CUI access is assessed?
🛡️
SC.L2-3.13.x
System & Comms Protection
Network segmentation, CUI encryption, boundary protection, and DNS filtering (SC.L2-3.13.x).
Q1 · Domain 4
Network segmentation isolates CUI systems from general corporate networks?
Q2 · Domain 4
CUI is encrypted in transit (TLS 1.2+) and at rest (AES-256)?
Q3 · Domain 4
Boundary protection controls (firewalls, DMZ) are in place for CUI systems?
Q4 · Domain 4
DNS filtering is deployed to block malicious destinations for CUI system traffic?
Q5 · Domain 4
VPN with MFA is required for all remote access to CUI environments?
⚙️
CM.L2-3.4.x
Configuration Management
Baseline configs, change control, software restriction, and security impact analysis (CM.L2-3.4.x).
Q1 · Domain 5
Baseline security configurations are established for all CUI system types?
Q2 · Domain 5
A formal change management process with security impact analysis is documented?
Q3 · Domain 5
Unauthorized software is prevented from executing on CUI systems?
Q4 · Domain 5
Security impact analysis is performed for all changes to CUI systems before deployment?
Q5 · Domain 5
Configuration patch cadence and patch compliance tracking are formally defined?