CMMC Level 2 Requirements Guide

14 Core Security Domains


Each domain contains a number of requirements (practices). Some of the key requirements are:




1. Access Control (22 Practices)


Grant access only to those who genuinely need it. Multi-Factor Authentication (MFA) is mandatory here.





2. Incident Response (3 Practices)


In the event of a cyber attack, there should be a plan for acting quickly, the plan should be tested, and the incident should be reported to the DoD.





3. Configuration Management (9 Practices)


Create "baseline configurations" for your hardware and software, and protect them from unauthorized changes.





4. Identification and Authentication (11 Practices)


Every user should have a unique ID, and password complexity rules should be enforced.




Level 2 Compliance Checklist































| Requirement Area | Core Practice | Action Needed |
|---|---|---|
| Data Encryption | FIPS 140-2 Validated | Encrypt CUI data at rest and in motion. |
| MFA | Multi-Factor Auth | Apply MFA to all remote access and every privileged account. |
| Physical Security | Access Monitoring | Log physical entry to servers and offices. |
| Awareness Training | Staff Education | Train employees on phishing and social engineering. |


⚖️ Assessment Requirement


Level 2 requirements are assessed in two ways:



  • Annual Self-Assessment: Every year the contractor must audit itself and submit the score to SPRS.

  • Triennial C3PAO Audit: Every 3 years a certified organization conducts a physical and technical audit of your organization.






Are you starting your Level 2 preparation?

I can tell you how to prepare a System Security Plan (SSP) for Level 2. Would you like to know more?