NIST 800-171

Summary

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides agencies with recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when that information resides in nonfederal systems and organizations. The version used in this section is SP 800-171 Revision 2, January 2021.

Definitions

Each NIST 800-171 definition is listed below, followed (indented) by the Fluid Attacks requirements that map to it.

Definition / Requirements

1_1. Limit system access to authorized users, processes acting on behalf of authorized users, and devices
    096. Set user's required privileges
1_4. Separate the duties of individuals
    095. Define users with privileges
1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts
    186. Use the principle of least privilege
1_7. Prevent non-privileged users from executing privileged functions
    095. Define users with privileges
    096. Set user's required privileges
    155. Application free of malicious code
1_9. Provide privacy and security notices
    225. Proper authentication responses
1_11. Terminate a user session after a defined condition
    023. Terminate inactive user sessions
1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
    338. Implement perfect forward secrecy
1_16. Authorize wireless access prior to allowing such connections
    206. Configure communication protocols
    253. Restrict network access
1_17. Protect wireless access using authentication and encryption
    228. Authenticate using standard protocols
    229. Request access credentials
    235. Define credential interface
    264. Request authentication
1_18. Control connection of mobile devices
    155. Application free of malicious code
    205. Configure PIN
    206. Configure communication protocols
    210. Delete information from mobile devices
    213. Allow geographic location
    273. Define a fixed security suite
    353. Schedule firmware updates
    354. Prevent firmware downgrades
1_19. Encrypt CUI on mobile devices and mobile computing platforms
    026. Encrypt client-side session information
1_20. Verify and control/limit connections to and use of external systems
    284. Define maximum number of connections
3_6. Provide audit record reduction
    075. Record exceptional events in logs
    322. Avoid excessive logging
3_7. Synchronize internal system clocks with an authoritative source to generate time stamps for audit records
    079. Record exact occurrence time of events
3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion
    080. Prevent log modification
    378. Use of log management system
3_9. Limit management of audit logging functionality to a subset of privileged users
    096. Set user's required privileges
4_2. Establish and enforce security configuration settings for information technology products
    062. Define standard configurations
    266. Disable insecure functionalities
4_3. Track, review, and log changes to organizational systems
    075. Record exceptional events in logs
    376. Register severity level
4_6. Employ the principle of least functionality and provide only essential capabilities
    186. Use the principle of least privilege
4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services
    255. Allow access only to the necessary ports
5_1. Identify system users, processes acting on behalf of users, and devices
    143. Unique access credentials
    351. Assign unique keys to each device
5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
    096. Set user's required privileges
    133. Passwords with at least 20 characters
    138. Define lifespan for temporary passwords
    140. Define OTP lifespan
    229. Request access credentials
    231. Implement a biometric verification component
5_3. Use multifactor authentication for local and network access to privileged accounts
    362. Assign MFA mechanisms to a single account
5_4. Employ replay-resistant authentication mechanisms
    368. Use of indistinguishable response time
5_5. Prevent reuse of identifiers for a defined period
    030. Avoid object reutilization
5_6. Disable identifiers after a defined period of inactivity
    023. Terminate inactive user sessions
    031. Discard user session data
    114. Deny access with inactive credentials
5_7. Enforce a minimum password complexity and change of characters when new passwords are created
    130. Limit password lifespan
    133. Passwords with at least 20 characters
5_9. Allow temporary password use for system logons with an immediate change to a permanent password
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords
5_10. Store and transmit only cryptographically-protected passwords
    134. Store passwords with salt
    135. Passwords with random salt
5_11. Obscure feedback of authentication information
    225. Proper authentication responses