About NIST SP 800-171
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,"
provides security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations.
This publication is the foundation for CMMC Level 2 compliance and is required for defense contractors handling CUI.
Key Points:
- 110 security requirements across 14 control families
- Required for CMMC Level 2 compliance
- Applies to all systems that process, store, or transmit CUI
- Must be implemented before CMMC assessment
NIST 800-171 Control Families
Access Control (AC)
Limit information system access to authorized users, processes acting on behalf of authorized users, and devices.
Key Requirements:
- AC.3.1.1: Authorize access to the system
- AC.3.1.2: Control the flow of CUI
- AC.3.1.3: Separate duties of individuals
- AC.3.1.4: Limit unsuccessful logon attempts
- AC.3.1.5: Use session lock with pattern-hiding displays
Implementation Tips:
- Implement role-based access control (RBAC)
- Use multi-factor authentication (MFA)
- Configure account lockout policies
- Enable session timeouts
- Conduct regular access reviews and recertification
Awareness and Training (AT)
Ensure that managers and users of organizational information systems are made aware of the security risks.
Key Requirements:
- AT.3.1.1: Provide basic security awareness training
- AT.3.1.2: Provide role-based security training
- AT.3.1.3: Provide security training before authorizing access
- AT.3.1.4: Provide refresher training
- AT.3.1.5: Simulate social engineering attacks
Implementation Tips:
- Develop a comprehensive training program
- Conduct regular phishing simulations
- Document all training activities
- Measure training effectiveness
- Provide role-specific training
Audit and Accountability (AU)
Create, protect, and retain information system audit records to enable monitoring, analysis, investigation, and reporting.
Key Requirements:
- AU.3.1.1: Create and retain audit logs
- AU.3.1.2: Ensure audit logs are complete and accurate
- AU.3.1.3: Protect audit information and tools
- AU.3.1.4: Review and update audit logs
- AU.3.1.5: Respond to audit processing failures
Implementation Tips:
- Implement centralized logging
- Use a SIEM for log analysis
- Secure audit logs from tampering
- Conduct regular log review and analysis
- Set up automated alerting for security events
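One concrete way to make audit records tamper-evident, covering the "create and retain audit logs" and "protect audit information" requirements above: each record carries an HMAC over its own content and the hash of the record before it, so editing, deleting, or reordering an entry breaks the chain at a detectable position. This is an added illustration, not code from the page or from NIST; the key, event fields, and sample events are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the key lives outside the logging
# host (separate log-integrity service or HSM) so a compromised host cannot
# re-seal records it has altered.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous hash" for the first record in the chain


def _seal(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous hash plus the canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_event(log: list, actor: str, action: str, outcome: str, ts: str = None) -> dict:
    """Append one audit record that is chained to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "outcome": outcome,
        "prev": prev,
    }
    entry = {**record, "hash": _seal(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return the index of the first record that fails verification, or -1 if intact.

    A modified field changes the HMAC; a deleted or reordered record makes the
    stored "prev" disagree with the hash of the record actually before it.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        expected = _seal(prev, record)
        if record["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    return -1
```

Run `verify_chain` as part of the periodic log review: a non-negative result pinpoints where the retained log stopped matching what was originally written.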
Configuration Management (CM)
Establish and maintain baseline configurations and inventories of organizational information systems.
Key Requirements:
- CM.3.1.1: Establish baseline configurations
- CM.3.1.2: Establish and maintain configuration management
- CM.3.1.3: Restrict, disable, or prevent use of nonessential programs
- CM.3.1.4: Control and monitor user-installed software
- CM.3.1.5: Establish and maintain secure configurations
Implementation Tips:
- Use configuration management tools
- Implement change control processes
- Conduct regular configuration audits
- Apply software whitelisting/blacklisting
- Maintain secure configuration baselines
Identification and Authentication (IA)
Identify information system users, processes acting on behalf of users, and devices.
Key Requirements:
- IA.3.1.1: Identify and authenticate users
- IA.3.1.2: Identify and authenticate devices
- IA.3.1.3: Use multifactor authentication
- IA.3.1.4: Employ replay-resistant authentication
- IA.3.1.5: Prevent reuse of identifiers
Implementation Tips:
- Implement strong password policies
- Use multi-factor authentication (MFA)
- Authenticate and manage devices
- Rotate credentials regularly
- Define account lockout and recovery procedures
Incident Response (IR)
Establish an operational incident response capability for organizational information systems.
Key Requirements:
- IR.3.1.1: Establish incident response capability
- IR.3.1.2: Track, document, and report incidents
- IR.3.1.3: Test incident response capability
- IR.3.1.4: Provide incident response training
- IR.3.1.5: Implement incident response plan
Implementation Tips:
- Develop a comprehensive incident response plan
- Establish an incident response team
- Run regular incident response exercises
- Document and learn from incidents
- Coordinate with external parties
Maintenance (MA)
Perform maintenance on organizational information systems.
Key Requirements:
- MA.3.1.1: Perform maintenance on information systems
- MA.3.1.2: Provide maintenance personnel with access
- MA.3.1.3: Supervise maintenance activities
- MA.3.1.4: Require maintenance personnel to be authorized
- MA.3.1.5: Secure maintenance tools
Implementation Tips:
- Establish maintenance procedures
- Control access granted to maintenance personnel
- Supervise maintenance activities
- Secure maintenance tools and media
- Document all maintenance activities
Media Protection (MP)
Protect information system media, both paper and digital.
Key Requirements:
- MP.3.1.1: Protect information system media
- MP.3.1.2: Limit access to information on portable media
- MP.3.1.3: Sanitize or destroy information system media
- MP.3.1.4: Mark media with necessary information
- MP.3.1.5: Control access to media
Implementation Tips:
- Implement media handling procedures
- Encrypt portable media
- Secure media storage and disposal
- Label and track media
- Sanitize media regularly
Personnel Security (PS)
Ensure that individuals occupying positions of responsibility are trustworthy.
Key Requirements:
- PS.3.1.1: Screen individuals prior to authorizing access
- PS.3.1.2: Ensure that individuals occupying positions of responsibility
- PS.3.1.3: Terminate access when employment ends
- PS.3.1.4: Require individuals to sign nondisclosure agreements
- PS.3.1.5: Require individuals to complete security training
Implementation Tips:
- Implement background check procedures
- Establish personnel security policies
- Conduct regular access reviews
- Use nondisclosure agreements
- Set security training requirements
Physical Protection (PE)
Limit physical access to information systems, equipment, and operating environments.
Key Requirements:
- PE.3.1.1: Limit physical access to information systems
- PE.3.1.2: Protect and monitor the physical facility
- PE.3.1.3: Escort visitors and monitor visitor activity
- PE.3.1.4: Maintain audit logs of physical access
- PE.3.1.5: Control and monitor physical access
Implementation Tips:
- Implement physical access controls
- Use security cameras and monitoring
- Establish visitor management procedures
- Log physical access
- Store equipment securely
Risk Assessment (RA)
Periodically assess the risk to organizational operations, assets, and individuals.
Key Requirements:
- RA.3.1.1: Periodically assess the risk to organizational operations
- RA.3.1.2: Scan for vulnerabilities in the information system
- RA.3.1.3: Remediate vulnerabilities in accordance with risk assessments
- RA.3.1.4: Update security control assessments
- RA.3.1.5: Monitor the information system for security events
Implementation Tips:
- Conduct regular risk assessments
- Implement vulnerability scanning
- Establish risk remediation procedures
- Perform regular security control assessments
- Maintain continuous monitoring and alerting
Security Assessment (CA)
Periodically assess the security controls in organizational information systems.
Key Requirements:
- CA.3.1.1: Periodically assess the security controls
- CA.3.1.2: Develop, document, and periodically update system security plans
- CA.3.1.3: Monitor security control assessments
- CA.3.1.4: Develop, document, and periodically update system security plans
- CA.3.1.5: Develop, document, and periodically update system security plans
Implementation Tips:
- Perform regular security control assessments
- Develop and maintain security plans
- Monitor assessment activities
- Document security control implementations
- Establish continuous improvement processes
System and Communications Protection (SC)
Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries.
Key Requirements:
- SC.3.1.1: Monitor, control, and protect communications
- SC.3.1.2: Employ architectural designs, software development techniques
- SC.3.1.3: Separate user functionality from system management functionality
- SC.3.1.4: Prevent unauthorized and unintended information transfer
- SC.3.1.5: Implement subnetworks for publicly accessible system components
Implementation Tips:
- Implement network segmentation
- Use firewalls and intrusion detection
- Use secure communications protocols
- Monitor and log network activity
- Perform regular security testing
System and Information Integrity (SI)
Identify, report, and correct information and information system flaws in a timely manner.
Key Requirements:
- SI.3.1.1: Identify, report, and correct information and information system flaws
- SI.3.1.2: Provide protection from malicious code at appropriate locations
- SI.3.1.3: Monitor system security alerts and advisories
- SI.3.1.4: Monitor system security alerts and advisories
- SI.3.1.5: Monitor system security alerts and advisories
Implementation Tips:
- Implement vulnerability management
- Use antivirus and antimalware solutions
- Monitor security alerts and advisories
- Apply security updates and patches regularly
- Maintain incident response and remediation procedures
Need Help with NIST 800-171 Implementation?
Get expert guidance on implementing NIST 800-171 requirements for CMMC Level 2 compliance.