There are fourteen families of security requirements that must be met in order to protect the confidentiality of CUI in nonfederal information:
Access Control Audit and Accountability Awareness and Training Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Physical Protection Personnel Security Risk Assessment Security Assessment System and Communications Protection System and Information Integrity
