NIST 800-171 Compliance Guideline - University Of Cincinnati


Background

The National Institute of Standards and Technology (NIST) published the 800-171 security requirements, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015. The purpose of that publication is to provide guidance for government contractors to protect certain types of federal information.

NIST 800-171 is a subset of security controls derived from the NIST 800-53 publication. This subset of security controls is required when a non-federal entity is sharing, collecting, processing, storing or transmitting "Controlled Unclassified Information (CUI)" on behalf of a federal government agency. The university most often encounters CUI when conducting research with data owned by a federal agency. For example, all research projects governed by a Department of Defense (DoD) contract must be NIST 800-171 compliant as of December 2017.

How to Use This Document

This document was created as a best effort to assist members of the university community who must comply with NIST 800-171. The 110 NIST 800-171 security controls are divided into 14 control families. Controls are mapped to appropriate university policies, standards or other documents where possible. Additional information related to controls can be found in NIST 800-53.

It is important to note that university policies were developed independent of NIST 800-171 and may not meet NIST requirements. Conformity with the university policies mapped in this document does not imply NIST compliance. Gaps may exist between university policy and NIST 800-171 controls. In an effort to mitigate those gaps and achieve compliance, the Primary Investigator (PI) must follow all NIST control requirements. Compliance with NIST 800-171 cannot be achieved by following university policy exclusively.

The PI should work closely with local and central IT. Local and central IT may implement technical controls related to NIST, but ultimately it is the responsibility of the PI to ensure NIST compliance for their data and research equipment.

NIST 800-171 Compliance Guideline v1.1, Page 1 of 16

6 Steps to NIST 800-171 Compliance

Below are 6 general steps to NIST 800-171 compliance. By following these 6 steps and the 110 NIST 800-171 controls, the PI and the university are well on their way to demonstrating NIST compliance.

1. Locate and Identify: Identify the systems on your network that hold or might hold CUI. These storage locations could include local storage, Network Attached Storage devices, cloud storage, portable hard drives and flash drives. Remove CUI from locations that are not permitted to hold CUI.
2. Categorize: Categorize your data and separate CUI files from non-CUI files. Use this step to reduce unnecessary duplication of data. Steps 1 and 2 are completed by the PI and form the foundation that allows for the effective implementation of additional security controls.
3. Implement Required Controls: Implement the 110 NIST 800-171 controls. Local IT may be able to assist the PI with some of the controls during this stage, but the PI is responsible for NIST compliance.
4. Training: The PI must ensure anyone who has access to their CUI receives training on the fundamentals of information security on a regular basis. In addition, the PI must train individuals on their specific processes and procedures for handling CUI.
5. Monitor: The PI is responsible for providing access and monitoring those who access CUI.
6. Assessment: Conduct security assessments by examining all systems that may contain CUI. Security assessments must be completed on a regular basis.

Protecting confidential information is not only a legal requirement but is the university's ethical obligation.

Control Mapping

Each control below is listed with its NIST 800-171 control number, the NIST 800-53 control(s) it derives from, the NIST requirement, additional details, the responsible party, and the mapped university policy.

3.1 ACCESS CONTROL

3.1.1 (NIST 800-53: AC-2, AC-3)
Requirement: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Additional Details: Maintain a list of authorized users defining their identity and associated role and sync with system, application and data layers. Account requests must be authorized before access is granted.
Responsible Party: Central IT & Local IT
University Policy: Data Governance and Classification Policy

3.1.2 (NIST 800-53: AC-17)
Requirement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Additional Details: Utilize access control (derived from 3.1.1) to limit access to applications and data based on role and/or identity. Log access as appropriate.
Responsible Party: Central IT & Local IT
University Policy: Data Governance and Classification Policy

3.1.3 (NIST 800-53: AC-4)
Requirement: Control the flow of sensitive data in accordance with approved authorizations.
Additional Details: Provide architectural solutions to control the flow of system data. The solutions may include firewalls, proxies, encryption, and other security technologies.
Responsible Party: Central IT & Local IT
University Policy: Information Security Review Policy

3.1.4 (NIST 800-53: AC-5)
Requirement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Additional Details: If a system user accesses data as well as maintains the system in some way, create separate accounts with appropriate access levels to separate functions.
Responsible Party: Local IT & PI
University Policy: Privileged Access Policy; Data Governance and Classification Policy

3.1.5 (NIST 800-53: AC-6(1&5))
Requirement: Employ the principle of least privilege, including for specific security functions and privileged accounts.
Additional Details: Only grant enough privileges to a system user to allow them to sufficiently fulfill their job duties. 3.1.4 references account separation.
Responsible Party: Local IT & PI
University Policy: Privileged Access Policy; Data Governance and Classification Policy

3.1.6 (NIST 800-53: AC-6(2))
Requirement: Use non-privileged accounts or roles when accessing ...
Additional Details: Users with multiple accounts (as defined in 3.1.4 and 3.1.5) must log on with the least privileged account. Most likely, this will be enforced as a policy.
Responsible Party: Local IT & PI
University Policy: Privileged Access Policy; Acceptable Use of Information Technology Policy

3.1.7 (NIST 800-53: —)
Requirement: Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Additional Details: Enable auditing of all privileged functions, and control access using access control lists based on identity or role.
Responsible Party: Central IT
University Policy: Privileged Access Policy

3.1.8 (NIST 800-53: —)
Requirement: Limit unsuccessful logon attempts.
Additional Details: Configure the system to lock the logon mechanism for a predetermined time and lock the user account out of the system after a predetermined number of invalid logon attempts.
Responsible Party: Central IT & Local IT
University Policy: Password Policy

3.1.9 (NIST 800-53: —)
Requirement: Provide privacy and security notices consistent with applicable sensitive data rules.
Additional Details: The logon screen should display appropriate notices.
Responsible Party: Central IT & Local IT
University Policy: Data Governance and Classification Policy

3.1.10 (NIST 800-53: —)
Requirement: Use session lock with pattern-hiding displays to prevent access/viewing of data after a period of inactivity.
Additional Details: Configure the system to lock the session after a predetermined time of inactivity. Allow the user to lock the session for a temporary absence.
Responsible Party: Local IT
University Policy: Data Governance and Classification Policy; Clean Desk Policy

3.1.11 (NIST 800-53: AC-12)
Requirement: Terminate (automatically) a user session after a defined condition.
Additional Details: Configure the system to end a user session after a predetermined time based on duration and/or inactivity of the session.
Responsible Party: Central IT & Local IT
University Policy: Data Governance and Classification Policy; Clean Desk Policy

3.1.12 (NIST 800-53: —)
Requirement: Monitor and control remote access sessions.
Additional Details: Run network and system monitoring applications to monitor remote system access and log accordingly. Control remote access by running only necessary applications, firewalling appropriately, and utilizing end-to-end encryption with appropriate access (re 3.1.1).
Responsible Party: Central IT & Local IT

3.1.13 (NIST 800-53: AC-17(2))
Requirement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Additional Details: Any application used to remotely access the system must use approved encryption methods.
Responsible Party: Central IT

3.1.14 (NIST 800-53: AC-17(3))
Requirement: Route remote access via managed access control points.
Additional Details: Remote access is used by authorized methods only and is maintained by IT Operations.
Responsible Party: Central IT

3.1.15 (NIST 800-53: AC-17(4))
Requirement: Authorize remote execution of privileged commands and remote access to security-relevant information.
Additional Details: Remote access for privileged actions is only permitted for necessary operational functions.
Responsible Party: Central IT

3.1.16 (NIST 800-53: AC-18)
Requirement: Authorize wireless access prior to allowing such connections.
Additional Details: Organization officials will authorize the use of wireless technologies and provide guidance on their use. Wireless network access will be restricted to the established guidelines, monitored, and controlled.
Responsible Party: Central IT
University Policy: Password Policy; Acceptable Use of Information Technology Policy; Data Governance and Classification Policy

3.1.17 (NIST 800-53: AC-18(1))
Requirement: Protect wireless access using authentication and encryption.
Additional Details: Wireless access will be restricted to authorized users only and encrypted according to industry best practices.
Responsible Party: Central IT
University Policy: Password Policy; Acceptable Use of Information Technology Policy; Data Governance and Classification Policy

3.1.18 (NIST 800-53: AC-19)
Requirement: Control connection of mobile devices.
Additional Details: Organization officials will establish guidelines for the use of mobile devices and restrict the operation of those devices to the guidelines. Usage will be monitored and controlled.
Responsible Party: Central IT
University Policy: Password Policy; Acceptable Use of Information Technology Policy; Data Governance and Classification Policy

3.1.19 (NIST 800-53: AC-19(5))
Requirement: Encrypt CUI on mobile devices and mobile computing platforms.
Additional Details: Mobile devices will be encrypted.
Responsible Party: Local IT & PI
University Policy: Data Governance and Classification Policy

3.1.20 (NIST 800-53: AC-20, AC-20(1))
Requirement: Verify and control/limit connections to and use of external information systems.
Additional Details: Guidelines and restrictions will be placed on the use of personally owned or external system access. Only authorized individuals will be permitted external access and those systems must meet the security standards set out by the organization.
Responsible Party: Local IT & PI
University Policy: Data Governance and Classification Policy; Remote Access Standard

3.1.21 (NIST 800-53: AC-20(2))
Requirement: Limit use of organizational portable storage devices on external information systems.
Additional Details: Guidelines and restrictions will be placed on the use of portable storage devices.
Responsible Party: Local IT & PI
University Policy: Data Governance and Classification Policy

3.1.22 (NIST 800-53: AC-22)
Requirement: Control information posted or processed on publicly accessible information systems.
Additional Details: Only authorized individuals will post information on publicly accessible information systems. Authorized individuals will be trained to ensure that non-public information is not posted. Public information will be reviewed annually to ensure that non-public information is not posted.
Responsible Party: Local IT & PI
University Policy: Data Governance and Classification Policy; Acceptable Use of Information Technology Policy

3.2 AWARENESS AND TRAINING

3.2.1 (NIST 800-53: AT-2, AT-3)
Requirement: Ensure that managers, systems administrators and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of organizational information systems.
Additional Details: Users, managers, and system administrators of the information system will receive initial and annual training commensurate with their role and responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, standards, and procedures related to the security of the information system, as well as user actions to maintain security and respond to suspected security incidents. The content will also address awareness of the need for operations security.
Responsible Party: Central IT & Local IT
University Policy: Privileged Access Policy; Acceptable Use of Information Technology Policy; Other Applicable University Policies

3.2.2 (NIST 800-53: AT-2, AT-3)
Requirement: Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Additional Details: Personnel with security-related duties and responsibilities will receive initial and annual training on their specific operational, managerial, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Training will address required security controls related to environmental and physical security risks, as well as training on indications of potentially suspicious email or web communications, to include suspicious communications and other anomalous system behavior.
Responsible Party: Central IT & Local IT
University Policy: Privileged Access Policy; Acceptable Use of Information Technology Policy; Other Applicable University Policies

3.2.3 (NIST 800-53: AT-2(2))
Requirement: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Additional Details: Users, managers, and administrators of the information system will receive annual training on potential indicators and possible precursors of insider threat, to include long-term job dissatisfaction, attempts to gain unauthorized access to information, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security training will include how to communicate employee and management concerns regarding potential indicators of insider threat in accordance with established organizational policies and procedures.
Responsible Party: Central IT & Local IT
University Policy: Privileged Access Policy; Acceptable Use of Information Technology Policy; Information Security Incident Management & Response Policy; Other Applicable University Policies

3.3 AUDIT AND ACCOUNTABILITY

3.3.1 (NIST 800-53: AU-2, AU-3, AU-3(1), AU-6, AU-12)
Requirement: Create, protect and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized, or inappropriate information system activity.
Additional Details: The organization creates, protects and retains information system audit records (following the appropriate retention schedule based on data source and applicable regulations) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Responsible Party: Local IT
University Policy: Information Security Incident Management & Response Policy; Data Governance and Classification Policy

3.3.2 (NIST 800-53: AU-2, AU-3, AU-3(1), AU-6, AU-12)
Requirement: Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Additional Details: The organization correlates network activity to individual user information in order to uniquely trace and hold accountable users responsible for unauthorized actions.
Responsible Party: Central IT & Local IT
University Policy: Password Policy; Privileged Access Policy; Acceptable Use of Information Technology Policy

3.3.3 (NIST 800-53: AU-2(3))
Requirement: Review and update audited events.
Additional Details: The organization reviews and updates audited events annually, in the event of substantial system changes, or as needed, to ensure that the information system is capable of auditing events, to ensure coordination with other organizational entities requiring audit-related information, and to provide a rationale for why auditable events are deemed adequate to support security investigations.
Responsible Party: Local IT
University Policy: Change Management Process Document; Information Security Review; Information Security Incident Management & Response Policy

3.3.4 (NIST 800-53: AU-5)
Requirement: Alert in the event of an audit process failure.
Additional Details: The information system alerts personnel with security responsibilities in the event of an audit processing failure, and maintains audit records on host servers until log delivery to central repositories can be re-established.
Responsible Party: Central IT & Local IT
University Policy: Information Security Incident Management & Response Policy; Acceptable Use of Information Technology Policy

3.3.5 (NIST 800-53: AU-6(3))
Requirement: Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Additional Details: The organization employs automated mechanisms across different repositories to integrate audit review, analysis, correlation, and reporting processes in order to support organizational processes for investigation and response to suspicious activities, as well as to gain organization-wide situational awareness.
Responsible Party: Central IT
University Policy: Information Security Incident Management & Response Policy; Acceptable Use of Information Technology Policy; Other Applicable University Policies

3.3.6 (NIST 800-53: AU-7)
Requirement: Provide audit reduction and report generation to support on-demand analysis and reporting.
Additional Details: The information system's audit capability supports an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact security investigations, and does not alter the original content or time ordering of audit records. The system provides the capability to process audit records for events based on a variety of unique fields, to include user identity, event type, location, times, dates, system resources, IP, or information object accessed.
Responsible Party: Central IT
University Policy: Information Security Incident Management and Response Policy; Vulnerable Electronic Systems Policy; Privileged Access Policy

3.3.7 (NIST 800-53: AU-8, AU-8(1))
Requirement: Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Additional Details: The information system uses internal system clocks to generate time stamps for audit records, and records time stamps that can be mapped to UTC; it compares system clocks with authoritative NTP servers, and synchronizes system clocks when the time difference is greater than 1 second.
Responsible Party: Central IT
University Policy: Server Security Baseline Standard

3.3.8 (NIST 800-53: AU-9)
Requirement: Protect audit information and audit tools from unauthorized access, modification, and deletion.
Additional Details: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Responsible Party: Central IT
University Policy: Data Governance and Classification Policy; Acceptable Use of Information Technology Policy; Privileged Access Policy

3.3.9 (NIST 800-53: AU-9(4))
Requirement: Limit management of audit functionality to a subset of privileged users.
Additional Details: The organization authorizes access to management of audit functionality only to authorized individuals with a designated audit responsibility.
Responsible Party: Central IT
University Policy: Data Governance and Classification Policy; Acceptable Use of Information Technology Policy; Privileged Access Policy

3.4 CONFIGURATION MANAGEMENT

3.4.1 (NIST 800-53: CM-2, CM-6, CM-8, CM-8(1))
Requirement: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
Additional Details: Baseline configurations will be developed, documented, and maintained for each information system type. Baseline configurations will include software versions and patch level, configuration parameters, network information including topologies, and communications with connected systems. Baseline configurations will be updated as needed to accommodate security risks or software changes. Deviations from baseline configurations will be documented.
Responsible Party: Local IT
University Policy: Client Computing Security Standard; Server Security Baseline Standard; Data Governance and Classification Policy

3.4.2 (NIST 800-53: CM-2, CM-6, CM-8, CM-8(1))
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Additional Details: Security settings will be included as part of baseline configurations. Security settings will reflect the most restrictive settings appropriate for compliance requirements. Changes or deviations to security settings will be documented.
Responsible Party: Local IT
University Policy: Privileged Access Policy; Client Computing Security Standard; Server Security Baseline Standard; Risk Acceptance Policy; Information Security Review Policy

3.4.3 (NIST 800-53: CM-3)
Requirement: Track, review, approve/disapprove and audit changes to information systems.
Additional Details: Changes or deviations to information system security control configurations that affect compliance requirements will be reviewed and approved. The changes will also be tracked and documented. Change control tracking will be audited annually.
Responsible Party: Local IT
University Policy: Information Security Review Policy; Risk Acceptance Policy; Change Management Process Document

3.4.4 (NIST 800-53: CM-4)
Requirement: Analyze the security impact of changes prior to implementation.
Additional Details: Changes or deviations that affect information system security controls pertaining to compliance requirements will be tested prior to implementation to test their effectiveness. Only those changes or deviations that continue to meet compliance requirements will be approved and implemented.
Responsible Party: Central IT & Local IT
University Policy: Privileged Access Policy; Client Computing Security Standard; Server Security Baseline Standard; Information Security Review Policy; Change Management Process Document

3.4.5 (NIST 800-53: CM-5)
Requirement: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
Additional Details: Only those individuals approved to make physical or logical changes on information systems will be allowed to do so. Authorized personnel will be approved and documented. All change documentation will include the authorized personnel making the change.
Responsible Party: Central IT & Local IT
University Policy: Vulnerable Electronic Systems Policy; Privileged Access Policy; Client Computing Security Standard; Server Security Baseline Standard

3.4.6 (NIST 800-53: CM-7)
Requirement: Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
Additional Details: Information systems will be configured to deliver one function per system where practical.
Responsible Party: Local IT & PI
University Policy: Privileged Access Policy; Information Security Review Policy; Change Management Process Document

3.4.7 (NIST 800-53: CM-7(1-2))
Requirement: Restrict, disable and prevent the use of nonessential programs, functions, ports, protocols and services.
Additional Details: Only those ports and protocols necessary to provide the service of the information system will be configured for that system. Applications and services not necessary to provide the service of the information system will not be configured or enabled. System services will be reviewed to determine what is essential for the function of that system.
Responsible Party: Local IT
University Policy: Client Computing Security Standard; Server Security Baseline; Risk Acceptance Policy

3.4.8 (NIST 800-53: CM-7(4-5))
Requirement: Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Additional Details: The information system will be configured to only allow authorized software to run. The system will be configured to disallow running unauthorized software. The controls for allowing or disallowing the running of software may include, but are not limited to, the use of firewalls to restrict port access and user operational controls.
Responsible Party: Local IT
University Policy: Client Computing Security Standard; Server Security Baseline Standard; Information Security Review Policy; Risk Acceptance Policy

3.4.9 (NIST 800-53: CM-11)
Requirement: Control and monitor user-installed software.
Additional Details: User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved.
Responsible Party: Local IT
University Policy: Server Security Baseline Standard

3.5 IDENTIFICATION AND AUTHENTICATION

3.5.1 (NIST 800-53: IA-2, IA-5)
Requirement: Identify information system users, processes acting on behalf of users, or devices.
Additional Details: Systems will make use of institutionally assigned accounts for unique access by individual. Should service accounts be necessary for device or process authentication, the accounts will be created by the central identity management team. Institutional and service accounts are managed centrally and deprovisioned automatically when an individual leaves.
Responsible Party: Central IT & Local IT
University Policy: Password Policy; Acceptable Use of Information Technology Policy; Data Governance and Classification Policy

3.5.2 (NIST 800-53: IA-2, IA-5)
Requirement: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Additional Details: Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to faculty and staff upon hire; to students upon matriculation; or to affiliates when sponsored by an authorized faculty or staff member. Access to data associated with the project is controlled through role-based authorization by the project's PI. Initial passwords are randomly generated strings provided via a password reset mechanism to each faculty, staff, student or affiliate. The password must be reset upon first use. Passwords must comply with the university's Password Policy.
Responsible Party: Local IT & PI
University Policy: Password Policy; Acceptable Use of Information Technology Policy; Data Governance and Classification Policy; Privileged Access Policy

3.5.3 (NIST 800-53: IA-2(1-3))
Requirement: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Additional Details: Any network access to servers and virtual machines hosting the project data requires multifactor authentication provided by the university, regardless of whether the account is privileged or unprivileged.
Responsible Party: Local IT
University Policy: Password Policy; Privileged Access Policy

3.5.4 (NIST 800-53: IA-2(8-9))
Requirement: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
Additional Details: Only anti-replay authentication mechanisms will be used. The authentication front-end technologies include Shibboleth, SSH and Microsoft Remote Desktop Protocol. Backend authentication mechanisms in use include Kerberos and Active Directory.
Responsible Party: Central IT & Local IT

3.5.5 (NIST 800-53: IA-4)
Requirement: Prevent reuse of identifiers for a defined period.
Additional Details: Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to faculty, staff, students and affiliates (guests). Account identifiers are not reused.
Responsible Party: Central IT
University Policy: Password Policy; Privileged Access Policy

3.5.6 (NIST 800-53: IA-4)
Requirement: Disable identifiers after a defined period of inactivity.
Additional Details: User accounts or identifiers associated with a project or contract covered by NIST 800-171 are monitored for inactivity. Disable account access to the in-scope systems after 180 days of inactivity.
Responsible Party: Central IT & Local IT
University Policy: Data Governance and Classification Policy; Password Policy

3.5.7 (NIST 800-53: IA-5(1))
Requirement: Enforce a minimum password complexity and change of characters when new passwords are created.
Additional Details: Account passwords must be a minimum of 8 characters and a mix of upper/lower case, numbers and symbols.
Responsible Party: Central IT
University Policy: Password Policy

3.5.8 (NIST 800-53: IA-5(1))
Requirement: Prohibit password reuse for a specified number of generations.
Additional Details: Users may not re-use the same password when changing their password for at least 6 changes.
Responsible Party: Central IT
University Policy: Password Policy

3.5.9 (NIST 800-53: IA-5(1))
Requirement: Allow temporary password use for system logons with an immediate change to a permanent password.
Additional Details: New employees will receive an account and instructions for creating a password during the hiring process. New students receive notification of their account and will need to set their initial password. Temporary passwords are only good to allow for a password reset.
Responsible Party: Central IT
University Policy: Password Policy

3.5.10 (NIST 800-53: IA-5(1))
Requirement: Store and transmit only encrypted representation of passwords.
Additional Details: Passwords are not stored in reversible encryption form in any of our systems. Instead, they are stored as one-way hashes constructed from passwords using AES256 or stronger encryption.
Responsible Party: Central IT & Local IT
University Policy: Password Policy

3.5.11 (NIST 800-53: IA-6)
Requirement: Obscure feedback of authentication information.
Additional Details: The most basic feedback control is never informing the user in an error message what part of the authentication transaction failed. In the case of Shibboleth, for example, the error message is generic regardless of whether the user-id was mistyped, the password was wrong, or (in the case of MFA) there was a problem with the MFA credential provided; the failure simply says that the credentials were invalid. Likewise, unsuccessful authentications at the Kerberos KDCs don't distinguish between the "principal not found" and the "invalid key" case. LDAP-based authentication interfaces only return a "failure to bind" message from both the main LDAPs and the AD.
Responsible Party: Central IT & Local IT
University Policy: Server Security Baseline Standard

3.6 INCIDENT RESPONSE

3.6.1 (NIST 800-53: IR-2, IR-4, IR-5, IR-6, IR-7)
Requirement: Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities.
Additional Details: Develop an institutional incident response policy; specifically outline requirements for handling of incidents involving CUI.
Responsible Party: Central IT
University Policy: Information Security Incident Management and Response Policy and Procedure

3.6.2 (NIST 800-53: IR-2, IR-4, IR-5, IR-6, IR-7)
Requirement: Track, document and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Additional Details: Develop an institutional incident response policy; specifically outline requirements for tracking and reporting of incidents involving CUI to appropriate officials.
Responsible Party: Central IT
University Policy: Information Security Incident Management and Response Policy and Procedure

3.6.3 (NIST 800-53: IR-3, IR-3(2))
Requirement: Test the organizational incident response capability.
Additional Details: Develop an institutional incident response policy; specifically outline requirements for regular testing and reviews/improvements to incident response capabilities.
Responsible Party: Central IT
University Policy: Information Security Incident Management and Response Policy and Procedure

3.7 MAINTENANCE

3.7.1 (NIST 800-53: MA-2, MA-3, MA-3(2, 1))
Requirement: Perform maintenance on organizational information systems.
Additional Details: All systems, devices and supporting systems for organizational information systems must be maintained according to manufacturer recommendations or organizationally defined schedules.
Responsible Party: Local IT
University Policy: Vulnerable Electronic Systems Policy; Critical Server Security Standard; Server Security Baseline Standard
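Rows 3.5.6, 3.5.7, 3.5.8 and 3.5.11 above state concrete parameters: disable after 180 days of inactivity, passwords of at least 8 characters mixing upper/lower case, digits and symbols, no reuse for 6 changes, and one generic failure message whatever the cause. The following Python is an added example written for this guideline, not code from the university; it enforces those four rules over a constructed in-memory account store with its own salted scrypt hashing (the page's 3.5.10 wording is not reproduced), and it also equalizes the unknown-user path's cost, a timing caveat the page does not discuss.

```python
"""Account-policy checks for guideline rows 3.5.6, 3.5.7, 3.5.8 and 3.5.11.
Constructed example, not the university's code: an in-memory account store
enforcing the parameters stated on the page, with salted scrypt hashing."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=180)  # 3.5.6: disable idle identifiers
MIN_LENGTH = 8                          # 3.5.7: minimum password length
HISTORY_DEPTH = 6                       # 3.5.8: no reuse for 6 changes
GENERIC_FAILURE = "Authentication failed: invalid credentials"  # 3.5.11


def complexity_errors(password: str) -> List[str]:
    """Return the 3.5.7 rules a candidate password violates (empty if it passes)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash; returns (salt, digest). Cost parameters are modest for the example."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**12, r=8, p=1)


def digest_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Hashed on unknown-user lookups so that path costs the same as a real check
# (no timing hint about whether the identifier exists; the page does not cover this).
_DUMMY = hash_password("not-a-real-password")


@dataclass
class Account:
    user_id: str
    last_activity: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest last
    disabled: bool = False


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, user_id: str, password: str, now: datetime) -> List[str]:
        """Create an account if the initial password passes 3.5.7; returns violations."""
        errors = complexity_errors(password)
        if not errors:
            self._accounts[user_id] = Account(user_id, now, [hash_password(password)])
        return errors

    def change_password(self, user_id: str, new_password: str, now: datetime) -> List[str]:
        """Apply 3.5.7 and 3.5.8; returns the violations, empty on success."""
        acct = self._accounts[user_id]
        errors = complexity_errors(new_password)
        recent = acct.history[-HISTORY_DEPTH:]  # current password plus up to 5 predecessors
        if any(digest_matches(new_password, s, d) for s, d in recent):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        acct.history = (acct.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
        acct.last_activity = now
        return []

    def disable_inactive(self, now: datetime) -> List[str]:
        """3.5.6: disable every account idle for more than 180 days; returns their ids."""
        disabled = []
        for acct in self._accounts.values():
            if not acct.disabled and now - acct.last_activity > INACTIVITY_LIMIT:
                acct.disabled = True
                disabled.append(acct.user_id)
        return disabled

    def authenticate(self, user_id: str, password: str, now: datetime) -> Tuple[bool, str]:
        """3.5.11: unknown user, disabled account and wrong password all return the same
        message; the real reason belongs only in an internal audit log."""
        acct = self._accounts.get(user_id)
        if acct is None:
            digest_matches(password, *_DUMMY)  # burn the same work as a real check
            return False, GENERIC_FAILURE
        ok = digest_matches(password, *acct.history[-1])  # always hash, even if disabled
        if acct.disabled or not ok:
            return False, GENERIC_FAILURE
        acct.last_activity = now
        return True, "ok"
```

The reuse window is the current password plus its five predecessors, so a password becomes acceptable again only on the seventh change, which is how the "for at least 6 changes" wording is read here.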

3.7.2 (NIST 800-53: MA-2, MA-3, MA-3(2, 1))
Requirement: Provide effective controls on the tools, techniques, mechanisms and personnel used to conduct information system maintenance.
Additional Details: Organizations will put in plac

