NIST SP 800-171 Step-by-Step Implementation Guide

Framework: NIST SP 800-171

Comprehensive Implementation Guide for NIST SP 800-171 Revision 2

Ensuring the protection of Controlled Unclassified Information (CUI) is crucial for organizations, especially those contracting with the Department of Defense (DoD). NIST Special Publication (SP) 800-171 provides a framework for safeguarding CUI in non-federal systems. This guide offers a step-by-step approach to implementing NIST SP 800-171 Revision 2 (Rev. 2), tailored for organizations aiming to achieve compliance.

1. Understanding NIST SP 800-171

NIST SP 800-171 outlines security requirements for protecting CUI in non-federal systems. It complements NIST SP 800-53, which provides a broader set of controls for federal systems. Compliance with NIST SP 800-171 is mandated by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, ensuring that defense contractors implement adequate security measures to protect CUI. Additionally, NIST SP 800-171 forms the foundation for the Cybersecurity Maturity Model Certification (CMMC) Level 2, which assesses the implementation of these controls.

NIST SP 800-171 Rev. 2 consists of 110 controls organized into 14 families. Each control has a specific objective, from access control to system integrity, aimed at protecting the confidentiality of CUI. These controls are applicable to any organization that processes, stores, or transmits CUI, making compliance a critical requirement for maintaining a trusted relationship with the DoD.

The document's requirements are tailored to fit into existing commercial infrastructures without significant modification, emphasizing the use of widely adopted practices and technologies. Organizations benefit by establishing or enhancing their security posture, reducing the risk of CUI breaches, and fulfilling contractual obligations with the DoD.

2. Revision 2 vs. Revision 3: Current Status and Transition Timeline

As of May 2026, NIST SP 800-171 Revision 2 remains the standard for compliance under DFARS 252.204-7012 and CMMC Level 2. Although NIST released Revision 3 in May 2024, the DoD issued a class deviation requiring contractors to continue adhering to Revision 2 to allow for a deliberate transition period. Organizations should monitor DoD communications for updates on the adoption timeline for Revision 3.

While Revision 3 introduces additional controls and refinements aimed at enhancing security measures, its standards have yet to be mandated by the DoD. The transition period allows organizations time to gradually implement new controls and understand evolving requirements. Starting early with planning and pilot implementations can better prepare organizations for eventual compliance with Revision 3, aligning with future DoD expectations.

Companies should engage in proactive communication with the DoD and relevant stakeholders to stay abreast of any changes in compliance requirements or deadlines. Building an adaptable compliance program allows for easier adjustments upon the transition to Revision 3.

3. Scoping: Identifying CUI and Defining System Boundaries

Effective implementation begins with accurately identifying CUI within your organization and defining the boundaries of the systems that process, store, or transmit this information. This scoping effort ensures that security resources are allocated efficiently and potential vulnerabilities are addressed thoroughly.

  • Identify CUI: Review contracts and agreements to determine the presence of CUI. The National Archives provides a CUI Registry to assist in identifying CUI categories. Communication with contracting officers and internal stakeholders is essential to accurately identify all CUI.
  • Define System Boundaries: Determine which systems handle CUI and establish clear boundaries. This may involve creating CUI enclaves—segregated environments dedicated to processing CUI—to limit the scope of compliance efforts. Each enclave should have well-defined, documented procedures for data handling, encryption, and access control to ensure compliance.

Defining system boundaries involves mapping data flow within your organization, identifying CUI custodians, and establishing accountability points for data protection. This process often requires collaboration across departments, consultation with IT and cybersecurity professionals, and possibly engaging external consultants for complex environments.

Regular reviews of system boundaries, guided by changes in technology or business processes, ensure ongoing alignment with compliance requirements and organizational objectives.

4. The 14 Control Families

NIST SP 800-171 Rev. 2 organizes security requirements into 14 families. Below is an overview of each family, including the number of controls, key requirements, and practical implementation guidance.

Access Control (AC): 22 controls
  Key requirements:
  • Limit system access to authorized users (3.1.1)
  • Control the flow of CUI within the system (3.1.3)
  Implementation guidance:
  • Implement role-based access controls; grant access according to roles defined by least privilege, so that access rights track job responsibilities closely.
  • Use firewalls to manage data flow and prevent unauthorized access between internal and external networks.
  • Apply network segmentation to isolate systems holding CUI from the broader IT infrastructure.

Awareness and Training (AT): 3 controls
  Key requirements:
  • Provide security awareness training (3.2.1)
  Implementation guidance:
  • Conduct regular training sessions with interactive components such as simulations and quizzes to reinforce learning.
  • Include phishing awareness through simulated phishing exercises, and reward users who report them.
  • Evaluate training effectiveness through surveys and assessments, adjusting content to address known weaknesses or emerging threats.

Audit and Accountability (AU): 9 controls
  Key requirements:
  • Create and retain system audit logs (3.3.1)
  Implementation guidance:
  • Use a centralized logging solution to collect, store, and analyze logs from across the IT environment.
  • Review logs regularly for anomalies and suspicious activity, using automated tools that provide real-time alerting and reporting.
  • Define and implement log retention policies that satisfy regulatory and business continuity requirements.

Configuration Management (CM): 9 controls
  Key requirements:
  • Establish baseline configurations (3.4.1)
  Implementation guidance:
  • Document system configurations and establish change control processes, supported by Configuration Management Database (CMDB) tools.
  • Audit configurations regularly to confirm continued alignment with baselines and to detect unauthorized changes.
  • Use automated configuration management tools to streamline updates and reduce human error.

Identification and Authentication (IA): 11 controls
  Key requirements:
  • Identify and authenticate users (3.5.1)
  Implementation guidance:
  • Implement multi-factor authentication (MFA) for all access points, requiring a verification factor beyond the password.
  • Enforce strong password policies, including complexity requirements and regular expiration intervals.
  • Use biometric authentication for critical systems to raise the barrier against unauthorized access.

Incident Response (IR): 3 controls
  Key requirements:
  • Establish an incident response capability (3.6.1)
  Implementation guidance:
  • Develop and test an incident response plan (IRP) that details the steps for identification, containment, eradication, recovery, and lessons learned.
  • Train staff on incident handling procedures through tabletop exercises and simulated incidents to improve readiness.
  • Engage external incident response teams where needed to augment internal capabilities and provide specialized expertise.

Maintenance (MA): 6 controls
  Key requirements:
  • Perform maintenance on organizational systems (3.7.1)
  Implementation guidance:
  • Schedule regular system maintenance to prevent unexpected downtime and ensure updates are applied in a timely fashion.
  • Record maintenance activities in logs that capture the work performed, the personnel involved, and any issues encountered.
  • Conduct maintenance securely, whether on-premises or remote, using secure channels and access control measures.

Media Protection (MP): 9 controls
  Key requirements:
  • Protect CUI on media (3.8.1)
  Implementation guidance:
  • Encrypt data at rest so that sensitive information remains protected even if physical media is lost or stolen.
  • Implement media sanitization procedures for physical and digital media, following recognized standards for data destruction and reuse.
  • Limit access to physical media containing CUI and monitor its usage and storage closely.

Personnel Security (PS): 2 controls
  Key requirements:
  • Screen individuals prior to system access (3.9.1)
  Implementation guidance:
  • Conduct background checks and continuous monitoring for individuals with access to sensitive information, as part of both hiring and retention processes.
  • Define personnel security policies, aligned with business operations and regulatory requirements, to guide hiring and termination.
  • Provide security-focused onboarding and continuing education to maintain awareness of and compliance with information security standards.

Physical Protection (PE): 6 controls
  Key requirements:
  • Limit physical access to systems (3.10.1)
  Implementation guidance:
  • Implement facility access controls, such as keycards and biometric readers, so that only authorized personnel can enter sensitive areas.
  • Use surveillance systems and audit physical security measures regularly to identify and close gaps.
  • Establish emergency procedures for situations in which physical security may be compromised, ensuring timely response and recovery.

Risk Assessment (RA): 3 controls
  Key requirements:
  • Periodically assess risk (3.11.1)
  Implementation guidance:
  • Conduct regular risk assessments using a standardized methodology to evaluate and prioritize threats and vulnerabilities.
  • Document risk mitigation strategies, updating policies and procedures as needed to address new risks and incorporate best practices.
  • Involve cross-functional teams in risk assessment to build a comprehensive understanding of potential impacts.

Security Assessment (CA): 4 controls
  Key requirements:
  • Develop and update security plans (3.12.1)
  Implementation guidance:
  • Maintain a System Security Plan (SSP) that clearly documents the current state of implemented controls and the plans for improvement.
  • Conduct self-assessments to verify compliance with established controls and identify areas for enhancement.
  • Use self-assessment findings to update security plans, incorporating feedback and addressing identified deficiencies.

System and Communications Protection (SC): 16 controls
  Key requirements:
  • Monitor and control communications (3.13.1)
  Implementation guidance:
  • Implement network segmentation to manage and secure data flows between organizational units and with external partners.
  • Encrypt data in transit using industry-standard protocols to protect information as it moves across networks.
  • Deploy intrusion detection and prevention systems (IDPS) to monitor traffic for suspicious activity and respond to potential breaches.

System and Information Integrity (SI): 7 controls
  Key requirements:
  • Identify and correct system flaws (3.14.1)
  Implementation guidance:
  • Apply patches promptly, following a structured process for testing, deploying, and validating updates to preserve system integrity.
  • Monitor systems for vulnerabilities with automated scanning tools that provide continuous assessment and alerting.
  • Develop a vulnerability management program that prioritizes remediation based on risk assessment and business impact.

5. SPRS Scoring Methodology

The Supplier Performance Risk System (SPRS) requires organizations to self-assess their compliance with NIST SP 800-171 and submit a score. The scoring starts at 110 points, with deductions for each unmet requirement:

  • 5-point deductions: For high-impact controls, such as multi-factor authentication (3.5.3) and FIPS-validated encryption (3.13.11).
  • 3-point deductions: For medium-impact controls.
  • 1-point deductions: For low-impact controls.

Partial implementation of certain controls may result in smaller deductions. For example, implementing multi-factor authentication for remote and privileged users but not all users results in a 3-point deduction instead of 5. Detailed scoring guidance is available in the SPRS NIST SP 800-171 Assessment Methodology.
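To make the arithmetic concrete, the following Python calculator is an added example, not part of this guide or of the DoD methodology. It starts at 110, subtracts each unmet requirement's weight, applies the reduced 3-point deduction only to 3.5.3 and 3.13.11 when they are partially met, and lists the unmet requirements costliest-first, which is the order a POA&M should work through. The WEIGHTS table is a constructed subset for illustration; real weights for all 110 requirements must be taken from the DoD assessment methodology.

```python
"""SPRS score calculator for a NIST SP 800-171 self-assessment (added example).

Scoring follows the rule in section 5: start at 110 and deduct each unmet
requirement's weight (5, 3 or 1 point). Partial credit exists only for the two
requirements the methodology singles out:
  - 3.5.3   MFA for remote and privileged users only -> deduct 3, not 5
  - 3.13.11 encryption in use but not FIPS-validated -> deduct 3, not 5
The WEIGHTS table is a constructed subset for illustration; real weights for all
110 requirements come from the DoD NIST SP 800-171 Assessment Methodology.
"""

MAX_SCORE = 110  # score when every requirement is fully implemented

VALID_STATUSES = {"implemented", "partial", "not_implemented"}

# Constructed subset of requirement weights (illustrative, not authoritative).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # illustrative 1-point requirement
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # illustrative 3-point requirement
    "3.5.1": 5,    # identify and authenticate users
    "3.5.3": 5,    # multi-factor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify and correct system flaws
}

# Reduced deduction when the requirement is only partially met.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id: str, weight: int, status: str) -> int:
    """Points lost for one requirement given its implementation status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    # "partial" on any other requirement earns no credit: it is scored as unmet.
    return weight


def sprs_score(statuses: dict, weights: dict = WEIGHTS) -> int:
    """Return the SPRS score for an assessment.

    statuses maps requirement id -> status. A requirement missing from
    statuses is treated as not implemented: no evidence means no credit,
    which is how an assessor reads an incomplete SSP.
    """
    score = MAX_SCORE
    for req_id, weight in weights.items():
        score -= deduction(req_id, weight, statuses.get(req_id, "not_implemented"))
    return score


def poam_items(statuses: dict, weights: dict = WEIGHTS) -> list:
    """Unmet requirements as (id, status, points lost), costliest first.

    This is the ordering a POA&M should follow: closing the 5-point gaps
    first recovers the most score per unit of remediation effort.
    """
    items = []
    for req_id, weight in weights.items():
        status = statuses.get(req_id, "not_implemented")
        points = deduction(req_id, weight, status)
        if points:
            items.append((req_id, status, points))
    return sorted(items, key=lambda item: (-item[2], item[0]))


# Constructed sample assessment for a contractor midway through remediation.
SAMPLE_ASSESSMENT = {
    "3.1.1": "implemented",
    "3.1.20": "not_implemented",   # -1
    "3.3.1": "implemented",
    "3.3.2": "partial",            # no partial credit here: -3
    "3.5.1": "implemented",
    "3.5.3": "partial",            # MFA for remote/privileged only: -3 instead of -5
    "3.13.11": "partial",          # encryption present but not FIPS-validated: -3
    "3.14.1": "not_implemented",   # -5
}


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))  # 95
    for req_id, status, points in poam_items(SAMPLE_ASSESSMENT):
        print(f"  {req_id:8} {status:16} -{points}")
```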

Effective compliance measurement via SPRS involves conducting thorough assessments with adequate documentation and evidence collection. Organizations must regularly review and update their self-assessment reports to maintain their SPRS scores and reflect improvements in control implementations.

6. System Security Plan (SSP)

An SSP is a comprehensive document detailing how your organization implements the security requirements of NIST SP 800-171. It should include:

  • System boundaries and architecture.
  • Implemented security controls.
  • Roles and responsibilities.
  • Interconnections with other systems.

Templates and further guidance can be found in NIST's SP 800-171A. The SSP should be treated as a living document, regularly updated to reflect the current cybersecurity posture and organizational changes. Regular SSP reviews ensure that all stakeholders are informed and prepared for potential audits or assessments.

7. Plan of Action and Milestones (POA&M)

A POA&M documents identified gaps in compliance, planned remediation actions, timelines, and resource allocations. It is critical for tracking progress toward compliance and understanding the broader context of security activities within the organization.

Regularly updating the POA&M helps stakeholders remain informed about ongoing efforts, priority shifts, and emerging challenges. This proactive management approach enhances coordination and accelerates remediation initiatives, fostering a culture of continuous improvement and diligence in protecting CUI.

8. Step-by-Step Implementation Roadmap

  1. Conduct a Gap Analysis: Compare current practices against NIST SP 800-171 requirements to identify deficiencies. Use a comprehensive checklist to assess each control family, documenting all findings and their potential impact on CUI protection.
  2. Develop an SSP: Document how each requirement is met or planned to be met. This includes detailing the technologies in use, procedural safeguards, and any compensating controls.
  3. Create a POA&M: Outline steps to address identified gaps, assign responsibilities, and set deadlines. Prioritize high-risk areas and allocate resources efficiently to ensure timely compliance.
  4. Implement Controls: Prioritize and apply security controls, starting with high-impact areas. Leverage project management methodologies to guide implementation, ensuring clarity, coordination, and focus.
  5. Train Personnel: Provide security awareness and role-specific training. Utilize diverse training formats such as lectures, workshops, and e-learning modules to accommodate different learning styles.
  6. Monitor and Assess: Continuously monitor systems and conduct periodic self-assessments. Establish Key Performance Indicators (KPIs) to evaluate the effectiveness of security measures and track improvements.
  7. Update Documentation: Regularly revise the SSP and POA&M to reflect current practices and compliance status. Ensure that documentation reflects operational realities, encourages accountability, and supports strategic security objectives.

9. Common Gaps Found in Assessments

Common deficiencies include:

  • Lack of Multi-factor Authentication: Often found due to oversight or technical challenges, MFA is crucial for safeguarding access to sensitive systems.
  • Incomplete or Outdated SSPs: Regular updates and thorough reviews are often lacking, reducing an organization's ability to demonstrate resilience and compliance.
  • Insufficient Audit Logging and Monitoring: Without comprehensive logs and real-time monitoring, organizations are at a disadvantage in detecting and mitigating breaches early.
  • Unpatched System Vulnerabilities: Failure to maintain current patch levels leaves systems susceptible to known exploits.
  • Inadequate Incident Response Plans: Lack of a robust, actionable incident response plan hampers an organization’s ability to effectively manage and learn from security incidents.

10. Tools and Technologies That Help

Implementing NIST SP 800-171 can be facilitated by various tools, such as:

  • Security Information and Event Management (SIEM) Systems: For centralized logging and monitoring, helping to identify trends and potential threats.
  • Vulnerability Scanners: To identify and remediate system weaknesses. Regular vulnerability scans can offer insights into potential attack vectors and prioritize remediation efforts.
  • Configuration Management Tools: To maintain system baselines and manage changes, ensuring a stable and secure IT environment.
  • Identity and Access Management (IAM) Solutions: To enforce access controls and authentication mechanisms; these solutions also streamline identity lifecycle management and strengthen overall security.

By adopting a combination of these tools, organizations can build a robust infrastructure that offers comprehensive protection against a wide range of cybersecurity threats, aligning with NIST SP 800-171 requirements.

11. Relationship to CMMC 2.0 Level 2

CMMC 2.0 Level 2 aligns directly with NIST SP 800-171 Rev. 2, requiring organizations to implement all 110 controls. Achieving compliance with NIST SP 800-171 positions organizations to meet CMMC Level 2 requirements, which is essential for handling CUI in DoD contracts.

CMMC prioritizes the verification of security control implementations, demanding rigorous assessments to certify compliance. Organizations should coordinate with CMMC auditors, addressing both technical and procedural aspects of control implementation.

By adhering to NIST SP 800-171 standards, organizations not only secure their information but also enhance their prospects of obtaining and retaining contracts with defense agencies, ensuring a competitive advantage in the aerospace and defense sector.

By following this guide, organizations can systematically implement NIST SP 800-171 Rev. 2, ensuring the protection of CUI and compliance with DoD requirements.

Compliance Assessment Checklist

48 questions across 14 control domains

Access Control (3.1): 5 questions

Q1 (3.1.1): Do you limit system access to authorized users, processes acting on behalf of authorized users, and devices?
A 'Yes' response indicates that access controls are in place to ensure only authorized entities can access the system. Evidence includes access control policies, user access lists, and system configuration settings.

Q2 (3.1.2): Do you restrict users to only the transactions and functions they are permitted to execute?
A 'Yes' response signifies that role-based access controls are implemented, limiting users to their authorized activities. Evidence includes role definitions, access control matrices, and audit logs.

Q3 (3.1.12): Do you monitor and control remote access sessions?
A 'Yes' response means that remote access is actively monitored and controlled. Evidence includes remote access logs, monitoring reports, and remote access policies.

Q4 (3.1.20): Do you use session lock mechanisms to prevent unauthorized access when users are inactive?
A 'Yes' response indicates that session locks are enforced after a period of inactivity. Evidence includes system configuration settings and session lock policies.

Q5 (3.1.22): Do you control information posted or processed on publicly accessible systems?
A 'Yes' response means that measures are in place to prevent unauthorized information disclosure on public systems. Evidence includes content management policies and review procedures.

Awareness and Training (3.2): 3 questions

Q6 (3.2.1): Do you ensure that all users are aware of the security risks associated with their activities?
A 'Yes' response indicates that security awareness training is provided to all users. Evidence includes training materials, attendance records, and training schedules.

Q7 (3.2.2): Do you provide role-based security training to personnel with significant security responsibilities?
A 'Yes' response signifies that specialized training is given to personnel with security roles. Evidence includes training curricula, completion certificates, and role definitions.

Q8 (3.2.3): Do you ensure that personnel are trained to recognize and report potential security incidents?
A 'Yes' response means that incident reporting training is provided. Evidence includes training records, incident reporting procedures, and communication logs.

Audit and Accountability (3.3): 4 questions

Q9 (3.3.1): Do you create and retain system audit logs to monitor user activity?
A 'Yes' response indicates that audit logs are generated and maintained. Evidence includes audit log configurations, retention policies, and sample logs.

Q10 (3.3.2): Do you ensure that audit logs are protected from unauthorized access, modification, and deletion?
A 'Yes' response signifies that safeguards are in place to protect audit logs. Evidence includes access control settings, integrity checks, and backup procedures.

Q11 (3.3.3): Do you regularly review and analyze audit logs for indications of inappropriate or unusual activity?
A 'Yes' response means that audit logs are periodically reviewed. Evidence includes review schedules, analysis reports, and documented follow-up actions.

Q12 (3.3.4): Do you alert appropriate personnel in the event of audit processing failures?
A 'Yes' response indicates that mechanisms are in place to notify personnel of audit failures. Evidence includes alert configurations, notification logs, and incident response procedures.

Configuration Management (3.4): 4 questions

Q13 (3.4.1): Do you establish and maintain baseline configurations for your systems?
A 'Yes' response signifies that baseline configurations are defined and maintained. Evidence includes configuration management plans, baseline documents, and change logs.

Q14 (3.4.2): Do you enforce security configuration settings for information technology products employed in your systems?
A 'Yes' response means that security configurations are applied and enforced. Evidence includes configuration guides, compliance checklists, and audit results.

Q15 (3.4.3): Do you track, review, approve, and log changes to your systems?
A 'Yes' response indicates that a formal change management process is in place. Evidence includes change requests, approval records, and change logs.

Q16 (3.4.4): Do you analyze the security impact of changes prior to implementation?
A 'Yes' response signifies that security impact analyses are conducted before changes are made. Evidence includes impact analysis reports, risk assessments, and approval records.

Identification and Authentication (3.5): 4 questions

Q17 (3.5.1): Do you identify and authenticate users before granting system access?
A 'Yes' response indicates that user identification and authentication mechanisms are in place. Evidence includes authentication policies, user credentials, and access logs.

Q18 (3.5.2): Do you use multifactor authentication for network access to privileged accounts?
A 'Yes' response signifies that multifactor authentication is required for privileged access. Evidence includes authentication configurations, policy documents, and access logs.

Q19 (3.5.3): Do you enforce password complexity and expiration requirements?
A 'Yes' response means that password policies enforce complexity and expiration. Evidence includes password policy documents, system settings, and compliance reports.

Q20 (3.5.4): Do you prohibit the reuse of passwords within a specified number of generations?
A 'Yes' response indicates that password reuse is restricted. Evidence includes password history settings, policy documents, and system configurations.

Incident Response (3.6): 3 questions

Q21 (3.6.1): Do you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities?
A 'Yes' response signifies that a comprehensive incident response plan is in place. Evidence includes the incident response plan, training records, and incident reports.

Q22 (3.6.2): Do you track, document, and report incidents to appropriate officials and/or authorities?
A 'Yes' response means that incidents are formally documented and reported. Evidence includes incident logs, reporting procedures, and communication records.

Q23 (3.6.3): Do you test your incident response capability at least annually?
A 'Yes' response indicates that incident response plans are tested regularly. Evidence includes test plans, test results, and lessons learned documentation.

Maintenance (3.7): 3 questions

Q24 (3.7.1): Do you perform regular maintenance on your systems?
A 'Yes' response signifies that systems are maintained according to a schedule. Evidence includes maintenance logs, schedules, and maintenance procedures.

Q25 (3.7.2): Do you control and monitor the use of maintenance tools?
A 'Yes' response means that maintenance tools are managed securely. Evidence includes tool inventories, access logs, and monitoring reports.

Q26 (3.7.3): Do you ensure that maintenance personnel are supervised when performing maintenance activities?
A 'Yes' response indicates that maintenance activities are supervised. Evidence includes supervision logs, visitor access records, and maintenance policies.

Media Protection (3.8): 3 questions

Q27 (3.8.1): Do you protect information on media during transport outside of controlled areas?
A 'Yes' response signifies that media is secured during transport. Evidence includes transport policies, encryption procedures, and transport logs.

Q28 (3.8.2): Do you sanitize or destroy media containing CUI before disposal or reuse?
A 'Yes' response means that media is properly sanitized or destroyed. Evidence includes sanitization procedures, destruction logs, and policy documents.

Q29 (3.8.3): Do you limit access to CUI on media to authorized users?
A 'Yes' response indicates that media access is restricted. Evidence includes access control lists, authorization records, and access logs.

Personnel Security (3.9): 2 questions

Q30 (3.9.1): Do you screen individuals prior to authorizing access to systems containing CUI?
A 'Yes' response signifies that background checks are conducted. Evidence includes screening policies, background check records, and access authorization documents.

Q31 (3.9.2): Do you ensure that CUI is removed from systems before individuals are terminated or transferred?
A 'Yes' response means that CUI is secured during personnel changes. Evidence includes termination procedures, transfer checklists, and access revocation records.

Physical Protection (3.10): 3 questions

Q32 (3.10.1): Do you limit physical access to systems containing CUI to authorized individuals?
A 'Yes' response indicates that physical access controls are in place. Evidence includes access control policies, access logs, and physical security measures.

Q33 (3.10.2): Do you escort visitors and monitor visitor activity?
A 'Yes' response signifies that visitor access is controlled and monitored. Evidence includes visitor logs, escort procedures, and monitoring records.

Q34 (3.10.3): Do you maintain audit logs of physical access?
A 'Yes' response means that physical access is logged. Evidence includes access logs, monitoring reports, and audit procedures.

Risk Assessment (3.11): 3 questions

Q35 (3.11.1): Do you periodically assess the risk to organizational operations, assets, and individuals?
A 'Yes' response indicates that risk assessments are conducted regularly. Evidence includes risk assessment reports, methodologies, and schedules.

Q36 (3.11.2): Do you scan for vulnerabilities in your systems and applications periodically and when new vulnerabilities are identified?
A 'Yes' response signifies that vulnerability scanning is performed. Evidence includes scan reports, schedules, and remediation records.

Q37 (3.11.3): Do you remediate vulnerabilities in accordance with risk assessments?
A 'Yes' response means that identified vulnerabilities are addressed based on risk. Evidence includes remediation plans, risk assessment reports, and change logs.

Security Assessment (3.12): 4 questions

Q38 (3.12.1): Do you periodically assess the security controls in your systems to determine their effectiveness?
A 'Yes' response indicates that security control assessments are conducted. Evidence includes assessment reports, methodologies, and schedules.

Q39 (3.12.2): Do you develop and implement plans of action to correct deficiencies and reduce vulnerabilities?
A 'Yes' response signifies that POA&Ms are used to address security gaps. Evidence includes POA&M documents, remediation plans, and tracking records.

Q40 (3.12.3): Do you monitor security controls on an ongoing basis to ensure their effectiveness?
A 'Yes' response means that continuous monitoring is performed. Evidence includes monitoring reports, logs, and review schedules.

Q41 (3.12.4): Do you develop, document, and maintain a system security plan (SSP) that describes system boundaries, operational environment, and security requirements?
A 'Yes' response indicates that an SSP is in place and up to date. Evidence includes the SSP document, update logs, and approval records.

System and Communications Protection (3.13): 4 questions

Q42 (3.13.1): Do you monitor, control, and protect communications at external boundaries and key internal boundaries of your systems?
A 'Yes' response signifies that boundary protections are implemented. Evidence includes network diagrams, firewall configurations, and monitoring logs.

Q43 (3.13.2): Do you employ cryptographic methods to protect CUI during transmission?
A 'Yes' response means that encryption is used for transmitting CUI. Evidence includes encryption policies, configurations, and transmission logs.

Q44 (3.13.5): Do you implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks?
A 'Yes' response indicates that demilitarized zones (DMZs) or similar architectures are used. Evidence includes network architecture diagrams, configurations, and access control policies.

Q45 (3.13.11): Do you employ FIPS-validated cryptography when protecting CUI?
A 'Yes' response signifies that FIPS-validated cryptographic modules are used. Evidence includes cryptographic module certificates, configurations, and policy documents.

System and Information Integrity (3.14): 3 questions

Q46 (3.14.1): Do you identify, report, and correct system flaws in a timely manner?
A 'Yes' response indicates that a process exists for managing system flaws. Evidence includes flaw remediation procedures, reports, and timelines.

Q47 (3.14.2): Do you provide protection from malicious code at appropriate locations within your systems?
A 'Yes' response signifies that anti-malware measures are in place. Evidence includes anti-malware policies, software configurations, and scan logs.

Q48 (3.14.3): Do you monitor system security alerts and advisories and take appropriate actions in response?
A 'Yes' response means that security alerts are actively monitored and addressed. Evidence includes monitoring procedures, alert logs, and response records.