NIST 800-171

Summary

NIST Special Publication 800-171 named Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides agencies with recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when the information is resident in nonfederal systems and organizations. The version used in this section is SP 800-171 revision 2, January 2021.

Definitions

Definition	Requirements
1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices	096. Set user's required privileges
1_4. Separate the duties of individuals	095. Define users with privileges
1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts	186. Use the principle of least privilege
1_7. Prevent non-privileged users from executing privileged functions	095. Define users with privileges 096. Set user's required privileges 155. Application free of malicious code
1_9. Provide privacy and security notices	225. Proper authentication responses
1_11. Terminate a user session after a defined condition	023. Terminate inactive user sessions
1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 338. Implement perfect forward secrecy
1_16. Authorize wireless access prior to allowing such connections	206. Configure communication protocols 253. Restrict network access
1_17. Protect wireless access using authentication and encryption	228. Authenticate using standard protocols 229. Request access credentials 235. Define credential interface 264. Request authentication
1_18. Control connection of mobile devices	155. Application free of malicious code 205. Configure PIN 206. Configure communication protocols 210. Delete information from mobile devices 213. Allow geographic location 273. Define a fixed security suite 353. Schedule firmware updates 354. Prevent firmware downgrades
1_19. Encrypt CUI on mobile devices and mobile computing platforms	026. Encrypt client-side session information
1_20. Verify and control/limit connections to and use of external systems	284. Define maximum number of connections
3_6. Provide audit record reduction	075. Record exceptional events in logs 322. Avoid excessive logging
3_7. Synchronizes internal system clocks with an authoritative source to generate time stamps for audit records	079. Record exact occurrence time of events
3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion	080. Prevent log modification 378. Use of log management system
3_9. Limit management of audit logging functionality to a subset of privileged users	096. Set user's required privileges
4_2. Establish and enforce security configuration settings for information technology products	062. Define standard configurations 266. Disable insecure functionalities
4_3. Track, review and log changes to organizational systems	075. Record exceptional events in logs 376. Register severity level
4_6. Employ the principle of least functionality and provide only essential capabilities	186. Use the principle of least privilege
4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services	255. Allow access only to the necessary ports
5_1. Identify system users, processes acting on behalf of users, and devices	143. Unique access credentials 351. Assign unique keys to each device
5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems	096. Set user's required privileges 133. Passwords with at least 20 characters 138. Define lifespan for temporary passwords 140. Define OTP lifespan 229. Request access credentials 231. Implement a biometric verification component
5_3. Use multifactor authentication for local and network access to privileged accounts	362. Assign MFA mechanisms to a single account
5_4. Employ replay-resistant authentication mechanisms	368. Use of indistinguishable response time
5_5. Prevent reuse of identifiers for a defined period	030. Avoid object reutilization
5_6. Disable identifiers after a defined period of inactivity	023. Terminate inactive user sessions 031. Discard user session data 114. Deny access with inactive credentials
5_7. Enforce a minimum password complexity and change of characters when new passwords are created	130. Limit password lifespan 133. Passwords with at least 20 characters
5_9. Allow temporary password use for system logons with an immediate change to a permanent password	136. Force temporary password change 137. Change temporary passwords of third parties 138. Define lifespan for temporary passwords
5_10. Store and transmit only cryptographically-protected passwords	134. Store passwords with salt 135. Passwords with random salt
5_11. Obscure feedback of authentication information	225. Proper authentication responses

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.