NIST SP 800-171 Rev. 3
NIST SP 800-171 specifies the security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when it is processed, stored or transmitted by nonfederal systems and organizations. Rev. 3 realigns the requirements with the SP 800-53 Rev. 5 moderate baseline, restructures many of them into lettered sub-requirements, and introduces organization-defined parameters (ODPs) whose values are set by the federal agency or, where it has not done so, by the nonfederal organization; a requirement that carries an ODP is not assessable until that value is fixed. SP 800-171 is the basis for CMMC Level 2, but the CMMC program rule currently cites Rev. 2, so confirm which revision a given contract requires before mapping it to this catalog.
Issuing Body: National Institute of Standards and Technology (NIST)
Version: Rev. 3
Published: 2024-05-14
Controls: 16 in this catalog (a subset; the full Rev. 3 publication contains 97 requirements)
Mapped Laws: none
The requirement statements below are the single-sentence form carried over from Rev. 2. Rev. 3 expands most of them into lettered sub-requirements and adds ODPs (for example, the time window for installing security-relevant updates under 3.14.1), so treat this table as an index and use the published Rev. 3 text as the assessable statement. The Family column gives the SP 800-171 requirement family that the numeric prefix of each ID belongs to.

| Control ID | Title | Requirement | Family | Maturity |
|---|---|---|---|---|
| NIST171-3.1.1 | Authorized Access Control | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | Access Control | managed |
| NIST171-3.1.2 | Transaction and Function Control | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | Access Control | managed |
| NIST171-3.1.3 | Control CUI Flow | Control the flow of CUI in accordance with approved authorizations. | Access Control | managed |
| NIST171-3.1.5 | Least Privilege | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Access Control | managed |
| NIST171-3.1.12 | Remote Access Control | Monitor and control remote access sessions. | Access Control | managed |
| NIST171-3.3.1 | System Auditing | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Audit and Accountability | managed |
| NIST171-3.3.2 | User Accountability | Ensure that the actions of individual system users can be traced to those users so they can be held accountable for their actions. | Audit and Accountability | managed |
| NIST171-3.4.1 | System Baselining | Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles. | Configuration Management | managed |
| NIST171-3.4.2 | Security Configuration Enforcement | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Configuration Management | managed |
| NIST171-3.5.3 | Multi-Factor Authentication | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | Identification and Authentication | managed |
| NIST171-3.6.1 | Incident Handling | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Incident Response | managed |
| NIST171-3.11.1 | Risk Assessment | Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | Risk Assessment | managed |
| NIST171-3.13.1 | Boundary Protection | Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems. | System and Communications Protection | managed |
| NIST171-3.13.8 | Transmission Confidentiality | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | System and Communications Protection | managed |
| NIST171-3.14.1 | Flaw Remediation | Identify, report, and correct information and information system flaws in a timely manner. | System and Information Integrity | managed |
| NIST171-3.14.2 | Malicious Code Protection | Provide protection from malicious code at appropriate locations within organizational systems. | System and Information Integrity | managed |
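As an added example (not part of this catalog page and not NIST tooling), the following Python loads a catalog table in the format used above into structured records, derives each requirement's family from its ID, and checks the set for the consistency problems that creep into hand-maintained catalogs: malformed or duplicate IDs, a family cell that contradicts the ID, rows out of numeric order (a plain string sort puts 3.13 before 3.5), and a control count that does not match the page's stated total. `SAMPLE_TABLE` is a constructed five-row subset of the table above; the `NIST171-` ID prefix is this catalog's own convention, and the family names and numbering are those of the Rev. 3 publication.

```python
"""Load a NIST SP 800-171 control catalog table and validate it.

Added example, not code from the catalog page or from NIST. SAMPLE_TABLE is a
constructed five-row subset of the page's table; FAMILIES is the family
numbering fixed by the Rev. 3 publication.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Requirement families keyed by the section number after "3." (Rev. 3 names).
FAMILIES = {
    1: "Access Control", 2: "Awareness and Training",
    3: "Audit and Accountability", 4: "Configuration Management",
    5: "Identification and Authentication", 6: "Incident Response",
    7: "Maintenance", 8: "Media Protection", 9: "Personnel Security",
    10: "Physical Protection", 11: "Risk Assessment",
    12: "Security Assessment and Monitoring",
    13: "System and Communications Protection",
    14: "System and Information Integrity", 15: "Planning",
    16: "System and Services Acquisition", 17: "Supply Chain Risk Management",
}

ID_RE = re.compile(r"^NIST171-3\.(\d+)\.(\d+)$")  # this catalog's ID style

# Constructed subset of the page's table; "—" in Family means "derive from ID".
SAMPLE_TABLE = """
| Control ID | Title | Requirement | Family | Maturity |
|---|---|---|---|---|
| NIST171-3.1.1 | Authorized Access Control | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | — | managed |
| NIST171-3.1.5 | Least Privilege | Employ the principle of least privilege, including for specific security functions and privileged accounts. | — | managed |
| NIST171-3.5.3 | Multi-Factor Authentication | Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | — | managed |
| NIST171-3.13.8 | Transmission Confidentiality | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | — | managed |
| NIST171-3.14.2 | Malicious Code Protection | Provide protection from malicious code at appropriate locations within organizational systems. | — | managed |
"""


@dataclass(frozen=True)
class Control:
    control_id: str
    family_no: int
    req_no: int
    family: str
    title: str
    requirement: str
    maturity: str

    @property
    def sort_key(self) -> tuple:
        return (self.family_no, self.req_no)  # numeric, so 3.5 sorts before 3.13


def parse_catalog(markdown: str) -> list:
    """Parse the five-column table; raise on an ID the standard cannot contain."""
    controls = []
    for raw in markdown.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Control ID" or set(cells[0]) == {"-"}:
            continue  # header and separator rows
        cid, title, requirement, family, maturity = cells
        m = ID_RE.match(cid)
        if not m:
            raise ValueError(f"malformed control ID {cid!r}")
        family_no, req_no = int(m.group(1)), int(m.group(2))
        if family_no not in FAMILIES:
            raise ValueError(f"{cid}: no family 3.{family_no} in SP 800-171")
        expected = FAMILIES[family_no]
        if family not in ("", "—", expected):
            raise ValueError(f"{cid}: family {family!r} contradicts ID ({expected})")
        controls.append(Control(cid, family_no, req_no, expected, title, requirement, maturity))
    return controls


def validate(controls: list, expected_count: Optional[int] = None) -> list:
    """Return a list of consistency problems; an empty list means the catalog is clean."""
    problems = []
    ids = [c.control_id for c in controls]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        problems.append(f"duplicate IDs: {dupes}")
    if [c.sort_key for c in controls] != sorted(c.sort_key for c in controls):
        problems.append("rows are not in numeric requirement order")
    if expected_count is not None and len(controls) != expected_count:
        problems.append(f"page says {expected_count} controls, table has {len(controls)}")
    for c in controls:
        if not c.requirement or not c.title:
            problems.append(f"{c.control_id}: empty title or requirement")
    return problems


def by_family(controls: list) -> dict:
    """Group control IDs by family, preserving table order within each family."""
    groups = defaultdict(list)
    for c in controls:
        groups[c.family].append(c.control_id)
    return dict(groups)


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_TABLE)
    for fam, ids in by_family(catalog).items():
        print(f"{fam}: {', '.join(ids)}")
    print("problems:", validate(catalog, expected_count=5) or "none")
```

Feeding the full 16-row table in with `expected_count=16` is the check worth running whenever the catalog is edited: the ordering test and the family derivation are what catch a row pasted under the wrong family or an ID typed as 3.31 instead of 3.3.1.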