
Best NIST SP 800-171 Compliance Tools & Solutions

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Required for DoD contractors and the defense industrial base.


NIST SP 800-171 Controls & Requirements

110 controls across 14 families

Access Control (22)
3.1.1 Limit system access to authorized users
3.1.2 Limit system access to authorized functions
3.1.3 Control the flow of CUI
3.1.4 Separate duties of individuals
3.1.5 Employ the principle of least privilege
3.1.6 Use non-privileged accounts for non-security functions
3.1.7 Prevent non-privileged users from executing privileged functions
3.1.8 Limit unsuccessful logon attempts
3.1.9 Provide privacy and security notices at logon
3.1.10 Use session lock with pattern-hiding displays
3.1.11 Terminate user sessions after defined conditions
3.1.12 Monitor and control remote access sessions
3.1.13 Employ cryptographic mechanisms for remote access
3.1.14 Route remote access via managed access control points
3.1.15 Authorize remote execution of privileged commands
3.1.16 Authorize wireless access prior to connection
3.1.17 Protect wireless access using authentication and encryption
3.1.18 Control connection of mobile devices
3.1.19 Encrypt CUI on mobile devices
3.1.20 Verify and control connections to external systems
3.1.21 Limit use of portable storage devices on external systems
3.1.22 Control CUI posted on publicly accessible systems

Awareness & Training (3)
3.2.1 Ensure personnel are aware of security risks
3.2.2 Ensure personnel are trained to carry out duties
3.2.3 Provide security awareness training on threats

Audit & Accountability (9)
3.3.1 Create and retain system audit logs
3.3.2 Ensure actions can be traced to individual users
3.3.3 Review and update logged events
3.3.4 Alert on audit logging process failure
3.3.5 Correlate audit review and reporting processes
3.3.6 Provide audit record reduction and report generation
3.3.7 Provide capability to compare and synchronize clocks
3.3.8 Protect audit information from unauthorized access
3.3.9 Limit management of audit logging to authorized individuals

Configuration Management (9)
3.4.1 Establish and maintain baseline configurations
3.4.2 Establish and enforce security configuration settings
3.4.3 Track, review, and approve changes to systems
3.4.4 Analyze security impact of changes
3.4.5 Define and enforce access restrictions for changes
3.4.6 Employ the principle of least functionality
3.4.7 Restrict, disable, or prevent use of nonessential programs
3.4.8 Apply deny-by-exception policy for unauthorized software
3.4.9 Control and monitor user-installed software

Identification & Authentication (11)
3.5.1 Identify system users and processes
3.5.2 Authenticate identities of users and devices
3.5.3 Use multifactor authentication
3.5.4 Employ replay-resistant authentication
3.5.5 Prevent reuse of identifiers
3.5.6 Disable identifiers after inactivity period
3.5.7 Enforce minimum password complexity
3.5.8 Prohibit password reuse
3.5.9 Allow temporary password use with immediate change
3.5.10 Store and transmit only cryptographically protected passwords
3.5.11 Obscure feedback of authentication information

Incident Response (3)
3.6.1 Establish operational incident-handling capability
3.6.2 Track, document, and report incidents
3.6.3 Test organizational incident response capability

Maintenance (6)
3.7.1 Perform maintenance on organizational systems
3.7.2 Provide controls on maintenance tools
3.7.3 Ensure offsite equipment is sanitized
3.7.4 Check media for malicious code before use
3.7.5 Require MFA for nonlocal maintenance sessions
3.7.6 Supervise maintenance activities of non-cleared personnel

Media Protection (9)
3.8.1 Protect system media containing CUI
3.8.2 Limit access to CUI on system media
3.8.3 Sanitize or destroy media before disposal
3.8.4 Mark media with CUI markings
3.8.5 Control access to media and maintain accountability
3.8.6 Encrypt CUI on portable media
3.8.7 Control use of removable media
3.8.8 Prohibit unidentifiable portable storage devices
3.8.9 Protect confidentiality of backup CUI

Personnel Security (2)
3.9.1 Screen individuals prior to authorizing access
3.9.2 Ensure CUI is protected during personnel actions

Physical Protection (6)
3.10.1 Limit physical access to systems
3.10.2 Protect and monitor physical facility
3.10.3 Escort visitors and monitor visitor activity
3.10.4 Maintain audit logs of physical access
3.10.5 Control and manage physical access devices
3.10.6 Enforce safeguarding at alternate work sites

Risk Assessment (3)
3.11.1 Periodically assess risk to operations
3.11.2 Scan for vulnerabilities periodically
3.11.3 Remediate vulnerabilities per risk assessments

Security Assessment (4)
3.12.1 Periodically assess security controls
3.12.2 Develop and implement plans of action
3.12.3 Monitor security controls on an ongoing basis
3.12.4 Develop and update system security plans

System & Communications Protection (16)
3.13.1 Monitor communications at external boundaries
3.13.2 Employ architectural designs for effective security
3.13.3 Separate user and system management functionality
3.13.4 Prevent unauthorized information transfer
3.13.5 Implement subnetworks for public-facing components
3.13.6 Deny network traffic by default, allow by exception
3.13.7 Prevent split tunneling for remote devices
3.13.8 Implement cryptographic mechanisms for CUI in transit
3.13.9 Terminate network connections at end of sessions
3.13.10 Establish and manage cryptographic keys
3.13.11 Employ FIPS-validated cryptography for CUI
3.13.12 Prohibit remote activation of collaborative computing
3.13.13 Control and monitor use of mobile code
3.13.14 Control and monitor use of VoIP
3.13.15 Protect authenticity of communication sessions
3.13.16 Protect CUI at rest

System & Information Integrity (7)
3.14.1 Identify, report, and correct system flaws
3.14.2 Provide malicious code protection
3.14.3 Monitor security alerts and advisories
3.14.4 Update malicious code protection mechanisms
3.14.5 Perform periodic and real-time scans
3.14.6 Monitor inbound and outbound traffic
3.14.7 Identify unauthorized use of systems