Requirements-based documents that define mandatory controls for people and systems.

• Account Management Standard — Requirements for the central identity system and for directory account/group management
• Device Threat Protection Standard — Requirements to install, enable, and configure Defender threat protection (anti-virus)
• Endpoint Device Encryption Standard — Requirements to encrypt endpoint devices and escrow decryption keys
• Endpoint Local Administrator Standard — Requirements to limit endpoint administrator privileges and securely manage endpoint administrator accounts
• Internet-Accessible Device Standard — Requirements for systems available from the Internet
• LISTSERV List Minimum Security Configuration Standard — Requirements to secure the LISTSERV system(s)
• M365 Email Security Standard — Requirements for the central M365 email system
• Patch Management Standard — Requirements for monitoring, deploying, and validating patches
• Remote Access Standard — Requirements for remotely accessing systems from untrusted networks
• Remote Work Minimum Information Security Standards — Requirements for employees working under a remote work agreement and the 3.1.31 policy.
• Specialized Use Device Standard — Requirements for specialty systems not able to wholly comply with other ISO standards
• Vulnerability Management Standard — Requirements for vulnerability and risk management