NIST 800 171 Compliance Scoping Guide

for more guidance you can call
NIST 800-171 Control Number Control Type Control Family

First Team Cyber, LLC at
Limit information system access

to authorized users, processes
3.1.1 Basic Access Control acting on behalf of authorized
users, or devices (including other
information systems).
Limit information system access

to the types of transactions and
3.1.2 Derived Access Control
functions that authorized users
are permitted to execute.
Control the flow of CUI in

3.1.3 Derived Access Control accordance with approved
authorizations.
Separate the duties of individuals
3.1.4 Derived Access Control to reduce the risk of malevolent
activity without collusion.
Employ the principle of least

privilege, including for specific
security functions and privileged
accounts.
Use non-privileged accounts or

3.1.6 Derived Access Control roles when accessing nonsecurity
functions.
Prevent non-privileged users from

executing privileged functions and
audit the execution of such
functions.
Limit unsuccessful logon
attempts.
Provide privacy and security

3.1.9 Derived Access Control notices consistent with applicable
CUI rules.
Use session lock with pattern-

hiding displays to prevent
3.1.10 Basic Access Control
access/viewing of data after
period of inactivity.
Terminate (automatically) a user

session after a defined condition.
Monitor and control remote
access sessions.
Employ cryptographic
mechanisms to protect the
confidentiality of remote access
sessions.
Route remote access via managed

access control points.
Authorize remote execution of

privileged commands and remote
access to security-relevant
information.
Authorize wireless access prior to
allowing such connections.
Protect wireless access using

authentication and encryption.
Control connection of mobile

devices.
3.1.19 Derived Access Control Encrypt CUI on mobile devices.

Verify and control/limit
3.1.20 Derived Access Control connections to and use of
external information systems.
Limit use of organizational

3.1.21 Derived Access Control portable storage devices on
external information systems.
Control information posted or

3.1.22 Derived Access Control processed on publicly accessible
information systems.
Ensure that managers, systems

administrators, and users of
organizational information
systems are made aware of the
Awareness and security risks associated with their
3.2.1 Basic
Training activities and of the applicable
policies, standards, and
procedures related to the security
of organizational information
systems.
Ensure that organizational
personnel are adequately trained
Awareness and
3.2.2 Basic to carry out their assigned
Training
information security-related
duties and responsibilities.
Provide security awareness

Awareness and training on recognizing and
3.2.3 Derived
Training reporting potential indicators of
insider threat.
Create, protect, and retain

information system audit records
to the extent needed to enable
Audit and the monitoring, analysis,
3.3.1 Basic
Accountability investigation, and reporting of
unlawful, unauthorized, or
inappropriate information system
activity.
Ensure that the actions of

Audit and individual information system
3.3.2 Basic users can be uniquely traced to
Accountability
those users so they can be held
accountable for their actions.
Audit and Review and update audited
3.3.3 Derived
Accountability events.
Audit and Alert in the event of an audit

3.3.4 Derived
Accountability process failure.
Use automated mechanisms to

integrate and correlate audit
Audit and review, analysis, and reporting
3.3.5 Derived processes for investigation and
Accountability
response to indications of
inappropriate, suspicious, or
unusual activity.
Audit and Provide audit reduction and

3.3.6 Derived report generation to support on-
Accountability
demand analysis and reporting.
Provide an information system
capability that compares and
Audit and synchronizes internal system
3.3.7 Derived
Accountability clocks with an authoritative
source to generate time stamps
for audit records.
Protect audit information and

Audit and audit tools from unauthorized
3.3.8 Derived
Accountability access, modification, and
deletion.
Audit and Limit management of audit

3.3.9 Derived functionality to a subset of
Accountability
privileged users.
Establish and maintain baseline

configurations and inventories of
Configuration systems (including hardware,
3.4.1 Basic
Management software, firmware, and
documentation) throughout the
respective system development
life cycles.
Establish and enforce security
configuration settings for
Configuration
3.4.2 Basic information technology products
Management
employed in organizational
Track, review,
Configuration
3.4.3 Derived approve/disapprove, and audit
Management
changes to information systems.
Configuration Analyze the security impact of

3.4.4 Derived
Management changes prior to implementation.
Define, document, approve, and

Configuration enforce physical and logical
3.4.5 Derived access restrictions associated with
Management
changes to the information
system.
Employ the principle of least
Configuration functionality by configuring the
3.4.6 Derived
Management information system to provide
only essential capabilities.
Restrict, disable, and prevent the

Configuration use of nonessential programs,
3.4.7 Derived
Management functions, ports, protocols, and
services.
Apply deny-by-exception
(blacklist) policy to prevent the
Configuration use of unauthorized software or
3.4.8 Derived
Management deny-all, permit-by-exception
(whitelisting) policy to allow the
execution of authorized software.
Configuration Control and monitor user-

3.4.9 Derived
Management installed software.
Identify information system users,
Identification and
3.5.1 Basic processes acting on behalf of
Authentication
users, or devices.
Authenticate (or verify) the

identities of those users,
Identification and processes, or devices, as a
3.5.2 Basic
Authentication prerequisite to allowing access to
systems.
Use multifactor authentication for

Identification and local and network access to
3.5.3 Derived privileged accounts and for
Authentication
network access to non-privileged
accounts.
Employ replay-resistant
Identification and authentication mechanisms for
3.5.4 Derived
Authentication network access to privileged and
non-privileged accounts.
Identification and Prevent reuse of identifiers for a
3.5.5 Derived
Authentication defined period.
Identification and Disable identifiers after a defined

3.5.6 Derived
Authentication period of inactivity.
Enforce a minimum password

Identification and complexity and change of
3.5.7 Derived
Authentication characters when new passwords
are created.
Identification and Prohibit password reuse for a

3.5.8 Derived
Authentication specified number of generations.
Allow temporary password use
Identification and for system logons with an
3.5.9 Derived
Authentication immediate change to a
permanent password.
Identification and Store and transmit only encrypted

3.5.10 Derived
Authentication representation of passwords.
Identification and Obscure feedback of

3.5.11 Derived
Authentication authentication information.
Establish an operational incident-

handling capability for
Incident organizational information
3.6.1 Basic systems that includes adequate
Response
preparation, detection, analysis,
containment, recovery, and user
response activities.
Track, document, and report
Incident incidents to appropriate officials
3.6.2 Basic
Response and/or authorities both internal
and external to the organization.
Incident Test the organizational incident

3.6.3 Derived
Response response capability.
Perform maintenance on
3.7.1 Basic Maintenance organizational information
systems.
Provide effective controls on the

tools, techniques, mechanisms,
3.7.2 Basic Maintenance
and personnel used to conduct
information system maintenance.
Ensure equipment removed for
3.7.3 Derived Maintenance off-site maintenance is sanitized
of any CUI.
Check media containing

diagnostic and test programs for
3.7.4 Derived Maintenance malicious code before the media
are used in the information
system.
Require multifactor
authentication to establish
nonlocal maintenance sessions via
3.7.5 Derived Maintenance external network connections and
terminate such connections when
nonlocal maintenance is
complete.
Supervise the maintenance

activities of maintenance
3.7.6 Derived Maintenance
personnel without required
access authorization.
Protect (i.e., physically control
and securely store) information
3.8.1 Basic Media Protection
system media containing CUI,
both paper and digital.
Limit access to CUI on information

system media to authorized users.
Sanitize or destroy information

system media containing CUI
before disposal or release for
reuse.
Mark media with necessary CUI

3.8.4 Derived Media Protection markings and distribution
limitations.
Control access to media
containing CUI and maintain
3.8.5 Derived Media Protection accountability for media during
transport outside of controlled
areas.
Implement cryptographic
mechanisms to protect the
confidentiality of CUI stored on
3.8.6 Derived Media Protection
digital media during transport
unless otherwise protected by
alternative physical safeguards.
Control the use of removable

3.8.7 Derived Media Protection media on information system
components.
Prohibit the use of portable

storage devices when such
devices have no identifiable
owner.
Protect the confidentiality of
backup CUI at storage locations.
Screen individuals prior to

Personnel
3.9.1 Basic authorizing access to information
Security
systems containing CUI.
Ensure that CUI and information

Personnel systems containing CUI are
3.9.2 Basic protected during and after
Security
personnel actions such as
terminations and transfers.
Limit physical access to

Physical systems, equipment, and the
3.10.1 Basic
Protection respective operating
environments to authorized
individuals.
Protect and monitor the physical
Physical
3.10.2 Basic facility and support infrastructure
Protection
for those information systems.
Physical Escort visitors and monitor visitor

3.10.3 Derived
Protection activity.
Physical Maintain audit logs of physical

3.10.4 Derived
Protection access.
Physical Control and manage physical

3.10.5 Derived
Protection access devices.
Enforce safeguarding measures
Physical
3.10.6 Derived for CUI at alternate work sites
Protection
(e.g., telework sites).
Periodically assess the risk to

organizational operations
(including mission, functions,
image, or reputation),
organizational assets, and
3.11.1 Basic Risk Assessment
individuals, resulting from the
operation of organizational
information systems and the
associated processing, storage, or
transmission of CUI.
Scan for vulnerabilities in the

information system and
3.11.2 Derived Risk Assessment applications periodically and
when new vulnerabilities affecting
the system are identified.
Remediate vulnerabilities in
3.11.3 Derived Risk Assessment accordance with assessments of
risk.
Periodically assess the security
controls in organizational
Security
3.12.1 Basic information systems to determine
Assessment
if the controls are effective in
their application.
Develop and implement plans of

action designed to correct
Security deficiencies and reduce or
3.12.2 Basic
Assessment eliminate vulnerabilities in
systems.
Monitor information system

Security security controls on an ongoing
3.12.3 Basic
Assessment basis to ensure the continued
effectiveness of the controls.
Monitor, control, and protect

organizational communications
(i.e., information transmitted or
System and received by organizational
3.13.1 Basic Communications
information systems) at the
Protection
external boundaries and key
internal boundaries of the
Employ architectural designs,
software development
System and techniques, and systems
3.13.2 Basic Communications engineering principles that
Protection promote effective information
security within organizational
System and Separate user functionality from

3.13.3 Derived Communications information system management
Protection functionality.
System and Prevent unauthorized and

3.13.4 Derived Communications unintended information transfer
Protection via shared system resources.
Implement subnetworks for

System and publicly accessible system
3.13.5 Derived Communications components that are physically or
Protection logically separated from internal
networks.
Deny network communications
System and traffic by default and allow
3.13.6 Derived Communications network communications traffic
Protection by exception (i.e., deny all, permit
by exception).
Prevent remote devices from

simultaneously establishing non-
System and remote connections with the
3.13.7 Derived Communications information system and
Protection communicating via some other
connection to resources in
external networks.
Implement cryptographic
mechanisms to prevent
System and unauthorized disclosure of CUI
3.13.8 Derived Communications
during transmission unless
Protection
otherwise protected by
alternative physical safeguards.
Terminate network connections

System and associated with communications
3.13.9 Derived Communications sessions at the end of the sessions
Protection or after a defined period of
inactivity.
Establish and manage
System and
cryptographic keys for
cryptography employed in the
Protection
information system;
System and Employ FIPS-validated

3.13.11 Derived Communications cryptography when used to
Protection protect the confidentiality of CUI.
Prohibit remote activation of

System and collaborative computing devices
3.13.12 Derived Communications and provide indication of devices
Protection in use to users present at the
device.
System and Control and monitor the use of

mobile code.
Protection
System and Control and monitor the use of
3.13.14 Derived Communications Voice over Internet Protocol
Protection (VoIP) technologies.
System and
Protect the authenticity of
communications sessions.
Protection
System and Protect the confidentiality of CUI

at rest.
Protection
System and Identify, report, and correct

3.14.1 Basic Information information and information
Integrity system flaws in a timely manner.
Provide protection from malicious
System and
code at appropriate locations
3.14.2 Basic Information
within organizational information
Integrity
systems.
Monitor information system

System and
security alerts and advisories and
3.14.3 Basic Information
take appropriate actions in
Integrity
response.
System and Update malicious code protection

3.14.4 Derived Information mechanisms when new releases
Integrity are available.
Perform periodic scans of the

System and information system and real-time
3.14.5 Derived Information scans of files from external
Integrity sources as files are downloaded,
opened, or executed.
Monitor the information system
System and including inbound and outbound
3.14.6 Derived Information communications traffic, to detect
Integrity attacks and indicators of potential
attacks.
System and
Identify unauthorized use of the
3.14.7 Derived Information
information system.
Integrity
NIST 800-171 Compliance Scoping Guide
for more information you may contact us at info@FirstTeamCyber.com or 877-684-TEA
Response
Maintain list of authorized users defining their identity and associated role and sync with system, application and data layers.
authorized before access is granted.
Utilize access control lists (derived from 3.1.1) to limit access to applications and data based on role and/or identity. Log acce
Provide architectual solutions to control the flow of system data. The solutions may include firewalls, proxies, encryption, and
If a system user accesses data as well as maintains the system in someway, create separate accounts with approriate access l
Only grant enough privileges to a system user to allow them to sufficiently fulfill their job duties. 3.1.4 references account sep
Users with multiple accounts (as defined in 3.1.4 and 3.1.5) must logon with the least privileged account. Most likely, this will
REWORD. POLICY
Enable auditing of all privileged functions, and control access using access control lists based on identity or role.
Configure system to lock logon mechanism for a predetermined time and lock user account out of system after a predetermin
attempts.
Logon screen should display appropriate notices.
Configure system to lock session after a predetermined time of inactivity. Allow user to lock session for temporary absence.
Configure system to end a user session after a predetermined time based on duration and/or inactivity of session.
Run network and system monitoring applications to monitor remote system access and log accordingly. Control remote acce
applications, firewalling appropriately, and utilize end to end encryption with appropriate access (re 3.1.1)
Any application used to remotely access the system must use approved encryption methods.
Remote access is by authorized methods only and is maintained by IT Operations.
Remote access for privileged actions is only permitted for necessary operational functions.
Organization officials will authorize the use of wireless technologies and provide guidance on their use. Wireless network acc
established guidelines, monitored, and controlled.
Wireless access will restricted to authorized users only and encrypted according to industry best practices.
Organization officials will establish guidelines for the use of mobile devices and restrict the operation of those devices to the
monitored and controlled.
Mobile devices will be encrypted.

Guidelines and restrictions will be placed on the use of personally owned or external system access. Only authorized individu
access and those systems must meet the security standards set out by the organization.
Guidelines and restrictions will be placed on the use of portable storage devices.
Only authorized individuals will post information on publically accessible information systems. Authorized individuals will be t
public information is not posted. Public information will be reviewed annually to ensure that non-public information is not po
Users, managers, and system administrators of the information system will receive initial and annual training commensurate
responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, stan
to the security of the information system, as well as user actions to maintain security and respond to suspected security incid
address awareness of the need for operations security.
Personnel with security-related duties and responsibilities will receive initial and annual training on their specific operational,
roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Training will address
related to environmental and physical security risks, as well as training on indications of potentially suspicious email or web c
suspicious communications and other anomalous system behavior.
Users, managers, and administrators of the information system will receive annual training on potential indicators and possib
threat, to include long-term job dissatisfaction, attempts to gain unauthorized accesss to information, unexplained access to
or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, proced
practices. Security training will include how to communicate employee and management concerns regarding potential indica
accordance with established organizational policies and procedures.
The organization creates, protects, retains information system audit records for between 30-days and 1-year (depending on d
regulations) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropri
activity.
The organization correlates network activity to individual user information order to uniquely trace and hold accountable user
unauthorized actions.
The organization reviews and updates audited events annually or in the event of substantial system changes or as needed, to
system is capable of auditing the following events, to ensure coordination with other organizational entities requiring audit-r
provide a rational for why auditable events are deemed adequate to support security investigations.
The information system alerts personnel with security responsibilities in the event of an audit processing failure, and maintai
servers until log delivery to central repositories can be re-established.
The organization employs automated mechanisms across different repositories to integrate audit review, analysis, correlation
order to support organizational processes for investigation and response to suspicious activities, as well as gain organization-
The information system's audit capability supports an audit reduction and report generation capability that supports on-dem
and reporting requirements and after-the-fact security investigations; and does not alter the original content or time ordering
system provides the capability to process audit records for events based on a variety of unique fields, to include user identity
dates, system resources, IP, or information object accessed.
The information system uses internal system clocks to generate time stamps for audit records, and records time stamps that
compares system clocks with authoritative NTP servers, and synchronizes system clocks when the time difference is greater t
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
The organization authorizes access to management of audit functionality to only authorized individuals with a designated aud
Baseline configurations will be developed, documented, and maintained for each information system type. Baseline configura
versions and patch level, configuration parameters, network information including topologies, and communications with con
configurations will be updated as needed to accomodate security risks or software changes. Baseline configurations will be de
conjunction with the CISO (or equivalent) and the information security owner. Deviations from baseline configurations will be
Security settings will be included as part of baseline configurations. Security settings will reflect the most restrictive appropria
requirements. Changes or deviations to security settings will be documented.
Changes or deviations to information system security control configurations that affect compliance requirements will be revie
change advisory board. The changes will also be tracked and documented in an approved service management system (ITSM
service. Change control tracking will be audited annually.
Changes or deviations that affect information system security controls pertaining to compliance requirments will be tested pr
their effectiveness. Only those changes or deviations that continue to meet compliance requirements will be approved and im
Only those individuals approved to make physical or logical changes on information systems will be allowed to do so. Authori
approved and documented by the service owner and IT security. All change documentation will include the authorized perso
Information systems will be configured to deliver one function per system where practical.
Only those ports and protocols necessary to provide the service of the information system will be configured for that system.
necessary to provide the service of the information system will not be configured or enabled. Systems services will be review
essential for the function of that system.
The information system will be configured to only allow authorized software to run. The system will be configured to disallow
software. The controls for allowing or disallowing the running of software may include but is not limited to the use of firewall
user operational controls.
User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must
Systems will make use of institutionally assigned accounts for unique access by individual. Should service accounts be necess
authentication, the accounts will be created by the central identity management team and assigned to a member of the rese
service accounts are managed centrally and deprovisioned automatically when an individual leaves.
Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system.
part of the established account creation process. Accounts are uniquely assigned to faculty, staff upon hire; students upon m
sponsored by an authorized faculty or staff member. Access to data associated with the project is controlled through role-bas
project's PI. Initial passwords are randomly generated strings provided via a password reset mechanism to each facutly, staff,
password must be reset upon first use. All passwords are at least 8 characters, and require a mix of upper and lower case lett
characters. OPTIONAL: Access to the project data stored in (INSERT LOCATION) requires use of institutional multifactor authe
faculty and staff receive their account and instructions for creating a password from HR during the hiring process. New stude
their account via registered email with an activation link to set their initial password. Passwords may be reset by contacting t
proof of identity, or using the online reset service using pre-defined challenge and response questions. Default passwords for
changed before they are introduced to the network. Passwords are stored centrally in institutionally-managed authentication
Kerberos) and hashed using <INSERT HASHING ALGORITHM?>. Encrypted transmission of passwords is required.
Any network access to servers and virtual machines hosting the project data requires multifactor authentication provided by
the account is privileged or unprivileged.
Only anti-replay authentication mechanisms will be used. The authentication front-end technologies include shibboleth, SSH,
protocol, and <VENDOR> SSL VPN. Backend authentication mechanisms in use include Kerberos and Active Directory.
Per control 3.5.1, the accounts in use will be assigned and managed by the university's central identity management system.
part of the established account creation process. Accounts are uniquely assigned to faculty, staff, students and affiliates (gue
not reused.
User accounts or identifiers associated with a project or contract covered by NIST 800-171 are monitored for inactivity. Accou
systems after 90/180/365 days of inactivity.
Account passwords must be a minimum of 8 characters and a mix of upper/lower case, numbers and symbols.
Passwords may not be re-used for <XX days>. OR
Users may not re-use the same password when changing their password for at least XX changes.
New employees will receive an account and instructions for creating a password from HR during the hiring process. New stud
their account via email with an activation link to set their initial password. Temporary password activation links are sent to va
students should they require a password reset or change. Temporary passwords are only good to allow for a password reset.
Passwords are not stored in reversible encryption form in any of our systems. Instead, they are stored as one-way hashes con
Specifically, passwords stored in the MIT Kerberos system make use of of AES256 keys generated using a hashing algorithm t
password and includes various salting data, which is then encrypted on disk in a master key. On the AD domain controllers, p
NTLMv2 hashed passwords and associated Kerberos AES keys.
The most basic feedback control is never informing the user in an error message what part of the of the authentication transa
shibboleth, for example, the error message is generic regardless of whether the userid was mistyped, the password was wron
there was a problem with the MFA credential provided — the failure simply says that the credentials were invalid. Likewise, u
at the Kerberos KDCs don’t distinguish between the “principal not found” and the “invalid key” case. LDAP-based authenticati
“failure to bind” message from both the main LDAPs and the AD.
Develop an institutional incident response policy; specifically outline requirements for handling of incidents involvoing CUI.
Develop an institutional incident response policy; specifically outline requirements for tracking and reporting of incidents invo
officials.
Develop an institutional incident response policy; specifically outline requirements for regular testing and reviews/improvem
capabilities.
All systems, devices, supporting systems for organizational information systems must be maintained according to manufactu
organizationally defined schedules
Organizations will put in place controls that limit the tools, techniques, mechanisms and personnel that will be used to maint
devices, and supporting systems. This can include a lists of authorized tools, authorized personnel, and authorized technique
maintenance must occur within the context of other information systems controls in place.
Any media that is removed from the premises for maintenance or disposal must be sanitized according to the organization's m
Any media that is provided by authorized maintenance personnel (and not normal Systems administrators/owners) for troub
other maintenance must be run through an anti-virus/anti-malware program prior to use in an organizational information sys
All remote access to an information system for maintenance or diagnostics must occur via an approved remote solution using
A remote session must be disconnected when maintenance is complete
All activities of maintenance personnel who do not normally have access to a system must be monitored. The organization w
for supervision.
Responsible parties for data in these systems will document and ensure proper authorization controls for data in media and p
data access contols and media policy will be enforced to ensure proper access controls.
All CUI systems will be managed under least access rules.
All managed data storage will be erased, encrypted or destroyed using mechanisms with sufficient power to ensure that no u
storage devices identified in the workflow of these systems/services.
All CUI system will be identified with an asset control identifier

Only approved individuals are to have access to media from CUI systems. Chain of evidence will be maintained for any media
systems.
All CUI data on media will be encrypted or physically locked prior to transport outside of the institutions secure locations.
Removable media will only be allowed if there are processes in place to control them. Removable media must be able to supp
key vaulting must be utilized to ensure recoverabliity
Only approved portable storage devices under asset management are to be used to store CUI data.
Data backups will be encrypted on media before removal from a secured facility
The organization will screen individuals prior to authorizing access to the information system, in accordance with applicable f
Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assig
include, for example, position sensitivity background screening requirements.
The organzation will disable information system accesss prior to individual termination or transfer. Within 24 hours of termin
organization will revoke any authenticators/credentials associated with the individual, retrieve all organizational information
the individual, retain access to organizational information and information systems formerly controlled by the individual, and
security office and data owner of the change in authorization.
The Area/Building Manager will desginate building areas as "sensitve" and design physical security protections (including gua
readers, etc) as necessary to limit physical access to the area to only authorized individuals. Output devices such as printers s
where their use does not expose data to unauthorized individuals.
The Area/Building Manager will review the location and type of physical security in use (including guards, locks, card readers,
suitability for the organization's needs.
All visitors to sensitive areas will be escorted by an authorized employee at all times.
Logs of physical access to sensitive areas are maintained according to retention policies. This includes authorized access as w
Physical access devices (such as card readers, proximity readers, and locks) will be maintained and operated according to the
recommendations. These devices will be updated with any changed access control information as necessary to prevent unau
Area/Building Manager will review the location and type of each physical access device and evaluate its suitability for the org
All alternate sites where sensitive data is stored or processed must meet the same physical security requirements as the main
The stewards of the system/services will provide an initial and periodic risk assessment. The assessments will be impact scro
in the environment that may affect the system or service, changes in use of or infrastructure will be documented and assesse
analysis is to be a living document and incorporated into a larger risk assessment profile for the system/service.
Systems will be periodically scanned for common and new vulnerabilities. Any vulnerability not documented will be risk asse
Reports regarding the scans will be made available to system stewards and owners in a timely manner.
Stewards and owners upon recognition of any vulnerablity will provide an action plan for remediation, acceptance, aversion o
vulnerability risk including a reasonable time frame for implementation. All high vulnerabilities will be prioritized.
An annual security assessment will be conducted to ensure that security controls are implemented correctly and meet the se
compliance environment. The assessment scope includes all information systems and networks in or directly connected to th
and all security controls and procedures necessary to meet the compliance requirements of the environment. The assessmen
limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews,
interviews. A representative sampling of systems will be assessed. Information Security, or an independent security auditor, w
A final written assessment report and findings will be provided to the CIO at the conclusion of the assessment.
An action plan to remediate identified weaknesses or deficiencies will be maintained. The action plan will designate remediati
each item. Definiciencies and weaknesses identified in security controls assessments, security impact analyses, and
continuous monitoring activities will be added to the action plan within 30 days of the findings being reported.
Continuous monitoring tools will be deployed for front Internet facing systems or those used to store or transmit sensitive da
will be monitored for privileged access, permission changes, kernel modifications, and binary changes, against a control and s
monitoring reports and alerts will be reviewed daily. Unauthorized changes or unauthorized access will be reported to the CIS
owner within 24 hours of it being reported.
Enumerate policies for managed interfaces such as gateways, routers, firewalls, VPNs; organizational DMZs; and restricting ex
designated servers.
Outline organizational information security policies, to include standards for architectural design, software development, and
principles designed to promote information security.
Enumerate the physical or logical controls used to separate user functionality from system management-related functionality
administration (e.g. privilege) options are not available to general users).
Enumerate the controls implemented to prevent object reuse and to protect residual information.
Outline the policies for organizational DMZs.

Document all business need exceptions to network communications traffic (inbound/outbound) “deny all” policies.
Outline controls to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions
Outline the processes and automated mechanisms used to provide encryption of CUI during transmission; or document all al
used to provide confidentiality of CUI during transmission.
Outline controls for terminating communications sessions on both internal and external networks (e.g., deallocating TCP/IP a
institute time periods of inactivity based on type of network accesses.
Outline the processes and automated mechanisms used to provide key management within the information system (should a
regulations, and policies).
Outline where FIPS-validated cryptographic is used.
Enumerate actions to remove or disable collaborative computing devices from information systems housing CUI; and to notif
computing devices are in use (e.g., cameras, microphones, etc.).
Define limits of mobile code usage, establish usage restrictions, and specifically authorize use of mobile code (e.g., Java, Activ
information system.
Define and establish usage restrictions, and specifically authorize the business necessary use of VoIP technologies within an in
Outline the controls implemented to protect session communications (e.g., the controls implemented to validate identities an
protect against MITM attacks, session hijacking, and insertion of false information into sessions).
Outline controls used to protect CUI while stored in organizational information systems.
The organization will perform all security-relevant software updates, to include patching, service packs, hot fixes, and anti-vir
response to identified system flas and vulnerabilities within the time prescribed by organizational policy (Critical/High: 5 days
Available). When available, managers and administrators of the information system will rely on centralized management of t
to include the use of automated update software, patch management tools, and automated status scanning.
The organization will employ malicious code protection mechanisms at information system entry and exit points to minimize
code. These protection mechanisms may include, for example, firewalls, electronic mail servers, web servers, proxy servers,
workstations, notebook computers, and mobile devices.
The organization will receive security alerts, advisories, and directives from reputable external agencies, and disseminate this
with need-to-know in the organization. In the event of alerts, advisories, or directives that have widespread impact on the or
directives will be disseminated directly to information system users, managers, and administrators.
The organization will update information system protection mechanisms within 5 days of new releases.
The organization will perform quarterly scans of the information system, as well as real-time scanning of files from external s
The organizaiton will monitor the information system to detect attacks and indicators of potential attacks, as well as unautho
remote connections. The organization will strategically deploy monitoring devices within the information system to collect e
Information gained from these monitoring tools will be protected from unauthorized access, modification, and deletion.
The organization will monitor the information system to identify unauthorized access and use, as well as potential misuse of t
Responsible Party: IT
Operations, Security DFARS 7012 (2013)
Office, and/or Data Covered
Custodian
IT Operations, Data
AC-2
Custodian
IT Operations, Data
AC-2
Custodian
IT Operations Yes
IT Operations No
IT Operations AC-6
IT Operations no
IT Operations No
IT Operations Yes
IT Operations No
IT Operations AC-11(1)
IT Operations No
IT Operations No
IT Operations Yes
IT Operations No
IT Operations No
Security Office, IT
No
Operations
IT Operations Yes
Security Office, IT
Yes
Operations
IT Operations No
Security Office Ac-20(1)
Security Office Yes
Security Office, IT
Yes
Operations
Data Custodian,
AT-2
Security Office
Data Custodian,
AT-2
Security Office
Data Custodian,
No
Security Office
IT Operations AU-2, AU-3
IT Operations AU-2, AU-3

IT Operations No
IT Operations No
IT Operations AU-6(1)
IT Operations Yes
IT Operations AU-8
IT Operations Yes
IT Operations No
IT Operations CM-2, CM-6, CM-8

IT Operations CM-2, CM-6, CM-8
IT Operations No
IT Operations No
Security Office No
IT Operations Yes
IT Operations No
IT Operations No
IT Operations No
IT Operations IA-2
IT Operations, Security
IA-2
Office, Data Custodian
No
No
IT Operations Yes
Yes
IT Operations Yes
IT Operations Yes
IT Operations Yes
Yes
Yes
Security Office IR-2, IR-4, IR-5, IR-6

Security Office IR-2, IR-4, IR-5, IR-6
Security Office No
IT Operations No
IT Operations No
Data Custodian No
Data Custodian No
Data Custodian No
Data Custodian Yes

Data Custodian MP-4, MP-6
Data Custodian MP-4, MP-6
MP-4, MP-6
Data Custodian No
Data Custodian No
Data Custodian No
Data Custodian No
Data Custodian No
Data Custodian Yes
Data Custodian No
Data Custodian No
IT Operations PE-2, PE-5

IT Operations PE-2, PE-5
IT Operations Yes
IT Operations Yes
IT Operations Yes
IT Operations No
Data Custodian,
No
Security Office
Security Office RA-5
Data Custodian, IT
Yes
Operations
Security Office No
Security Office No
Security Office No
IT Operations SC-7
IT Operations SC-7
IT Operations Yes
IT Operations Yes
IT Operations SC-7
Security Office No
IT Operations No
IT Operations SC-8(1)
IT Operations No
IT Operations No
IT Operations Yes
IT Operations Yes
IT Operations No
IT Operations No
IT Operations No
IT Operations Yes
Data Custodian SI-2, SI-3

Data Custodian,
SI-2, SI-3
Security Office
Data Custodian,
SI-2, SI-3
Security Office
Data Custodian,
Yes
Security Office
Security Office Yes

Security Office SI-4
Security Office Yes

NIST 800 171 Compliance Scoping Guide

Uploaded by

Copyright:

Available Formats

You might also like

NIST 800 171 Compliance Scoping Guide

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NIST 800 171 Compliance Scoping Guide

Uploaded by

Copyright:

Available Formats

for more guidance you can call

NIST 800-171 Control Number Control Type Control Family

Limit information system access

Limit information system access

Control the flow of CUI in

Employ the principle of least

Use non-privileged accounts or

Prevent non-privileged users from

Provide privacy and security

Use session lock with pattern-

Terminate (automatically) a user

Route remote access via managed

Authorize remote execution of

Protect wireless access using

Control connection of mobile

3.1.19 Derived Access Control Encrypt CUI on mobile devices.

Limit use of organizational

Control information posted or

Ensure that managers, systems

Provide security awareness

Create, protect, and retain

Ensure that the actions of

Audit and Alert in the event of an audit

Use automated mechanisms to

Audit and Provide audit reduction and

Protect audit information and

Audit and Limit management of audit

Establish and maintain baseline

Configuration Analyze the security impact of

Define, document, approve, and

Restrict, disable, and prevent the

Configuration Control and monitor user-

Authenticate (or verify) the

Use multifactor authentication for

Identification and Disable identifiers after a defined

Enforce a minimum password

Identification and Prohibit password reuse for a

Identification and Store and transmit only encrypted

Identification and Obscure feedback of

Establish an operational incident-

Incident Test the organizational incident

Provide effective controls on the

Check media containing

Supervise the maintenance

Limit access to CUI on information

Sanitize or destroy information

Mark media with necessary CUI

Control the use of removable

Prohibit the use of portable

Screen individuals prior to

Ensure that CUI and information

Limit physical access to

Physical Escort visitors and monitor visitor

Physical Maintain audit logs of physical

Physical Control and manage physical

Periodically assess the risk to

Scan for vulnerabilities in the