NIST 800-171

Summary

NIST Special Publication 800-171 named Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides agencies with recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when the information is resident in nonfederal systems and organizations. The version used in this section is SP 800-171 revision 2, January 2021.

Definitions

Definition	Requirements
NIST800171-1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices	096. Set user's required privileges
NIST800171-1_4. Separate the duties of individuals	095. Define users with privileges
NIST800171-1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts	186. Use the principle of least privilege
NIST800171-1_7. Prevent non-privileged users from executing privileged functions	155. Application free of malicious code 095. Define users with privileges 096. Set user's required privileges
NIST800171-1_9. Provide privacy and security notices	225. Proper authentication responses
NIST800171-1_11. Terminate a user session after a defined condition	023. Terminate inactive user sessions
NIST800171-1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 338. Implement perfect forward secrecy
NIST800171-1_16. Authorize wireless access prior to allowing such connections	206. Configure communication protocols 253. Restrict network access
NIST800171-1_17. Protect wireless access using authentication and encryption	228. Authenticate using standard protocols 229. Request access credentials 235. Define credential interface 264. Request authentication
NIST800171-1_18. Control connection of mobile devices	155. Application free of malicious code 205. Configure PIN 206. Configure communication protocols 210. Delete information from mobile devices 213. Allow geographic location 273. Define a fixed security suite 353. Schedule firmware updates 354. Prevent firmware downgrades
NIST800171-1_19. Encrypt CUI on mobile devices and mobile computing platforms	026. Encrypt client-side session information
NIST800171-1_20. Verify and control/limit connections to and use of external systems	284. Define maximum number of connections
NIST800171-3_6. Provide audit record reduction	322. Avoid excessive logging 075. Record exceptional events in logs
NIST800171-3_7. Synchronizes internal system clocks with an authoritative source to generate time stamps for audit records	079. Record exact occurrence time of events
NIST800171-3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion	378. Use of log management system 080. Prevent log modification
NIST800171-3_9. Limit management of audit logging functionality to a subset of privileged users	096. Set user's required privileges
NIST800171-4_2. Establish and enforce security configuration settings for information technology products	266. Disable insecure functionalities 062. Define standard configurations
NIST800171-4_3. Track, review and log changes to organizational systems	376. Register severity level 075. Record exceptional events in logs
NIST800171-4_6. Employ the principle of least functionality and provide only essential capabilities	186. Use the principle of least privilege
NIST800171-4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services	255. Allow access only to the necessary ports
NIST800171-5_1. Identify system users, processes acting on behalf of users, and devices	143. Unique access credentials 351. Assign unique keys to each device
NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems	133. Passwords with at least 20 characters 138. Define lifespan for temporary passwords 140. Define OTP lifespan 229. Request access credentials 231. Implement a biometric verification component 096. Set user's required privileges
NIST800171-5_3. Use multifactor authentication for local and network access to privileged accounts	362. Assign MFA mechanisms to a single account
NIST800171-5_4. Employ replay-resistant authentication mechanisms	368. Use of indistinguishable response time
NIST800171-5_5. Prevent reuse of identifiers for a defined period	030. Avoid object reutilization
NIST800171-5_6. Disable identifiers after a defined period of inactivity	114. Deny access with inactive credentials 023. Terminate inactive user sessions 031. Discard user session data
NIST800171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created	130. Limit password lifespan 133. Passwords with at least 20 characters
NIST800171-5_9. Allow temporary password use for system logons with an immediate change to a permanent password	136. Force temporary password change 137. Change temporary passwords of third parties 138. Define lifespan for temporary passwords
NIST800171-5_10. Store and transmit only cryptographically-protected passwords	134. Store passwords with salt 135. Passwords with random salt
NIST800171-5_11. Obscure feedback of authentication information	225. Proper authentication responses

Last updated

2023/09/18