The Ultimate Beginner’s Guide to NIST SP 800-171 Compliance

Access Control

The Access Control family of controls includes measures to ensure that only authorized personnel can access sensitive information. This includes measures such as user identification and authentication, access controls for privileged users, and access controls for network devices.

There are 22 requirements in the Access Control family, including:

• • Limiting system access to authorized users, processes, or devices only
  • Using unique user identifiers and authenticators to verify user identities
  • Enforcing password complexity and length requirements
  • Implementing session lock and termination procedures
  • Limiting unsuccessful login attempts
  • Implementing access control for network devices

The Access Control family is important because it ensures that only authorized individuals can access sensitive information and systems, which helps prevent unauthorized access and data breaches.

Awareness and Training

The Awareness and Training family of controls includes measures to ensure that all personnel are aware of their roles and responsibilities regarding cybersecurity. This includes regular cybersecurity training for all personnel, as well as security awareness campaigns to educate personnel about cybersecurity threats and best practices.

There are 4 requirements in the Awareness and Training family, including:

• Providing initial and annual cybersecurity awareness training to all personnel
• Incorporating cybersecurity awareness into existing training programs
• Regularly reminding personnel of their cybersecurity responsibilities
• Ensuring that personnel acknowledge receipt and understanding of cybersecurity policies

The Awareness and Training family is important because it helps ensure that all individuals who have access to sensitive information and systems are aware of security best practices and procedures. This reduces the risk of human error and helps prevent security incidents.

Audit and Accountability

The Audit and Accountability family of controls includes measures to ensure that all access to sensitive information is logged and auditable. This includes requirements for audit logs, audit trails, and the ability to trace actions to individual users.

There are 13 requirements in the Audit and Accountability family, including:

• Creating and maintaining audit logs for all system and network activity
• Protecting audit logs from unauthorized access or modification
• Creating audit trails that will be traced to individual users
• Reviewing and analyzing audit logs regularly
• Reporting any suspicious activity to appropriate personnel

The Audit and Accountability family is important because it ensures that all system activity is monitored and audited, which helps detect and respond to security incidents in a timely manner.

Configuration Management

The Configuration Management family of controls includes measures to ensure that all hardware and software configurations are managed and tracked to prevent unauthorized changes. This includes requirements for hardware and software inventory, configuration baselines, and change management processes.

There are 9 requirements in the Configuration Management family, including:

• Developing and maintaining an inventory of all hardware and software assets
• Implementing a formal configuration management process
• Tracking and controlling changes to hardware and software
• Using secure baseline configurations for hardware and software
• Testing and validating changes before implementation

The Configuration Management family is important because it ensures that all system configurations are properly documented, managed, and controlled, which helps prevent unauthorized changes and ensures system stability.

Identification and Authentication

The Identification and Authentication family of controls includes measures to ensure that users are properly identified and authenticated before they can access sensitive information. This includes requirements for multi-factor authentication, password complexity, and password storage and protection.

There are 11 requirements in the Identification and Authentication family, including:

• Verifying the identity of all users before allowing access to systems or information
• Using multi-factor authentication for network access and other high-risk activities
• Protecting authentication credentials from unauthorized disclosure or modification
• Enforcing password complexity and length requirements
• Changing default passwords before deployment

The Identification and Authentication family is important because it ensures that individuals who access sensitive information and systems are properly identified and authenticated, which helps prevent unauthorized access and data breaches.

Incident Response

The Incident Response family of controls includes measures to ensure that organizations are prepared to respond to cybersecurity incidents. This includes requirements for incident response planning, incident detection and analysis, and incident containment and eradication.

There are 7 requirements in the Incident Response family, including:

• Developing and maintaining an incident response plan
• Establishing procedures for detecting and reporting incidents
• Establishing procedures for containing and eradicating incidents
• Establishing procedures for conducting forensic analysis
• Testing the incident response plan regularly

The Incident Response family is important because it ensures that there are plans and procedures in place to detect, respond to, and recover from security incidents. This helps minimize the impact of security incidents and helps ensure the continuity of operations.

Maintenance

The Maintenance family of controls includes measures to ensure that all hardware and software is maintained in a secure and up-to-date manner. This includes requirements for patch management, vulnerability scanning, and system and component inventory.

There are 9 requirements in the Maintenance family, including:

• Developing and maintaining an inventory of all hardware and software assets
• Installing security-relevant software updates and patches in a timely manner
• Scanning for and remediating vulnerabilities in a timely manner
• Using only supported software and hardware
• Disabling or removing unnecessary hardware and software

The Maintenance family is important because it ensures that all systems and equipment are properly maintained and updated, which helps prevent vulnerabilities and ensures system reliability.

Media Protection

The Media Protection family of controls includes measures to ensure that all sensitive information stored on physical media is protected from unauthorized access. This includes requirements for media sanitization, media storage, and media transport.

There are 8 requirements in the Media Protection family, including:

• Implement procedures for sanitizing or destroying media before disposal or reuse
• Protect media during transport
• Store media in secure locations with limited access
• Ensure that all media is labeled and tracked
• Verify the authenticity and integrity of all media received from external sources

The Media Protection family is important because it ensures that all media containing sensitive information is properly controlled and protected, which helps prevent unauthorized access and data breaches.

Personnel Security

The Personnel Security family of controls includes measures to ensure that all personnel with access to sensitive information are properly vetted and trained. This includes requirements for background checks, security clearances, and termination procedures.

There are 7 requirements in the Personnel Security family, including:

• Screen all personnel before granting access to systems or information
• Provide security awareness training to all personnel
• Ensure that personnel with access to sensitive information have the appropriate security clearances
• Ensure that personnel are aware of their security responsibilities
• Establish procedures for terminating access when personnel leave the organization

The Personnel Security family is important because it ensures that individuals who have access to sensitive information and systems are properly vetted and screened, which helps prevent insider threats and unauthorized access.

Physical Protection

The Physical Protection family of controls includes measures to ensure that all physical access to sensitive information is protected from unauthorized access. This includes requirements for physical access controls, visitor controls, and security monitoring.

There are 12 requirements in the Physical Protection family, including:

• Implementing access controls for physical facilities
• Using surveillance cameras and alarms to detect unauthorized access
• Screening all visitors before granting access to physical facilities
• Maintaining an accurate visitor log
• Escorting visitors when necessary

The Physical Protection family is important because it ensures that all physical access to sensitive information and systems is properly controlled and monitored, which helps prevent unauthorized access and theft.

Risk Assessment 

The Risk Assessment family of controls includes measures to ensure that organizations have identified and assessed all potential cybersecurity risks. This includes requirements for risk assessments, risk management plans, and risk mitigation strategies.

There are 3 requirements in the Risk Assessment family, including:

• Conducting periodic risk assessments to identify and manage risks to systems and data
• Documenting risk assessment results and using them to inform security planning
• Incorporating risk assessments into the overall security program

The Risk Assessment family is important because it ensures that all risks to systems and data are properly identified and managed, which helps prevent security incidents and ensures the continuity of operations.

Security Assessment

The Security Assessment family of controls includes measures to ensure that all security controls are tested and evaluated on a regular basis. This includes requirements for vulnerability scanning, penetration testing, and security control assessments.

There are 3 requirements in the Security Assessment family, including:

• Conducting periodic assessments of security controls to determine their effectiveness
• Documenting assessment results and using them to inform security planning
• Incorporating security assessments into the overall security program

The Security Assessment family is important because it ensures that all security controls are periodically assessed for effectiveness, which helps identify vulnerabilities and ensures the continuous improvement of the security program.

System and Communications Protection

The System and Communications Protection family of controls includes measures to ensure that all communication and system access is protected from unauthorized access. This includes requirements for network segmentation, encryption, and boundary protections.

There are 16 requirements in the System and Communications Protection family, including:

• Implementing boundary protection for networks and systems
• Enforcing strict control over network ports, protocols, and services
• Implementing cryptographic protections for data at rest and in transit
• Using secure configurations for network devices and systems
• Implementing strict control over remote access to systems

The System and Communications Protection family is important because it ensures that all systems and communications are properly protected and secured, which helps prevent unauthorized access and data breaches.

System and Information Integrity

The System and Communications Protection family of controls requires measures that protect all communication and system access from unauthorized access. This involves network segmentation, encryption, and boundary protections implementation.

There are 7 requirements in the System and Information Integrity family, including:

• Implementing malware protections for all systems
• Monitoring systems for unauthorized changes
• Protecting system integrity by using approved software only
• Implementing procedures for detecting and reporting suspected security incidents
• Conducting periodic vulnerability scans and remediation.

The System and Information Integrity family is important because it ensures that all systems and information are properly protected from malware and unauthorized changes, which helps prevent security incidents and ensures system integrity.

NIST SP 800-171 has undergone several revisions since its initial release in 2015. The most recent update was released in December 2020, which is Revision 2. Some of the notable revisions made to NIST SP 800-171 include:

1. Introduction of new controls: NIST SP 800-171 Revision 2 added four new controls to address supply chain security, including requirements for limiting communications with foreign-owned or operated entities and verifying the integrity of software and firmware.
2. Clarification of existing controls: Some controls were clarified and updated to provide more detailed guidance and examples. For example, the requirement for “least privilege” access was clarified to provide more information on how to implement this control.
3. Removal of outdated controls: NIST SP 800-171 Revision 2 removed some outdated controls that were no longer considered effective or necessary.
4. Integration with other cybersecurity standards: NIST SP 800-171 Revision 2 includes references to other cybersecurity standards, such as NIST SP 800-53, to provide more comprehensive guidance on implementing effective cybersecurity practices.
5. Emphasis on compliance and enforcement: NIST SP 800-171 Revision 2 places more emphasis on compliance and enforcement, including requirements for reporting security incidents and conducting security assessments.