University of Âé¶¹´«Ã½ System

NIST SP 800-171 R2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Last Updated 2022-07-15


The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 R2 lists the security requirements for nonfederal systems and organizations that process, store, and transmit Controlled Unclassified Information (CUI).

Controlled Unclassified Information (CUI) is defined as information that law, regulation, or governmentwide policy requires to have safeguarding or dissemination controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

There are fourteen families of security requirements, listed below.

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Within each family there are Basic and Derived security requirements. There are a total of 110 security requirements (30 Basic and 80 Derived) within NIST SP 800-171 R2.

Basic Security Requirements: The basic security requirements are obtained from [FIPS 200], which provides the high-level and fundamental security requirements for federal information and systems.

Derived Security Requirements: The derived security requirements, which supplement the basic security requirements, are taken from the security controls in [SP 800-53].


NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information

  • NIST SP 800-171A helps determine if a security requirement within NIST SP 800-171 R2 has been satisfied.
  • This document details how to accomplish the Assessment Objectives in the most effective and efficient way to provide confidence and evidence the security requirement is satisfied.
  • A system must pass each Assessment Objective before considering the requirement satisfied.
  • There are a total of 320 Assessment Objectives within NIST SP 800-171A.
  • NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information.

ITS Minimum Security Standards Mapping by NIST SP 800-171 R2

ITS has performed an analysis mapping the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 R2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations requirements against the ITS Minimum Security Standards (MSS).

Please visit the specific ITS MSS device type (Endpoints, Servers, Multi-Function Devices) for any additional guidance.

The ITS MSS listed in the table below are abstracted from the Center for Internet Security's (CIS) Controls, a prioritized set of actions that collectively form a defense-in-depth set of best practices mitigating the most common attacks against systems and networks. The standards listed were selected based on their applicability to the University of Âé¶¹´«Ã½.

  • When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
  • When comparing Standards, Acts, or Policies to the ITS Minimum Security Standards, the more stringent standard takes precedence.
  • Standard, Act, or Policy requirements still apply when there is no equivalent ITS Minimum Security Standard.

Please note that the ITS Minimum Security Standard (MSS) mappings are designed as a starting point for implementing their respective Standard, Act, or Policy and are not an indication of compliance. Mappings are selected based on relevance and may differ in implementation based on device type.


ITS Minimum Security Standards Mapping by NIST SP 800-171 R2

Columns: # | Standards | NIST SP 800-171 R2 Security Requirement

Automatic Updates / Patching
  • Enable automatic updates for operating systems and software if possible.
  • Install standard operating system and software security patches on a monthly basis for servers and networking devices.
  • Ensure operating systems and software are fully supported by the vendor. End-of-life software and operating systems do not receive security updates.

Firewall Configuration
  • Configure and manage a host-based firewall or a network firewall device with a default deny-all policy. Only necessary services should be allowed through the firewall.

Password Security
  • Ensure that all devices have strong and unique password-protected individual logins for all local and remote accounts.
  • Ensure that all web applications have strong and unique password-protected individual logins for administrative accounts.

Data Management
  • Utilize the University's records management process for .
  • Securely dispose of Institutional Data following our Disposal Guidelines.
  • Use Spirion to scan for sensitive and regulated information on a monthly basis.

Encryption
  • Ensure that data is encrypted with a secure encryption algorithm while in transit.
  • Ensure that files containing Sensitive and Regulated data stored on servers, applications, databases, and removable media are encrypted or stored in an encrypted file container such as VeraCrypt.
  • Utilize Âé¶¹´«Ã½Enterprise Dropbox to store Sensitive and Regulated data online.

Asset Management
  • Complete the Annual Device Registration.
  • Maintain an updated inventory of all software and hardware assets.
  • Ensure that hardware and software assets are actively receiving security updates.
  • Review asset lists on a monthly basis. Remove or replace unauthorized and end-of-life assets if possible.

Data Inventory
  • Complete the annual Personal Information Survey (PIS).

Removable Media
  • Disable autorun / autoplay for removable media.

Malware Protection
  • Install and enable an anti-malware solution.
  • Ensure automatic anti-malware signature updates are enabled.
  • Enable anti-exploitation features.

Session Locking / Session Timeout
  • Configure a maximum 15 minute session timeout for system access and remote access protocols (SSH, RDP, etc.).

Backups
  • Maintain an offline, off-site, or cloud-based backup instance.
  • Ensure backups are encrypted.
  • Perform automatic backups of systems on at least a weekly basis.

Multi-Factor Authentication (MFA)
  • Enable multi-factor authentication to access externally-exposed applications, remote network access, and administrative access where possible.
  • Utilize Âé¶¹´«Ã½login for application and web app logins.

Centralized Logging
  • Deploy a centralized log management system for servers and aggregate logs.
  • Retain centralized logs for at least 90 days. Adequate log storage must be accounted for.
  • Review centralized audit logs on a weekly basis.

Secure Access
  • Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.).
  • Limit access to MFDs and IoT devices by authorized IPs if possible.

Secure Configuration
  • Ensure that servers and network devices are configured following industry security best practices. CIS Configuration Guides are recommended. Configuration scripts are available upon request.
  • Uninstall or disable unnecessary and unused services on servers and network devices.

Event Logging
  • Enable logging of system, security, and application events.
  • Retain logs for at least 90 days. Adequate log storage must be accounted for.
  • Review audit logs on a weekly basis.

Network Security
  • Utilize network segmentation to address least privilege by isolating personal, untrusted, and IoT devices from critical services.
  • Maintain network diagrams.
  • Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks.

Access Control
  • Maintain an updated access control list of user roles, accounts, and permissions for local/remote file systems, databases, and applications.
  • Grant access and apply access privileges to systems and services on a need-to-know basis.
  • Revoke privileges to systems and services upon employee termination, rights revocation, or role change.

Account Management
  • Restrict administrator privileges to individually dedicated administrator accounts.
  • Remove dormant accounts (45 days of inactivity).
  • Disable default system and software accounts or make them unusable.
  • Review account privileges and permissions quarterly.

Vulnerability Scanning
  • Âé¶¹´«Ã½Vulnerability Scan Site
  • Perform vulnerability scans using or Nessus Agents on a monthly basis.
  • Remediate all High and Critical severity vulnerabilities within 7 days.
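The Session Locking / Session Timeout standard above sets a 15 minute ceiling for remote access protocols such as SSH. The following script is an added example, not ITS code or anything from NIST: it audits an OpenSSH server configuration for that ceiling using the ClientAliveInterval and ClientAliveCountMax directives, whose product is the number of seconds after which sshd drops a client that stops answering keepalive probes. The two configuration texts in the block are constructed samples. One caveat a practitioner should keep in mind: ClientAlive probes are answered by a live ssh client even when the person at the keyboard is idle, so this pair catches dead connections rather than idle users; pair it with a shell idle timeout (for example a read-only TMOUT of 900 in a profile script) to meet the intent of the standard.

```shell
# Added example (not part of the ITS page or any NIST document): audit an
# sshd configuration against the 15 minute session timeout standard.
# OpenSSH disconnects an unresponsive client after
#   ClientAliveInterval * ClientAliveCountMax seconds.
# ClientAliveInterval 0 (the compiled-in default) or ClientAliveCountMax 0
# means idle connections are never dropped.

MAX_IDLE_SECONDS=900   # the standard's 15 minute ceiling

# ssh_idle_timeout: read sshd_config text on stdin and print the effective
# timeout in seconds, or "none" when unresponsive clients are never dropped.
# On a real host feed it `sshd -T` output so Include and Match blocks are resolved.
ssh_idle_timeout() {
    awk '
        BEGIN { interval = 0; countmax = 3 }            # OpenSSH defaults
        /^[[:space:]]*(#|$)/ { next }                   # comments and blank lines
        tolower($1) == "clientaliveinterval" { interval = $2 + 0 }
        tolower($1) == "clientalivecountmax" { countmax = $2 + 0 }
        END {
            if (interval == 0 || countmax == 0) print "none"
            else print interval * countmax
        }'
}

# check_ssh_timeout: return 0 when the config on stdin meets the ceiling, 1 otherwise.
check_ssh_timeout() {
    t=$(ssh_idle_timeout)
    if [ "$t" != "none" ] && [ "$t" -le "$MAX_IDLE_SECONDS" ]; then
        return 0
    fi
    return 1
}

# Constructed samples: the stock defaults (never times out) and a hardened
# config (5 minute probe interval, 3 missed probes = 15 minutes).
SSHD_DEFAULT='ClientAliveInterval 0
ClientAliveCountMax 3'
SSHD_HARDENED='# hardened for the ITS MSS session timeout standard
ClientAliveInterval 300
ClientAliveCountMax 3'

report() {   # report <label> <config text>
    secs=$(printf '%s\n' "$2" | ssh_idle_timeout)
    if printf '%s\n' "$2" | check_ssh_timeout; then verdict=PASS; else verdict=FAIL; fi
    printf '%-9s idle timeout: %-5s -> %s\n' "$1" "$secs" "$verdict"
}

report default  "$SSHD_DEFAULT"    # default   idle timeout: none  -> FAIL
report hardened "$SSHD_HARDENED"   # hardened  idle timeout: 900   -> PASS
```

Run it as `sshd -T | ssh_idle_timeout` on the host being assessed; `sshd -T` prints the effective configuration in lowercase, which the awk filter accepts. A 1800 second product (for example ClientAliveInterval 600) fails the check even though every directive is present, which is the case a quick grep for the directive names would miss.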
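The Account Management standard above calls for removing accounts dormant for 45 days. The script below is an added example written for this page, not ITS tooling: it reports which accounts in a last-login listing exceed the 45 day limit, treats accounts that have never logged in as dormant as well (the common leftover of an onboarding that was never completed), and emits the lock commands for review instead of running them. The input format, one "user last_login_epoch" line per account with 0 meaning never logged in, is an assumption, and the listing in the block is constructed with a fixed "now" so the output is stable.

```shell
# Added example (not part of the ITS page): find accounts that fail the
# "Remove dormant accounts (45 days of inactivity)" standard.
# Assumed input: "user last_login_epoch" lines, 0 = never logged in.

DORMANT_DAYS=45

# dormant_accounts <now_epoch>: read the listing on stdin and print
#   "user <days>d"            for accounts idle longer than DORMANT_DAYS
#   "user never-logged-in"    for accounts with no login at all
dormant_accounts() {
    awk -v now="$1" -v limit="$DORMANT_DAYS" '
        /^#/ || NF < 2 { next }                       # comments, malformed lines
        $2 + 0 == 0    { print $1, "never-logged-in"; next }
        {
            days = int((now - $2) / 86400)
            if (days > limit) print $1, days "d"
        }'
}

# lock_commands: turn dormant_accounts output into remediation commands.
# Locking the password and expiring the account (1970-01-02 is a date in the
# past) disables every login path without deleting the home directory, so the
# record is kept until the removal is confirmed. The commands are printed, not
# run, so the list can be checked against HR before anything changes.
lock_commands() {
    awk '{ printf "usermod --lock --expiredate 1970-01-02 %s   # %s\n", $1, $2 }'
}

# Constructed listing; "now" is pinned to epoch 1700000000 (2023-11-14).
NOW=1700000000
ACCOUNTS='# user last_login_epoch
alice 1699900000
bob   1695000000
carol 0
dave  1696200000'

printf '%s\n' "$ACCOUNTS" | dormant_accounts "$NOW"
printf '%s\n' "$ACCOUNTS" | dormant_accounts "$NOW" | lock_commands
```

In the sample, alice (1 day idle) and dave (43 days idle) pass, bob (57 days) and carol (never logged in) are reported. On a Linux host with local accounts, `lastlog -b 45` already lists records older than 45 days and can replace the constructed listing; for directory accounts, export the last-logon attribute into the same two-column form.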