NIST SP 800-171 vRev 2
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
This is a reference tool, not an authoritative source. For official documentation, visit csrc.nist.gov.
110 All
3.1 — Access Control (22 requirements)
3.1.1Access Control - Basic
3.1.2Access Control - Basic
3.1.3Access Control - Derived
3.1.4Access Control - Derived
3.1.5Access Control - Derived
3.1.6Access Control - Derived
3.1.7Access Control - Derived
3.1.8Access Control - Derived
3.1.9Access Control - Derived
3.1.10Access Control - Derived
3.1.11Access Control - Derived
3.1.12Access Control - Derived
3.1.13Access Control - Derived
3.1.14Access Control - Derived
3.1.15Access Control - Derived
3.1.16Access Control - Derived
3.1.17Access Control - Derived
3.1.18Access Control - Derived
3.1.19Access Control - Derived
3.1.20Access Control - Derived
3.1.21Access Control - Derived
3.1.22Access Control - Derived
3.2 — Awareness and Training (3 requirements)
3.3 — Audit and Accountability (9 requirements)
3.3.1Audit and Accountability - Basic
3.3.2Audit and Accountability - Basic
3.3.3Audit and Accountability - Derived
3.3.4Audit and Accountability - Derived
3.3.5Audit and Accountability - Derived
3.3.6Audit and Accountability - Derived
3.3.7Audit and Accountability - Derived
3.3.8Audit and Accountability - Derived
3.3.9Audit and Accountability - Derived
3.4 — Configuration Management (9 requirements)
3.4.1Configuration Management - Basic
3.4.2Configuration Management - Basic
3.4.3Configuration Management - Derived
3.4.4Configuration Management - Derived
3.4.5Configuration Management - Derived
3.4.6Configuration Management - Derived
3.4.7Configuration Management - Derived
3.4.8Configuration Management - Derived
3.4.9Configuration Management - Derived
3.5 — Identification and Authentication (11 requirements)
3.5.1Identification and Authentication - Basic
3.5.2Identification and Authentication - Basic
3.5.3Identification and Authentication - Derived
3.5.4Identification and Authentication - Derived
3.5.5Identification and Authentication - Derived
3.5.6Identification and Authentication - Derived
3.5.7Identification and Authentication - Derived
3.5.8Identification and Authentication - Derived
3.5.9Identification and Authentication - Derived
3.5.10Identification and Authentication - Derived
3.5.11Identification and Authentication - Derived
3.6 — Incident response (3 requirements)
3.7 — Maintenance (6 requirements)
3.8 — Media Protection (9 requirements)
3.9 — Personnel Security (2 requirements)
3.10 — Physical Protection (6 requirements)
3.11 — Risk Assessment (3 requirements)
3.12 — Security Assessment (4 requirements)
3.13 — System and Communications Protection (16 requirements)
3.13.1System and Communications Protection - Basic
3.13.2System and Communications Protection - Basic
3.13.3System and Communications Protection - Derived
3.13.4System and Communications Protection - Derived
3.13.5System and Communications Protection - Derived
3.13.6System and Communications Protection - Derived
3.13.7System and Communications Protection - Derived
3.13.8System and Communications Protection - Derived
3.13.9System and Communications Protection - Derived
3.13.10System and Communications Protection - Derived
3.13.11System and Communications Protection - Derived
3.13.12System and Communications Protection - Derived
3.13.13System and Communications Protection - Derived
3.13.14System and Communications Protection - Derived
3.13.15System and Communications Protection - Derived
3.13.16System and Communications Protection - Derived
3.14 — System and Information Integrity (7 requirements)
3.14.1System and Information Integrity - Basic
3.14.2System and Information Integrity - Basic
3.14.3System and Information Integrity - Basic
3.14.4System and Information Integrity - Derived
3.14.5System and Information Integrity - Derived
3.14.6System and Information Integrity - Derived
3.14.7System and Information Integrity - Derived