Compliance Reference
NIST 800-171 Requirements
All 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems, organized by family with CMMC practice mappings.
3.1 Access Control (22 requirements)
3.1.1 Account Management → AC.L1-3.1.1
3.1.2 Access Enforcement → AC.L1-3.1.2
3.1.3 Information Flow Enforcement → AC.L2-3.1.3
3.1.4 Separation of Duties → AC.L2-3.1.4
3.1.5 Least Privilege → AC.L2-3.1.5
3.1.6 Least Privilege – Privileged Accounts → AC.L2-3.1.6
3.1.7 Least Privilege – Privileged Functions → AC.L2-3.1.7
3.1.8 Unsuccessful Logon Attempts → AC.L2-3.1.8
3.1.9 System Use Notification → AC.L2-3.1.9
3.1.10 Device Lock → AC.L2-3.1.10
3.1.11 Session Termination → AC.L2-3.1.11
3.1.12 Remote Access → AC.L2-3.1.12
3.1.13 Employ Cryptographic Mechanisms to Protect the Confidentiality of Remote Access Sessions → AC.L2-3.1.13
3.1.14 Route Remote Access via Managed Access Control Points → AC.L2-3.1.14
3.1.15 Authorize Remote Execution of Privileged Commands and Remote Access to Security-Relevant Information → AC.L2-3.1.15
3.1.16 Wireless Access → AC.L2-3.1.16
3.1.17 Protect Wireless Access Using Authentication and Encryption → AC.L2-3.1.17
3.1.18 Access Control for Mobile Devices → AC.L2-3.1.18
3.1.19 Encrypt CUI on Mobile Devices and Mobile Computing Platforms → AC.L2-3.1.19
3.1.20 Use of External Systems → AC.L1-3.1.20
3.1.21 Limit Use of Portable Storage Devices on External Systems → AC.L2-3.1.21
3.1.22 Publicly Accessible Content → AC.L1-3.1.22
3.2 Awareness and Training (3 requirements)
3.3 Audit and Accountability (9 requirements)
3.3.1 Event Logging → AU.L2-3.3.1
3.3.2 Audit Record Content → AU.L2-3.3.2
3.3.3 Audit Record Generation → AU.L2-3.3.3
3.3.4 Response to Audit Logging Process Failures → AU.L2-3.3.4
3.3.5 Audit Record Review, Analysis, and Reporting → AU.L1-3.3.5
3.3.6 Audit Record Reduction and Report Generation → AU.L2-3.3.6
3.3.7 Time Stamps → AU.L2-3.3.7
3.3.8 Protection of Audit Information → AU.L2-3.3.8
3.3.9 Provide a System Capability That Compares and Synchronizes Internal System Clocks → AU.L2-3.3.9
3.4 Configuration Management (9 requirements)
3.4.1 Baseline Configuration → CM.L1-3.4.1
3.4.2 Configuration Settings → CM.L1-3.4.2
3.4.3 Configuration Change Control → CM.L2-3.4.3
3.4.4 Impact Analyses → CM.L2-3.4.4
3.4.5 Access Restrictions for Change → CM.L2-3.4.5
3.4.6 Least Functionality → CM.L2-3.4.6
3.4.7 Restrict, Disable, or Prevent the Use of Nonessential Programs, Functions, Ports, Protocols, and Services → CM.L2-3.4.7
3.4.8 Authorized Software – Allow by Exception → CM.L2-3.4.8
3.4.9 Control and Monitor User-Installed Software → CM.L2-3.4.9
3.5 Identification and Authentication (11 requirements)
3.5.1 User Identification and Authentication → IA.L1-3.5.1
3.5.2 Device Identification and Authentication → IA.L1-3.5.2
3.5.3 Multi-Factor Authentication → IA.L2-3.5.3
3.5.4 Replay-Resistant Authentication → IA.L2-3.5.4
3.5.5 Identifier Management → IA.L2-3.5.5
3.5.6 Disable Identifier After a Defined Period of Inactivity → IA.L2-3.5.6
3.5.7 Password Management → IA.L1-3.5.7
3.5.8 Implement Replay-Resistant Authentication Mechanisms for Network Access to Non-Privileged Accounts → IA.L2-3.5.8
3.5.9 Allow Temporary Password Use for System Logons with an Immediate Change to a Permanent Password → IA.L2-3.5.9
3.5.10 Store and Transmit Only Cryptographically-Protected Passwords → IA.L2-3.5.10
3.5.11 Authentication Feedback → IA.L2-3.5.11
3.6 Incident Response (3 requirements)
3.7 Maintenance (6 requirements)
3.7.1 Perform Maintenance on Organizational Systems → MA.L2-3.7.1
3.7.2 Provide Controls on the Tools, Techniques, Mechanisms, and Personnel Used to Conduct System Maintenance → MA.L2-3.7.2
3.7.3 Ensure Equipment Removed for Off-Site Maintenance Is Sanitized of Any CUI → MA.L2-3.7.3
3.7.4 Maintenance Tools → MA.L2-3.7.4
3.7.5 Nonlocal Maintenance → MA.L2-3.7.5
3.7.6 Maintenance Personnel → MA.L2-3.7.6
3.8 Media Protection (9 requirements)
3.8.1 Media Storage → MP.L2-3.8.1
3.8.2 Media Access → MP.L2-3.8.2
3.8.3 Media Sanitization → MP.L1-3.8.3
3.8.4 Media Marking → MP.L2-3.8.4
3.8.5 Media Transport → MP.L2-3.8.5
3.8.6 Implement Cryptographic Mechanisms to Protect the Confidentiality of CUI Stored on Digital Media During Transport → MP.L2-3.8.6
3.8.7 Media Use → MP.L2-3.8.7
3.8.8 Prohibit the Use of Portable Storage Devices When Such Devices Have No Identifiable Owner → MP.L2-3.8.8
3.8.9 System Backup – Cryptographic Protection → MP.L2-3.8.9
3.9 Personnel Security (2 requirements)
3.10 Physical Protection (6 requirements)
3.10.1 Physical Access Authorizations → PE.L1-3.10.1
3.10.2 Monitoring Physical Access → PE.L2-3.10.2
3.10.3 Escort Visitors and Monitor Visitor Activity → PE.L1-3.10.3
3.10.4 Maintain Audit Logs of Physical Access → PE.L1-3.10.4
3.10.5 Control and Manage Physical Access Devices → PE.L1-3.10.5
3.10.6 Alternate Work Site → PE.L2-3.10.6
3.11 Risk Assessment (3 requirements)
3.12 Security Assessment and Monitoring (4 requirements)
3.13 System and Communications Protection (16 requirements)
3.13.1 Boundary Protection → SC.L1-3.13.1
3.13.2 Employ Architectural Designs, Software Development Techniques, and Systems Engineering Principles That Promote Effective Information Security → SC.L2-3.13.2
3.13.3 Separate User Functionality from System Management Functionality → SC.L2-3.13.3
3.13.4 Information in Shared System Resources → SC.L2-3.13.4
3.13.5 Implement Subnetworks for Publicly Accessible System Components That Are Physically or Logically Separated from Internal Networks → SC.L2-3.13.5
3.13.6 Network Communications – Deny by Default – Allow by Exception → SC.L2-3.13.6
3.13.7 Prevent Remote Devices from Simultaneously Establishing Non-Remote Connections with Organizational Systems and Communicating via Some Other Connection to Resources in External Networks (Split Tunneling) → SC.L2-3.13.7
3.13.8 Transmission and Storage Confidentiality → SC.L2-3.13.8
3.13.9 Network Disconnect → SC.L2-3.13.9
3.13.10 Cryptographic Key Establishment and Management → SC.L2-3.13.10
3.13.11 Cryptographic Protection → SC.L2-3.13.11
3.13.12 Collaborative Computing Devices and Applications → SC.L2-3.13.12
3.13.13 Mobile Code → SC.L2-3.13.13
3.13.14 Control and Monitor the Use of Voice over Internet Protocol (VoIP) Technologies → SC.L2-3.13.14
3.13.15 Session Authenticity → SC.L2-3.13.15
3.13.16 Protect the Confidentiality of CUI at Rest → SC.L2-3.13.16
3.14 System and Information Integrity (7 requirements)
3.14.1 Flaw Remediation → SI.L1-3.14.1
3.14.2 Malicious Code Protection → SI.L2-3.14.2
3.14.3 Security Alerts, Advisories, and Directives → SI.L2-3.14.3
3.14.4 Update Malicious Code Protection Mechanisms When New Releases Are Available → SI.L2-3.14.4
3.14.5 Perform Periodic Scans of Organizational Systems and Real-Time Scans of Files from External Sources → SI.L2-3.14.5
3.14.6 System Monitoring → SI.L2-3.14.6
3.14.7 Identify Unauthorized Use of Organizational Systems → SI.L2-3.14.7