
NIST 800-171



NIST Special Publication 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides agencies with recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI) when that information resides in nonfederal systems and organizations. The version used in this section is SP 800-171 revision 2, January 2021.


Each entry below lists a NIST 800-171 requirement followed by the requirements that address it.

1_1. Limit system access to authorized users, processes acting on behalf of authorized users and devices
    096. Set user's required privileges

1_4. Separate the duties of individuals
    095. Define users with privileges

1_5. Employ the principle of least privilege, including for specific security functions and privileged accounts
    186. Use the principle of least privilege

1_7. Prevent non-privileged users from executing privileged functions
    095. Define users with privileges
    096. Set user's required privileges
    155. Application free of malicious code

1_9. Provide privacy and security notices
    225. Proper authentication responses

1_11. Terminate a user session after a defined condition
    023. Terminate inactive user sessions

1_13. Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
    147. Use pre-existent mechanisms
    224. Use secure cryptographic mechanisms
    338. Implement perfect forward secrecy

1_16. Authorize wireless access prior to allowing such connections
    206. Configure communication protocols
    253. Restrict network access

1_17. Protect wireless access using authentication and encryption
    228. Authenticate using standard protocols
    229. Request access credentials
    235. Define credential interface
    264. Request authentication

1_18. Control connection of mobile devices
    155. Application free of malicious code
    205. Configure PIN
    206. Configure communication protocols
    210. Delete information from mobile devices
    213. Allow geographic location
    273. Define a fixed security suite
    353. Schedule firmware updates
    354. Prevent firmware downgrades

1_19. Encrypt CUI on mobile devices and mobile computing platforms
    026. Encrypt client-side session information

1_20. Verify and control/limit connections to and use of external systems
    284. Define maximum number of connections

3_6. Provide audit record reduction
    075. Record exceptional events in logs
    322. Avoid excessive logging

3_7. Synchronize internal system clocks with an authoritative source to generate time stamps for audit records
    079. Record exact occurrence time of events

3_8. Protect audit information and audit logging tools from unauthorized access, modification, and deletion
    080. Prevent log modification
    378. Use of log management system

3_9. Limit management of audit logging functionality to a subset of privileged users
    096. Set user's required privileges

4_2. Establish and enforce security configuration settings for information technology products
    062. Define standard configurations
    266. Disable insecure functionalities

4_3. Track, review and log changes to organizational systems
    075. Record exceptional events in logs
    376. Register severity level

4_6. Employ the principle of least functionality and provide only essential capabilities
    186. Use the principle of least privilege

4_7. Restrict, disable, or prevent the use of nonessential functions, ports, protocols, and services
    255. Allow access only to the necessary ports

5_1. Identify system users, processes acting on behalf of users, and devices
    143. Unique access credentials
    351. Assign unique keys to each device

5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
    096. Set user's required privileges
    133. Passwords with at least 20 characters
    138. Define lifespan for temporary passwords
    140. Define OTP lifespan
    229. Request access credentials
    231. Implement a biometric verification component

5_3. Use multifactor authentication for local and network access to privileged accounts
    362. Assign MFA mechanisms to a single account

5_4. Employ replay-resistant authentication mechanisms
    368. Use of indistinguishable response time

5_5. Prevent reuse of identifiers for a defined period
    030. Avoid object reutilization

5_6. Disable identifiers after a defined period of inactivity
    023. Terminate inactive user sessions
    031. Discard user session data
    114. Deny access with inactive credentials

5_7. Enforce a minimum password complexity and change of characters when new passwords are created
    130. Limit password lifespan
    133. Passwords with at least 20 characters

5_9. Allow temporary password use for system logons with an immediate change to a permanent password
    136. Force temporary password change
    137. Change temporary passwords of third parties
    138. Define lifespan for temporary passwords

5_10. Store and transmit only cryptographically-protected passwords
    134. Store passwords with salt
    135. Passwords with random salt

5_11. Obscure feedback of authentication information
    225. Proper authentication responses