Under active development — Content is continuously updated and improved

Home / Frameworks / NIST SP 800-171

NIST SP 800-171 vRev 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

This is a reference tool, not an authoritative source. For official documentation, visit csrc.nist.gov.

110 All

3.2 — Awareness and Training (3 requirements)

3.2.1Awareness and Training - Basic

3.2.2Awareness and Training - Basic

3.2.3Awareness and Training - Derived

3.3 — Audit and Accountability (9 requirements)

3.3.1Audit and Accountability - Basic

3.3.2Audit and Accountability - Basic

3.3.3Audit and Accountability - Derived

3.3.4Audit and Accountability - Derived

3.3.5Audit and Accountability - Derived

3.3.6Audit and Accountability - Derived

3.3.7Audit and Accountability - Derived

3.3.8Audit and Accountability - Derived

3.3.9Audit and Accountability - Derived

3.4 — Configuration Management (9 requirements)

3.4.1Configuration Management - Basic

3.4.2Configuration Management - Basic

3.4.3Configuration Management - Derived

3.4.4Configuration Management - Derived

3.4.5Configuration Management - Derived

3.4.6Configuration Management - Derived

3.4.7Configuration Management - Derived

3.4.8Configuration Management - Derived

3.4.9Configuration Management - Derived

3.5 — Identification and Authentication (11 requirements)

3.5.1Identification and Authentication - Basic

3.5.2Identification and Authentication - Basic

3.5.3Identification and Authentication - Derived

3.5.4Identification and Authentication - Derived

3.5.5Identification and Authentication - Derived

3.5.6Identification and Authentication - Derived

3.5.7Identification and Authentication - Derived

3.5.8Identification and Authentication - Derived

3.5.9Identification and Authentication - Derived

3.5.10Identification and Authentication - Derived

3.5.11Identification and Authentication - Derived

3.6 — Incident response (3 requirements)

3.6.1Incident response - Basic

3.6.2Incident response - Basic

3.6.3Incident response - Derived

3.7 — Maintenance (6 requirements)

3.7.1Maintenance - Basic

3.7.2Maintenance - Basic

3.7.3Maintenance - Derived

3.7.4Maintenance - Derived

3.7.5Maintenance - Derived

3.7.6Maintenance - Derived

3.8 — Media Protection (9 requirements)

3.8.1Media Protection - Basic

3.8.2Media Protection - Basic

3.8.3Media Protection - Basic

3.8.4Media Protection - Derived

3.8.5Media Protection - Derived

3.8.6Media Protection - Derived

3.8.7Media Protection - Derived

3.8.8Media Protection - Derived

3.8.9Media Protection - Derived

3.9 — Personnel Security (2 requirements)

3.9.1Personnel Security - Basic

3.9.2Personnel Security - Basic

3.10 — Physical Protection (6 requirements)

3.10.1Physical Protection - Basic

3.10.2Physical Protection - Basic

3.10.3Physical Protection - Derived

3.10.4Physical Protection - Derived

3.10.5Physical Protection - Derived

3.10.6Physical Protection - Derived

3.11 — Risk Assessment (3 requirements)

3.11.1Risk Assessment - Basic

3.11.2Risk Assessment - Derived

3.11.3Risk Assessment - Derived

3.12 — Security Assessment (4 requirements)

3.12.1Security Assessment - Basic

3.12.2Security Assessment - Basic

3.12.3Security Assessment - Basic

3.12.4Security Assessment - Basic

3.13 — System and Communications Protection (16 requirements)

3.13.1System and Communications Protection - Basic

3.13.2System and Communications Protection - Basic

3.13.3System and Communications Protection - Derived

3.13.4System and Communications Protection - Derived

3.13.5System and Communications Protection - Derived

3.13.6System and Communications Protection - Derived

3.13.7System and Communications Protection - Derived

3.13.8System and Communications Protection - Derived

3.13.9System and Communications Protection - Derived

3.13.10System and Communications Protection - Derived

3.13.11System and Communications Protection - Derived

3.13.12System and Communications Protection - Derived

3.13.13System and Communications Protection - Derived

3.13.14System and Communications Protection - Derived

3.13.15System and Communications Protection - Derived

3.13.16System and Communications Protection - Derived

3.14 — System and Information Integrity (7 requirements)

3.14.1System and Information Integrity - Basic

3.14.2System and Information Integrity - Basic

3.14.3System and Information Integrity - Basic

3.14.4System and Information Integrity - Derived

3.14.5System and Information Integrity - Derived

3.14.6System and Information Integrity - Derived

3.14.7System and Information Integrity - Derived