NIST Special Publication 800-171 Revision 2
Date Published: February 2020 (includes updates as of January 28, 2021)
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024-O0013). The deviation clause requires contractors who are subject to DFARS 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.1: Access Control
Controls
3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement…
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes…
3.1.3: Control the flow of CUI in accordance with approved authorizations
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control…
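The distinction drawn in 3.1.1 and 3.1.3 (who may touch an object versus where its contents may travel, and the fact that a flow decision does not depend on who later reads the data) is easiest to see in code. The following is an added example, not text or code from NIST SP 800-171; the subjects, object names, labels, zones and the approved-flow table are all hypothetical. It goes slightly beyond the discussion text by propagating the CUI label to objects derived from a CUI object, so that a summary written from a CUI file is subject to the same flow restrictions as its source.

```python
"""Access control (who) versus information flow control (where).
Added illustration for SP 800-171 3.1.1/3.1.3; all names are hypothetical."""
from dataclasses import dataclass

# Sensitivity labels ordered low to high (constructed for the example).
LABELS = {"public": 0, "internal": 1, "cui": 2}


@dataclass
class Obj:
    name: str
    label: str
    derived_from: tuple = ()  # labels of the objects this one was built from


# Access control matrix: subject -> object -> permitted operations (the "who").
ACL = {
    "alice": {"contract.pdf": {"read", "write"}, "brochure.txt": {"read"}},
    "bob": {"brochure.txt": {"read", "write"}},
}

# Approved authorizations for flows: (label, source zone, destination zone).
# A flow is permitted only if it is explicitly listed here (the "where").
FLOWS = {
    ("cui", "enclave", "enclave"),
    ("cui", "enclave", "partner-sftp"),
    ("internal", "enclave", "enclave"),
    ("internal", "enclave", "partner-sftp"),
    ("public", "enclave", "enclave"),
    ("public", "enclave", "partner-sftp"),
    ("public", "enclave", "web-dmz"),
}


def can_access(subject, obj, op):
    """Access decision: is the subject permitted this operation on the object?"""
    return op in ACL.get(subject, {}).get(obj.name, set())


def effective_label(obj):
    """Highest label among the object and everything it was derived from."""
    candidates = [obj.label, *obj.derived_from]
    return max(candidates, key=LABELS.__getitem__)


def can_flow(obj, src_zone, dst_zone):
    """Flow decision: may data with this label move from src_zone to dst_zone?
    Note that the subject is not an input; flow control is about the data's path."""
    return (effective_label(obj), src_zone, dst_zone) in FLOWS


def authorize_transfer(subject, obj, src_zone, dst_zone):
    """Both mechanisms must allow the operation before a transfer proceeds."""
    if not can_access(subject, obj, "read"):
        return "deny: no read access"
    if not can_flow(obj, src_zone, dst_zone):
        return f"deny: {effective_label(obj)} may not flow {src_zone}->{dst_zone}"
    return "allow"


def derive(name, source, label="public"):
    """Create a new object from an existing one; the source label propagates,
    so a 'public'-marked summary of a CUI document is still treated as CUI."""
    return Obj(name, label, derived_from=(effective_label(source),))
```

A subject with full read access to a CUI object (alice on contract.pdf) is still denied when the destination is the web DMZ, while a public object may go there; that is the sense in which flow control answers a different question from access control.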
3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of…
3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle…
3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion…
3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users…
3.1.8: Limit unsuccessful logon attempts
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to…
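The point that the limit applies regardless of connection type is simple to state but easy to get wrong in an implementation that keeps separate counters per login path. The following is an added example, not NIST text or any vendor's lockout code; the threshold (5 failures), the counting window (15 minutes) and the lockout period (30 minutes) are hypothetical policy values chosen for illustration. Local and network attempts against an account share one counter and one lock, and a correct password does not bypass an active lock.

```python
"""Limiting unsuccessful logon attempts (SP 800-171 3.1.8).
Added illustration; policy values below are hypothetical."""
from collections import deque

MAX_FAILURES = 5         # failures tolerated ...
WINDOW_SECONDS = 900     # ... within this sliding window
LOCKOUT_SECONDS = 1800   # lock duration once the limit is reached


class LogonLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires
        self.events = []         # (time, account, source, decision) for audit

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def _recent_failures(self, account, now):
        """Drop failures older than the window and return the live deque."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, account, credential_ok, now, source="network"):
        """Record one logon attempt and return the decision.
        `source` ("local" or "network") is logged only; it never selects a
        different counter, so the limit applies to both paths equally."""
        decision = self._decide(account, credential_ok, now)
        self.events.append((now, account, source, decision))
        return decision

    def _decide(self, account, credential_ok, now):
        if self.is_locked(account, now):
            return "locked"          # valid credentials do not lift the lock
        if credential_ok:
            self._failures.pop(account, None)
            return "success"
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"
```

The events list is where a production implementation would hand off to the audit trail; keeping the decision keyed by account rather than by source is the detail that makes the "local or network" sentence above hold.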
3.1.9: Provide privacy and security notices consistent with applicable CUI rules
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use…
3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks…
3.1.11: Terminate (automatically) a user session after a defined condition
This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical…
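The two requirements above describe different actions on the same logical session: a lock hides the display and suspends input but preserves the session until the user re-authenticates, while termination ends the session outright (and, as the discussion notes, is distinct from dropping the network connection). The following state machine is an added example covering both 3.1.10 and 3.1.11; it is not NIST text or code from any product, and the idle period (15 minutes), the time a locked session may persist before it is terminated (1 hour) and the absolute session lifetime (8 hours) are hypothetical values.

```python
"""Session lock versus session termination (SP 800-171 3.1.10 / 3.1.11).
Added illustration; the three timing values are hypothetical policy choices."""

IDLE_LOCK_SECONDS = 900          # lock after this much inactivity
LOCK_EXPIRY_SECONDS = 3600       # terminate a session locked this long
MAX_LIFETIME_SECONDS = 8 * 3600  # terminate regardless of activity after this


class Session:
    """A user's logical session. Times are seconds on a monotonic clock."""

    def __init__(self, user, started, idle=IDLE_LOCK_SECONDS,
                 lock_expiry=LOCK_EXPIRY_SECONDS, lifetime=MAX_LIFETIME_SECONDS):
        self.user = user
        self.started = started
        self.last_activity = started
        self.locked_at = None      # None while active
        self.terminated = False
        self.idle = idle
        self.lock_expiry = lock_expiry
        self.lifetime = lifetime

    def _tick(self, now):
        """Apply the time-based transitions that are due at `now`."""
        if self.terminated:
            return
        if now - self.started >= self.lifetime:
            self.terminated = True       # defined condition: absolute lifetime
            return
        if self.locked_at is None and now - self.last_activity >= self.idle:
            self.locked_at = self.last_activity + self.idle
        if self.locked_at is not None and now - self.locked_at >= self.lock_expiry:
            self.terminated = True       # defined condition: locked too long

    def state(self, now):
        self._tick(now)
        if self.terminated:
            return "terminated"
        if self.locked_at is not None:
            return "locked"
        return "active"

    def render(self, now):
        """What the screen shows: content only while active; otherwise a
        pattern-hiding lock screen that reveals nothing about the session."""
        return "<screen contents>" if self.state(now) == "active" else "<pattern-hiding lock screen>"

    def activity(self, now):
        """Ordinary user input. Rejected unless the session is active, so a
        keystroke cannot wake a locked session without re-authentication."""
        if self.state(now) != "active":
            return False
        self.last_activity = now
        return True

    def unlock(self, now, reauthenticated):
        """Resume a locked session. Only re-authentication lifts the lock, and a
        terminated session can never be resumed; the user must log on again."""
        if self.state(now) != "locked" or not reauthenticated:
            return False
        self.locked_at = None
        self.last_activity = now
        return True
```

Termination here changes only the logical session object; whatever transport carried it (an SSH connection, a VPN tunnel) is a separate resource, which is the contrast the 3.1.11 discussion draws.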
3.1.12: Monitor and control remote access sessions
Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access…
3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
3.1.14: Route remote access via managed access control points
Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information
A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant…
3.1.16: Authorize wireless access prior to allowing such connections
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions…
3.1.17: Protect wireless access using authentication and encryption
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention…
3.1.18: Control connection of mobile devices
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices…
3.1.19: Encrypt CUI on mobile devices and mobile computing platforms
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based…
3.1.20: Verify and control/limit connections to and use of external systems
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems…
3.1.21: Limit use of portable storage devices on external systems
Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that…
3.1.22: Control CUI posted or processed on publicly accessible systems
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement…