The 110 security requirements of NIST 800-171 are organized into 14 families. Each requirement family contains the requirements associated with the overall security topic of that family. These groupings are intended to make it straightforward for an organization to apply the requirements and to self-assess its compliance with them.
The 14 requirement families of NIST 800-171 are:
- Access Control
This family of requirements deals with access to networks, systems, and information. 22 different requirements help ensure that only authorized users can access the system. Requirements also safeguard the flow of sensitive information within the network and provide guidance on the network devices within the system.
- Awareness and Training
Three separate requirements make up the ‘Awareness and Training’ section. Requirements include ensuring that system administrators and users are aware of security risks and the related cyber security procedures, and that employees are trained to carry out their security-related roles.
- Audit and Accountability
Nine requirements make up this family, which focuses on auditing and analyzing system and event logs. The requirements address the recording and storage of reliable audit records to allow for best-practice analysis and reporting. Regular review of system security logs can help uncover and mitigate cyber security incidents.
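As an added illustration of what "regular review of system security logs" looks like in practice (example code, not part of the original article or of NIST 800-171 itself), the routine below parses a handful of constructed, syslog-style authentication log lines, flags a source address that accumulated several failed logins and then succeeded, and lists privileged activity (direct root logins and sudo use) so that it can be traced to an individual. The log format loosely follows OpenSSH and sudo messages but the lines, hosts and addresses are invented for the example.

```python
"""Added example: audit-log review for the 'Audit and Accountability' family.
All log lines below are constructed for this example; the format is assumed to
resemble OpenSSH and sudo entries in a Linux auth log."""
import re
from collections import Counter

# Constructed sample log (syslog-like, year omitted as in a real auth.log).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 4410 ssh2
Mar 10 02:14:03 host sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 4411 ssh2
Mar 10 02:14:05 host sshd[2011]: Failed password for root from 198.51.100.23 port 4412 ssh2
Mar 10 02:14:07 host sshd[2011]: Failed password for root from 198.51.100.23 port 4413 ssh2
Mar 10 02:14:09 host sshd[2011]: Failed password for root from 198.51.100.23 port 4414 ssh2
Mar 10 02:14:11 host sshd[2011]: Accepted password for root from 198.51.100.23 port 4415 ssh2
Mar 10 09:00:12 host sshd[3107]: Accepted publickey for alice from 192.0.2.10 port 50212 ssh2
Mar 10 09:30:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Outer syslog envelope: timestamp, host, process (optional pid), message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication outcome inside the message.
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Parse raw lines into dicts. Lines that do not match are kept under
    'raw' so nothing silently disappears from the audit trail."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append({"raw": line})
            continue
        ev = m.groupdict()
        s = SSH_RE.match(ev["msg"])
        if s:
            ev.update(s.groupdict())
        events.append(ev)
    return events


def find_bruteforce_then_success(events, threshold=3):
    """Return (ip, user, failures) for sources that reached `threshold` failed
    logins and then had a login accepted: a pattern an analyst should review."""
    failures = Counter()
    findings = []
    for ev in events:
        if ev.get("proc") != "sshd" or "result" not in ev:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif ev["result"] == "Accepted" and failures[ev["ip"]] >= threshold:
            findings.append((ev["ip"], ev["user"], failures[ev["ip"]]))
    return findings


def privileged_actions(events):
    """List sudo invocations and direct root logins, the privileged activity
    that audit requirements expect to be attributable to an individual."""
    out = []
    for ev in events:
        if ev.get("proc") == "sudo":
            out.append(("sudo", ev["msg"].split(":")[0].strip()))
        elif ev.get("result") == "Accepted" and ev.get("user") == "root":
            out.append(("root-login", ev["ip"]))
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, user, n in find_bruteforce_then_success(evs):
        print("ALERT: %s logged in as %s after %d failures" % (ip, user, n))
    for kind, who in privileged_actions(evs):
        print("PRIV:", kind, who)
```

The threshold and regexes are choices for the example; the point is that the audit record is parsed rather than eyeballed, unparseable lines are retained instead of dropped, and the review produces a concrete list of items for follow-up.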
- Configuration Management
Nine requirements cover the correct configuration of hardware, software, and devices across the organization’s systems and network. This family of requirements also focuses on preventing unauthorized software installation and restricting nonessential programs.
- Identification and Authentication
This family of requirements ensures that only authenticated users can access the organization’s network or systems. 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Requirements ensure that the distinction between privileged and non-privileged accounts is reflected in network access.
- Incident Response
Three requirements address the organization’s ability to respond to serious cyber security incidents. The requirements ensure that procedures are in place to detect, contain, and recover from a variety of incidents within the organization. This includes proper training and planning, as well as regular testing of capabilities.
- Maintenance
Six requirements provide insight into best-practice system and network maintenance procedures. This includes the performance of regular system maintenance and ensuring that any external maintenance is secure and authorized.
- Media Protection
Nine security requirements help organizations control access to sensitive media. Requirements cover best-practice storage or destruction of sensitive information and media in both physical and digital formats.
- Personnel Security
Two security requirements cover the safeguarding of CUI with respect to personnel and employees. The first covers the need for security screening of individuals before they access systems that contain CUI. The second ensures CUI is protected during the termination or transfer of personnel, including the return of building passes, hardware, and devices.
- Physical Protection
Six security requirements address physical access to CUI within the organization, including the control of visitor access to work sites. Hardware, devices, and equipment are also required to be limited to authorized personnel.
- Risk Assessment
Two requirements cover the performance and analysis of regular risk assessments. Organizations are required to regularly scan systems for vulnerabilities, keeping network devices and software updated and secure. By regularly identifying and remediating vulnerabilities, the security of the whole system is improved.
- Security Assessment
Four requirements cover the development, monitoring, and renewal of system controls and security plans. By periodically reviewing security procedures, vulnerabilities across the organization are highlighted and addressed.
- System and Communications Protection
16 requirements cover the monitoring and safeguarding of systems and the transmission of information. Requirements include the prevention of unauthorized information transfer and the denial by default of network communication traffic. Requirements also include best-practice cryptography policies to protect CUI. Together, these NIST 800-171 requirements ensure that plans to safeguard CUI remain effective.
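The "denial by default of network communication traffic" requirement is easy to state and easy to get backwards, so the following added example (not from the article, and not a NIST artifact) shows the decision logic as a small policy evaluator: an explicit allowlist of rules, and a deny verdict for anything the rules do not match. The rule set, subnets and sample flows are constructed for the example; in production the same logic is expressed in a firewall or cloud security-group configuration rather than in Python.

```python
"""Added example: deny-by-default network policy evaluation for the
'System and Communications Protection' family. Rules and flows below are
constructed for illustration only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"
    dst_port: int
    src_net: str      # CIDR of permitted sources
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_port: int


# Constructed allowlist: only these flows are permitted; everything else is denied.
ALLOW_RULES = [
    Rule("tcp", 443, "0.0.0.0/0", "public HTTPS"),
    Rule("tcp", 22, "192.0.2.0/24", "SSH from the management subnet only"),
    Rule("udp", 53, "10.0.0.0/8", "DNS from internal hosts"),
]


def evaluate(flow, rules=ALLOW_RULES):
    """Return ('allow', rule) for the first matching rule, else ('deny', None).
    The final return is the deny-by-default requirement made explicit: a flow
    with no matching rule never falls through to an implicit permit."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in rules:
        if (rule.proto == flow.proto
                and rule.dst_port == flow.dst_port
                and src in ipaddress.ip_network(rule.src_net)):
            return "allow", rule
    return "deny", None


def audit(flows, rules=ALLOW_RULES):
    """Evaluate many flows and return the denied ones, so that denied traffic
    is recorded for review rather than silently dropped."""
    return [flow for flow in flows if evaluate(flow, rules)[0] == "deny"]


if __name__ == "__main__":
    sample = [
        Flow("tcp", "203.0.113.5", 443),   # public HTTPS: allowed
        Flow("tcp", "203.0.113.5", 22),    # SSH from the internet: denied
        Flow("tcp", "192.0.2.44", 22),     # SSH from management subnet: allowed
        Flow("udp", "10.4.2.1", 53),       # internal DNS: allowed
        Flow("tcp", "10.4.2.1", 3389),     # RDP with no rule: denied by default
    ]
    for f in sample:
        verdict, rule = evaluate(f)
        print(f, verdict, rule.comment if rule else "")
```

Note that the RDP flow is denied without any rule mentioning RDP at all; that is the property the requirement asks for. A policy that started from "allow all" and added deny rules would need a rule for every service it had not thought of.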
- System and Information Integrity
Seven requirements address the monitoring and ongoing protection of systems within the organization. This includes processes for identifying unauthorized use of systems and the monitoring of system security alerts.