NIST Special Publication 800-171 Revision 3 (NIST SP 800-171r3)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Abstract

The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This publication can be used in conjunction with its companion publication, NIST Special Publication 800-171A, which provides a comprehensive set of procedures to assess the security requirements.

Keywords

Controlled Unclassified Information; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; organization-defined parameter; security assessment; security control; security requirement.

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Audience

This publication serves a diverse group of individuals and organizations in the public and private sectors, including:

  • Federal agencies responsible for managing and protecting CUI

  • Nonfederal organizations responsible for protecting CUI

  • Individuals with system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, systems integrators)

  • Individuals with acquisition or procurement responsibilities (e.g., contracting officers)

  • Individuals with system, security, or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, system owners, information security managers)

  • Individuals with security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, analysts, independent verifiers and validators)

The above roles and responsibilities can be viewed from two perspectives:

  • Federal perspective: The entity establishing and conveying the security requirements in contractual vehicles or other types of agreements

  • Nonfederal perspective: The entity responding to and complying with the security requirements set forth in contracts or agreements

Patent Disclosure Notice

NOTICE: ITL has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.

As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.

No representation is made or implied by ITL that licenses are not required to avoid patent infringement in the use of this publication.

Acknowledgments

The authors gratefully acknowledge and appreciate the significant contributions from individuals and organizations in the public and private sectors whose constructive comments improved the overall quality, thoroughness, and usefulness of this publication. The authors also wish to thank the NIST technical editing and production staff – Jim Foti, Jeff Brewer, Eduardo Takamura, Isabel Van Wyk, Cristina Ritfeld, Derek Sappington, and Carolyn Schmidt – for their outstanding support in preparing this document for publication. Finally, a special note of thanks goes out to Kelley Dempsey for the initial research and development of the content used in the prototype CUI overlay.

Historical Contributions

The authors also wish to acknowledge the following organizations and individuals for their historic contributions to this publication:

  • Organizations: National Archives and Records Administration, Department of Defense

  • Individuals: Carol Bales, Matthew Barrett, Jon Boyens, Devin Casey, Christian Enloe, Gary Guissanie, Peggy Himes, Robert Glenn, Elizabeth Lennon, Vicki Michetti, Dorian Pappas, Karen Quigg, Mark Riddle, Matthew Scholl, Mary Thomas, Murugiah Souppaya, Patricia Toth, and Patrick Viscuso

1. Introduction

Executive Order (EO) 13556 [1] established a government-wide program to standardize the way the executive branch handles Controlled Unclassified Information (CUI).¹ EO 13556 required that the CUI program emphasize openness, transparency, and uniformity of government-wide practices and that the program implementation take place in a manner consistent with Office of Management and Budget (OMB) policies and National Institute of Standards and Technology (NIST) standards and guidelines. As the CUI program Executive Agent, the National Archives and Records Administration (NARA) provides information, guidance, policy, and requirements on handling CUI [4]. This includes approved CUI categories and descriptions, the basis for safeguarding and dissemination controls, and procedures for the use of CUI.² The CUI federal regulation [5] provides guidance to federal agencies on the designation, safeguarding, marking, dissemination, decontrolling, and disposition of CUI; establishes self-inspection and oversight requirements; and delineates other facets of the program.

The CUI regulation requires federal agencies that use federal information systems³ to process, store, or transmit CUI to comply with NIST standards and guidelines. The responsibility of federal agencies to protect CUI does not change when such information is shared with nonfederal organizations.⁴ Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal systems.⁵ To maintain a consistent level of protection, the security requirements for safeguarding CUI in nonfederal systems and organizations must comply with Federal Information Processing Standards (FIPS) 199 [6] and FIPS 200 [7]. The requirements are derived from the controls in NIST Special Publication (SP) 800-53 [8].

1.1. Purpose and Applicability

This publication provides federal agencies with recommended security requirements⁶ for protecting the confidentiality of CUI⁷ when such information is resident in nonfederal systems and organizations and where there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI registry [4]. The requirements do not apply to nonfederal organizations that are collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency.⁸

The security requirements in this publication are only applicable to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components.⁹ The requirements are intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.

Appropriately scoping requirements is an important factor in determining protection-related investment decisions and managing security risks for nonfederal organizations. If nonfederal organizations designate system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for CUI and avoid increasing the organization’s security posture beyond what it requires for protecting its missions, operations, and assets.

1.2. Organization of This Publication

The remainder of this special publication is organized as follows:

  • Section 2 describes the assumptions and methodology used to develop the security requirements for protecting the confidentiality of CUI, the format of the requirements, and the tailoring criteria applied to the NIST guidelines to obtain the requirements.

  • Section 3 lists the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.

The following sections provide additional information to support the protection of CUI:

  • References

  • Appendix A: Acronyms

  • Appendix B: Glossary

  • Appendix C: Tailoring Criteria

  • Appendix D: Organization-Defined Parameters

  • Appendix E: Change Log

2. The Fundamentals

This section describes the assumptions and methodology used to develop the requirements to protect the confidentiality of CUI in nonfederal systems and organizations. It also includes the tailoring¹⁰ criteria applied to the controls in SP 800-53 [8].

2.1. Security Requirement Assumptions

The security requirements in this publication are based on the following assumptions:

  • Federal information designated as CUI has the same value, whether such information resides in a federal or nonfederal system or organization.

  • Statutory and regulatory requirements for the protection of CUI are consistent in federal and nonfederal systems and organizations.

  • Safeguards implemented to protect CUI are consistent in federal and nonfederal systems and organizations.

  • The confidentiality impact value for CUI is no less than moderate.¹¹

  • Nonfederal organizations can directly implement a variety of potential security solutions or use external service providers to satisfy security requirements.

2.2. Security Requirement Development Methodology

Starting with the SP 800-53 controls in the SP 800-53B [12] moderate baseline, the controls are tailored to eliminate selected controls or parts of controls that are:

  • Primarily the responsibility of the Federal Government,

  • Not directly related to protecting the confidentiality of CUI,

  • Adequately addressed by other related controls,¹² or

  • Not applicable.

SP 800-171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of CUI. The security requirements are organized into 17 families, as illustrated in Table 1. Each family contains the requirements related to the general security topic of the family. Certain families from SP 800-53 are not included due to the tailoring criteria. For example, the PII Processing and Transparency (PT) family is not included because personally identifiable information (PII) is a category of CUI, and therefore, no additional requirements are specified for confidentiality protection. The Program Management (PM) family is not included because it is not associated with any control baseline. Finally, the Contingency Planning (CP) family is not included because it addresses availability.¹³

Table 1. Security Requirement Families

  Access Control                      Maintenance                     Security Assessment and Monitoring
  Awareness and Training              Media Protection                System and Communications Protection
  Audit and Accountability            Personnel Security              System and Information Integrity
  Configuration Management            Physical Protection             Planning
  Identification and Authentication   Risk Assessment                 System and Services Acquisition
  Incident Response                   Supply Chain Risk Management

Organization-defined parameters (ODPs) are included in certain security requirements. ODPs provide flexibility through the use of assignment and selection operations to allow federal agencies and nonfederal organizations to specify values for the designated parameters in the requirements.¹⁴ Assignment and selection operations provide the capability to customize the security requirements based on specific protection needs. The determination of ODP values can be guided and informed by laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, the values for the organization-defined parameters become part of the requirement.

ORGANIZATION-DEFINED PARAMETERS

Organization-defined parameters are an important part of a security requirement specification. ODPs provide both the flexibility and specificity needed by organizations to clearly define their CUI security requirements, given the diverse nature of their missions, business functions, operational environments, and risk tolerance. In addition, ODPs support consistent security assessments in determining whether specified security requirements have been satisfied. If a federal agency or a consortium of agencies does not specify a particular value or range of values for an ODP, nonfederal organizations must assign the value or values to complete the security requirement.

A discussion section is included with each requirement. It is derived from the control discussion sections in SP 800-53 and provides additional information to facilitate the implementation and assessment of the requirements. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or influence the solutions that organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and does not reflect the potential options available to organizations. A references section provides the source controls¹⁵ from SP 800-53 and a list of NIST Special Publications with additional information on the topic described in the security requirement. The structure and content of a typical security requirement is provided in the example below.

03.13.11 Cryptographic Protection

Implement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography].

DISCUSSION

Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines. FIPS-validated cryptography is recommended for the protection of CUI.

REFERENCES

Source Control: SC-13

Supporting Publications: FIPS 140-3 [38]
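As an added illustration of the ODP mechanism described in Section 2.2 and of the 03.13.11 example above (this is example code written for this page, not a tool from SP 800-171 or NIST), the following Python resolver fills assignment and selection parameters in requirement text, gives federal agency values precedence over nonfederal organization values, validates selections against their listed options, and reports any parameter left open so the requirement is not treated as complete. The bracketed selection syntax "[Selection (one or more): a; b; c]" is assumed from the SP 800-53 convention, lookup keys are the bracketed parameter text, and the second sample requirement is constructed.

```python
import re
from dataclasses import dataclass, field

# ODP operations as written in SP 800-53 / SP 800-171 requirement text. The page shows only
# the assignment form; the selection form "[Selection (one or more): a; b]" is assumed from
# the SP 800-53 convention, with options separated by semicolons.
ODP_RE = re.compile(
    r"\[(?P<kind>Assignment|Selection)(?:\s*\((?P<mode>one or more)\))?:\s*(?P<body>[^\]]+)\]"
)

# The 03.13.11 requirement text exactly as given on the page.
REQ_03_13_11 = (
    "Implement the following types of cryptography when used to protect the "
    "confidentiality of CUI: [Assignment: organization-defined types of cryptography]."
)

# Constructed sample (not from the page) to exercise the selection operation.
SAMPLE_SELECTION = "Review audit records [Selection (one or more): daily; weekly; monthly]."


@dataclass
class ResolvedRequirement:
    text: str                                   # requirement with ODP values substituted
    unresolved: list = field(default_factory=list)   # parameter keys nobody specified
    errors: list = field(default_factory=list)       # selections outside the listed options


def find_odps(requirement: str) -> list:
    """List the ODPs in a requirement, in order of appearance.

    The lookup key for a parameter is the text inside the brackets after the colon
    (an assumption of this example; SP 800-171A uses its own ODP identifiers).
    """
    odps = []
    for m in ODP_RE.finditer(requirement):
        body = m.group("body").strip()
        entry = {"kind": m.group("kind"), "key": body, "span": m.span()}
        if entry["kind"] == "Selection":
            entry["options"] = [o.strip() for o in body.split(";")]
            entry["multi"] = m.group("mode") == "one or more"
        odps.append(entry)
    return odps


def resolve(requirement: str, agency: dict, nonfederal: dict) -> ResolvedRequirement:
    """Substitute ODP values into a requirement.

    Federal agency values take precedence; the nonfederal organization fills any ODP the
    agency left unspecified. A parameter with no value from either side is left in
    place and reported, because the requirement is incomplete until every ODP is set.
    """
    result = ResolvedRequirement(text="")
    out, last = [], 0
    for odp in find_odps(requirement):
        start, end = odp["span"]
        out.append(requirement[last:start])
        key = odp["key"]
        value = agency.get(key, nonfederal.get(key))
        if value is None:
            result.unresolved.append(key)
            out.append(requirement[start:end])          # keep the bracketed ODP visible
        elif odp["kind"] == "Selection":
            chosen = [value] if isinstance(value, str) else list(value)
            bad = [c for c in chosen if c not in odp["options"]]
            if bad or not chosen or (not odp["multi"] and len(chosen) != 1):
                result.errors.append(f"invalid selection for '{key}': {chosen}")
                out.append(requirement[start:end])
            else:
                out.append("; ".join(chosen))
        else:
            out.append(value)
        last = end
    out.append(requirement[last:])
    result.text = "".join(out)
    return result


def is_complete(resolved: ResolvedRequirement) -> bool:
    """True only when every ODP has a valid value; an assessor would reject anything else."""
    return not resolved.unresolved and not resolved.errors


if __name__ == "__main__":
    # Agency left the ODP open, so the nonfederal organization's value completes it.
    r = resolve(REQ_03_13_11, {}, {"organization-defined types of cryptography":
                                   "FIPS-validated cryptography"})
    print(r.text, "complete:", is_complete(r))
    # Nobody specified a value: the ODP stays bracketed and is reported.
    print(resolve(REQ_03_13_11, {}, {}).unresolved)
```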

The term organization is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an ODP, an organization can refer to either the federal agency or the nonfederal organization establishing the parameter values for the requirement.

Appendix C describes the security control tailoring criteria used to develop the security requirements and the results of the tailoring process. The appendix provides a list of controls from SP 800-53 that support the requirements and the controls that have been eliminated from the moderate baseline in accordance with the tailoring criteria.

ASSESSING SECURITY REQUIREMENTS

SP 800-171A [84] provides a set of procedures to assess the security requirements described in this publication. The assessment procedures are based on the procedures described in SP 800-53A [57].

References

[1] Executive Order 13556 (2010) Controlled Unclassified Information. (The White House, Washington, DC), DCPD-201000942, November 4, 2010. Available at https://www.govinfo.gov/app/details/DCPD-201000942

[2] Executive Order 13526 (2009) Classified National Security Information. (The White House, Washington, DC), DCPD-200901022, December 29, 2009. Available at https://www.govinfo.gov/app/details/DCPD-200901022

[3] Atomic Energy Act (P.L. 83-703), August 1954. Available at https://www.govinfo.gov/app/details/STATUTE-68/STATUTE-68-Pg919

[4] National Archives and Records Administration (2019) Controlled Unclassified Information (CUI) Registry. Available at https://www.archives.gov/cui

[5] 32 CFR Part 2002 (2016), Controlled Unclassified Information (CUI), September 2016. Available at https://www.govinfo.gov/content/pkg/CFR-2018-title32-vol6/pdf/CFR-2018-title32-vol6-part2002.pdf

[6] National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, DC), Federal Information Processing Standards Publication (FIPS) 199. https://doi.org/10.6028/NIST.FIPS.199

[7] National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, DC), Federal Information Processing Standards Publication (FIPS) 200. https://doi.org/10.6028/NIST.FIPS.200

[8] Joint Task Force (2020) Security and Privacy Controls for Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53, Rev. 5, Includes updates as of December 10, 2020. https://doi.org/10.6028/NIST.SP.800-53r5

[9] Federal Information Security Modernization Act (P.L. 113-283), December 2014. Available at https://www.govinfo.gov/app/details/PLAW-113publ283

[10] Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2021) Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2, Rev. 1. https://doi.org/10.6028/NIST.SP.800-160v2r1

[11] Ross R, Winstead M, McEvilley M (2022) Engineering Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Rev. 1. https://doi.org/10.6028/NIST.SP.800-160v1r1

[12] Joint Task Force (2020) Control Baselines for Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B, Includes updates as of December 10, 2020. https://doi.org/10.6028/NIST.SP.800-53B

[13] Office of Management and Budget Circular A-130, Managing Information as a Strategic Resource, July 2016. Available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf

[14] Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. https://doi.org/10.6028/NIST.SP.800-46r2

[15] Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. https://doi.org/10.6028/NIST.SP.800-57pt1r5

[16] Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. https://doi.org/10.6028/NIST.SP.800-57pt2r1

[17] Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. https://doi.org/10.6028/NIST.SP.800-57pt3r1

[18] Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. https://doi.org/10.6028/NIST.SP.800-77r1

[19] Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. https://doi.org/10.6028/NIST.SP.800-113

[20] Souppaya MP, Scarfone KA (2016) User’s Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. https://doi.org/10.6028/NIST.SP.800-114r1

[21] Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2, Includes updates as of January 19, 2022. https://doi.org/10.6028/NIST.SP.800-121r2-upd1

[22] Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. https://doi.org/10.6028/NIST.SP.800-162

[23] Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. https://doi.org/10.6028/NIST.SP.800-178

[24] Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. https://doi.org/10.6028/NIST.SP.800-192

[25] Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. https://doi.org/10.6028/NIST.IR.7874

[26] Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. https://doi.org/10.6028/NIST.IR.7966

[27] Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. https://doi.org/10.6028/NIST.SP.800-63-3

[28] Howell G, Franklin JM, Sritapan V, Souppaya M, Scarfone K (2023) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 2. https://doi.org/10.6028/NIST.SP.800-124r2

[29] Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. https://doi.org/10.6028/NIST.SP.800-94

[30] Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. https://doi.org/10.6028/NIST.SP.800-97

[31] Souppaya MP, Scarfone KA (2016) User’s Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. https://doi.org/10.6028/NIST.SP.800-114r1

[32] Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. https://doi.org/10.6028/NIST.SP.800-50

[33] Boyens JM, Smith A, Bartol N, Winkler K, Holbrook A, Fallon M (2022) Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161, Rev. 1. https://doi.org/10.6028/NIST.SP.800-161r1

[34] Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. https://doi.org/10.6028/NIST.SP.800-181r1

[35] Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. https://doi.org/10.6028/NIST.SP.800-92

[36] Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. https://doi.org/10.6028/NIST.SP.800-86

[37] Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. https://doi.org/10.6028/NIST.SP.800-101r1

[38] National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. https://doi.org/10.6028/NIST.FIPS.140-3

[39] National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. https://doi.org/10.6028/NIST.FIPS.180-4

[40] National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. https://doi.org/10.6028/NIST.FIPS.202

[41] Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. https://doi.org/10.6028/NIST.SP.800-128

[42] Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. https://doi.org/10.6028/NIST.IR.8011-2

[43] Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. https://doi.org/10.6028/NIST.IR.8011-3

[44] Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. https://doi.org/10.6028/NIST.SP.800-70r4

[45] Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. https://doi.org/10.6028/NIST.SP.800-126r3

[46] Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. https://doi.org/10.6028/NIST.SP.800-167

[47] Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. https://doi.org/10.6028/NIST.SP.800-61r2

[48] Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. https://doi.org/10.6028/NIST.SP.800-84

[49] Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. https://doi.org/10.6028/NIST.SP.800-137

[50] Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. https://doi.org/10.6028/NIST.SP.800-88r1

[51] Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. https://doi.org/10.6028/NIST.SP.800-111

[52] Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. https://doi.org/10.6028/NIST.SP.800-34r1

[53] Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. https://doi.org/10.6028/NIST.SP.800-130

[54] Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. https://doi.org/10.6028/NIST.SP.800-152

[55] Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. https://doi.org/10.6028/NIST.SP.800-30r1

[56] Souppaya MP, Scarfone KA (2022) Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 4. https://doi.org/10.6028/NIST.SP.800-40r4

[57] Joint Task Force Transformation Initiative (2022) Assessing Security and Privacy Controls in Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 5. https://doi.org/10.6028/NIST.SP.800-53Ar5

[58] Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. https://doi.org/10.6028/NIST.SP.800-115

[59] Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. https://doi.org/10.6028/NIST.SP.800-37r2

[60] Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. https://doi.org/10.6028/NIST.SP.800-39

[61] Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. https://doi.org/10.6028/NIST.SP.800-12r1

[62] Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. https://doi.org/10.6028/NIST.SP.800-100

[63] Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. https://doi.org/10.6028/NIST.SP.800-18r1

[64] Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. https://doi.org/10.6028/NIST.SP.800-41r1

[65] Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. https://doi.org/10.6028/NIST.SP.800-125B

[66] Rose S, Borchert O, Mitchell S, Connelly S (2017) Zero Trust Architecture. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-207. https://doi.org/10.6028/NIST.SP.800-207

[67] Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. https://doi.org/10.6028/NIST.SP.800-189

[68] National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197, updated May 9, 2023. https://doi.org/10.6028/NIST.FIPS.197-upd1

[69] McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. https://doi.org/10.6028/NIST.SP.800-52r2

[70] Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. https://doi.org/10.6028/NIST.SP.800-177r1

[71] Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. https://doi.org/10.6028/NIST.SP.800-28ver2

[72] Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. https://doi.org/10.6028/NIST.SP.800-95

[73] Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. https://doi.org/10.6028/NIST.SP.800-56Ar3

[74] Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. https://doi.org/10.6028/NIST.SP.800-56Br2

[75] Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. https://doi.org/10.6028/NIST.SP.800-56Cr2

[76] Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. https://doi.org/10.6028/NIST.SP.800-83r1

[77] Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. https://doi.org/10.6028/NIST.SP.800-45ver2

[78] Committee on National Security Systems (2022) Committee on National Security Systems (CNSS) Glossary. (National Security Agency, Fort George G. Meade, MD), CNSS Instruction 4009. Available at https://www.cnss.gov/CNSS/issuances/Instructions.cfm

[79] Title 44 U.S. Code, Sec. 3552, Definitions. 2017 ed. Available at https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap35-subchapII-sec3552

[80] Title 40 U.S. Code, Sec. 11331, Responsibilities for Federal information systems standards. 2017 ed. Available at https://www.govinfo.gov/app/details/USCODE-2017-title40/USCODE-2017-title40-subtitleIII-chap113-subchapIII-sec11331

[81] Title 44 U.S. Code, Sec. 3502, Definitions. 2017 ed. Available at https://www.govinfo.gov/app/details/USCODE-2021-title44/USCODE-2021-title44-chap35-subchapI-sec3502

[82] Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. https://doi.org/10.6028/NIST.SP.800-81-2

[83] Dempsey K, Pillitteri V, Regenscheid A (2021) Managing the Security of Information Exchanges. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47, Rev. 1. https://doi.org/10.6028/NIST.SP.800-47r1

[84] Ross R, Pillitteri V (2024) Assessing Security Requirements for Controlled Unclassified Information. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171A, Rev. 3. https://doi.org/10.6028/NIST.SP.800-171Ar3

Appendix A. Acronyms

CFR
Code of Federal Regulations

CISA
Cybersecurity and Infrastructure Security Agency

CUI
Controlled Unclassified Information

CVE
Common Vulnerabilities and Exposures

CVSS
Common Vulnerability Scoring System

CWE
Common Weakness Enumeration

DMZ
Demilitarized Zone

EAP
Extensible Authentication Protocol

FIPS
Federal Information Processing Standards

FISMA
Federal Information Security Modernization Act

FTP
File Transfer Protocol

GMT
Greenwich Mean Time

HSM
Hardware Security Module

IEEE
Institute of Electrical and Electronics Engineers

IIoT
Industrial Internet of Things

IoT
Internet of Things

ISOO
Information Security Oversight Office

IT
Information Technology

LSI
Large-Scale Integration

MAC
Media Access Control

NARA
National Archives and Records Administration

NVD
National Vulnerability Database

ODP
Organization-Defined Parameter

OT
Operational Technology

PII
Personally Identifiable Information

PIN
Personal Identification Number

PROM
Programmable Read-Only Memory

ROM
Read-Only Memory

SCAP
Security Content Automation Protocol

SCRM
Supply Chain Risk Management

TCP/IP
Transmission Control Protocol/Internet Protocol

TLS
Transport Layer Security

UTC
Coordinated Universal Time

Appendix B. Glossary

Appendix B provides definitions for the terminology used in SP 800-171r3. The definitions are consistent with the definitions contained in the National Information Assurance Glossary [78] unless otherwise noted.

agency

Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency. [13]

assessment

See security control assessment.

assessor

See security control assessor.

audit log

A chronological record of system activities, including records of system accesses and operations performed in a given period.

audit record

An individual entry in an audit log related to an audited event.

authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. [7, adapted]

availability

Ensuring timely and reliable access to and use of information. [79]

advanced persistent threat

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives. [60]

authenticator

Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.

baseline configuration

A documented set of specifications for a system or a configuration item within a system that has been formally reviewed and agreed upon at a given point in time, and that can only be changed through change control procedures.

common secure configuration

Recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. These benchmarks are also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides.

confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [79]

configuration management

A collection of activities focused on establishing and maintaining the integrity of information technology products and systems through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

configuration settings

The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the system.

controlled area

Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information or system.

controlled unclassified information

Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. [1]

CUI Executive Agent

The National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO). [5]

CUI program

The executive branch-wide program to standardize CUI handling by all federal agencies. The program includes the rules, organization, and procedures for CUI, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry. [5]

CUI registry

The online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. [5]

cyber-physical systems

Interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.

executive agency

An executive department specified in 5 U.S.C. Sec. 101; a military department specified in 5 U.S.C. Sec. 102; an independent establishment as defined in 5 U.S.C. Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.

external network

A network not controlled by the organization.

external service provider

See external system service provider.

external system (or component)

A system or component of a system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

external system service

A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by but not a part of the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

external system service provider

A provider of external system services to an organization through a variety of consumer-producer relationships, including joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. [8]

facility

One or more physical locations containing systems or system components that process, store, or transmit information.

federal agency

See executive agency.

federal information system

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [80]

FIPS-validated cryptography

A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet the requirements specified in FIPS Publication 140-3 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.

firmware

Computer programs and data stored in hardware – typically in read-only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software. [78]

hardware

The material physical components of a system. See software and firmware. [78]

identifier

Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers.

A unique label used by a system to indicate a specific entity, object, or group.

impact

With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.

impact value

The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate, or high. [6]

incident

An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. [79]

information

Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms. [13]

information flow control

Procedure to ensure that information transfers within a system do not violate the security policy.

information resources

Information and related resources, such as personnel, equipment, funds, and information technology. [81]

information security

The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [79]

information system

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [81]

information technology

Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. [13]

insider threat

The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.

integrity

Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. [79]

internal network

A network in which the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors or in which the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.

least privilege

The principle that a security architecture is designed so that each entity is granted the minimum system authorizations and resources needed to perform its function.

malicious code

Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of a system. Examples of malicious code include viruses, worms, Trojan horses, spyware, some forms of adware, or other code-based entities that infect a host.

media

Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system. [7]

mobile code

Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.

mobile device

A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and e-readers.

multi-factor authentication

Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.

network

A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

network access

Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, the internet).

nonfederal organization

An entity that owns, operates, or maintains a nonfederal system.

nonfederal system

A system that does not meet the criteria for a federal system.

nonlocal maintenance

Maintenance activities conducted by individuals communicating through an external network (e.g., the internet) or an internal network.

NSA-approved cryptography

Cryptography that consists of an approved algorithm, an implementation that has been approved for the protection of classified information and/or controlled unclassified information in a specific environment, and a supporting key management infrastructure. [8]

on behalf of (an agency)

A situation that occurs when: (i) a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information; and (ii) those activities are not incidental to providing a service or product to the government. [5]

organization

An entity of any size, complexity, or positioning within an organizational structure. [7, adapted]

organization-defined parameter

The variable part of a security requirement that is instantiated by an organization during the tailoring process by assigning an organization-defined value as part of the requirement. [8, adapted]

overlay

A specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. [13]

personnel security

The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities requiring trustworthiness. [8]

portable storage device

A system component that can be inserted into and removed from a system and that is used to store information or data (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., compact/digital video disks, flash/thumb drives, external solid-state drives, external hard disk drives, flash memory cards/drives that contain nonvolatile memory).

potential impact

The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals. [6]

privileged account

A system account with the authorizations of a privileged user.

privileged user

A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

records

The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results) that serve as a basis for verifying that the organization and the system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain a complete set of information on particular items).

remote access

Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the internet). Remote access methods include dial-up, broadband, and wireless.

remote maintenance

Maintenance activities conducted by individuals communicating through an external network (e.g., the internet).

replay resistance

Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [13]

risk assessment

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. [55]

sanitization

Actions taken to render data written on media unrecoverable by ordinary and — for some forms of sanitization — extraordinary means.

A process to remove information from media such that data recovery is not possible, including the removal of all classified labels, markings, and activity logs.

security

A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach. [78]

security assessment

See security control assessment.

security control

The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. [13]

security control assessment

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. [13]

security domain

A domain that implements a security policy and is administered by a single authority. [78, adapted]

security functions

The hardware, software, or firmware of the system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.

security requirement

A requirement levied on a system or an organization that is derived from applicable laws, Executive Orders, directives, regulations, policies, standards, procedures, or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted. [7, adapted] [8, adapted]

system

See information system.

system component

A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. [41]

system security plan

A document that describes how an organization meets or plans to meet the security requirements for a system. In particular, the system security plan describes the system boundary, the environment in which the system operates, how the security requirements are satisfied, and the relationships with or connections to other systems.

system service

A capability provided by a system that facilitates information processing, storage, or transmission.

threat

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [55]

system user

An individual or (system) process acting on behalf of an individual that is authorized to access a system.

Appendix C. Tailoring Criteria

This appendix describes the security control tailoring criteria used to develop the CUI security requirements. Table 2 lists the available tailoring options and the shorthand tailoring symbols. Table 3 through Table 22 specify the tailoring actions applied to the controls in the SP 800-53 moderate baseline [12] to obtain the security requirements in Sec. 3. The controls and control enhancements are hyperlinked to the NIST Cybersecurity and Privacy Reference Tool, which provides online access to the specific control language and supplemental materials in SP 800-53.

Table 2. Security Control Tailoring Criteria
TAILORING SYMBOL  TAILORING CRITERIA
NCO  The control is not directly related to protecting the confidentiality of CUI.
FED  The control is primarily the responsibility of the Federal Government.
ORC  The outcome of the control related to protecting the confidentiality of CUI is adequately covered by other related controls.16
N/A  The control is not applicable.
CUI  The control is directly related to protecting the confidentiality of CUI.


NIST SP 800-53 CONTROLS MODERATE BASELINE  TAILORING CRITERIA  SECURITY REQUIREMENT
AC-01  Policy and Procedures  CUI  03.15.01
AC-02  Account Management  CUI  03.01.01
AC-02(01)  Account Management | Automated System Account Management  NCO
AC-02(02)  Account Management | Automated Temporary and Emergency Account Management  NCO
AC-02(03)  Account Management | Disable Accounts  CUI  03.01.01
AC-02(04)  Account Management | Automated Audit Actions  NCO
AC-02(05)  Account Management | Inactivity Logout  CUI  03.01.01
AC-02(13)  Account Management | Disable Accounts for High-Risk Individuals  CUI  03.01.01
AC-03  Access Enforcement  CUI  03.01.02
AC-04  Information Flow Enforcement  CUI  03.01.03
AC-05  Separation of Duties  CUI  03.01.04
AC-06  Least Privilege  CUI  03.01.05
AC-06(01)  Least Privilege | Authorize Access to Security Functions  CUI  03.01.05
AC-06(02)  Least Privilege | Non-Privileged Access for Non-Security Functions  CUI  03.01.06
AC-06(05)  Least Privilege | Privileged Accounts  CUI  03.01.06
AC-06(07)  Least Privilege | Review of User Privileges  CUI  03.01.05
AC-06(09)  Least Privilege | Log Use of Privileged Functions  CUI  03.01.07
AC-06(10)  Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions  CUI  03.01.07
AC-07  Unsuccessful Logon Attempts  CUI  03.01.08
AC-08  System Use Notification  CUI  03.01.09
AC-11  Device Lock  CUI  03.01.10
AC-11(01)  Device Lock | Pattern-Hiding Displays  CUI  03.01.10
AC-12  Session Termination  CUI  03.01.11
AC-14  Permitted Actions Without Identification or Authentication  FED
AC-17  Remote Access  CUI  03.01.02
AC-17(01)  Remote Access | Monitoring and Control  NCO
AC-17(02)  Remote Access | Protection of Confidentiality and Integrity Using Encryption  CUI  03.13.08
AC-17(03)  Remote Access | Managed Access Control Points  CUI  03.01.12
AC-17(04)  Remote Access | Privileged Commands and Access  CUI  03.01.12
AC-18  Wireless Access  CUI  03.01.16
AC-18(01)  Wireless Access | Authentication and Encryption  CUI  03.01.16
AC-18(03)  Wireless Access | Disable Wireless Networking  CUI  03.01.16
AC-19  Access Control for Mobile Devices  CUI  03.01.18
AC-19(05)  Access Control for Mobile Devices | Full Device or Container-Based Encryption  CUI  03.01.18
AC-20  Use of External Systems  CUI  03.01.20
AC-20(01)  Use of External Systems | Limits on Authorized Use  CUI  03.01.20
AC-20(02)  Use of External Systems | Portable Storage Devices – Restricted Use  CUI  03.01.20
AC-21  Information Sharing  FED
AC-22  Publicly Accessible Content  CUI  03.01.22

Table 4. Awareness and Training (AT)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
AT-01 Policy and Procedures CUI 03.15.01
AT-02 Literacy Training and Awareness CUI 03.02.01
AT-02(02) Literacy Training and Awareness | Insider Threat CUI 03.02.01
AT-02(03) Literacy Training and Awareness | Social Engineering and Mining CUI 03.02.01
AT-03 Role-Based Training CUI 03.02.02
AT-04 Training Records NCO

Table 5. Audit and Accountability (AU)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
AU-01 Policy and Procedures CUI 03.15.01
AU-02 Event Logging CUI 03.03.01
AU-03 Content of Audit Records CUI 03.03.02
AU-03(01) Additional Audit Information CUI 03.03.02
AU-04 Audit Log Storage Capacity NCO
AU-05 Response to Audit Logging Process Failures CUI 03.03.04
AU-06 Audit Record Review, Analysis, and Reporting CUI 03.03.05
AU-06(01) Audit Record Review, Analysis, and Reporting | Automated Process Integration NCO
AU-06(03) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories CUI 03.03.05
AU-07 Audit Record Reduction and Report Generation CUI 03.03.06
AU-07(01) Audit Record Reduction and Report Generation | Automatic Processing NCO
AU-08 Time Stamps CUI 03.03.07
AU-09 Protection of Audit Information CUI 03.03.08
AU-09(04) Protection of Audit Information | Access by Subset of Privileged Users CUI 03.03.08
AU-11 Audit Record Retention CUI 03.03.03
AU-12 Audit Record Generation CUI 03.03.03


Table 6. Assessment, Authorization, and Monitoring (CA)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
CA-01 Policy and Procedures CUI 03.15.01
CA-02 Control Assessments CUI 03.12.01
CA-02(01) Control Assessments | Independent Assessors NCO
CA-03 Information Exchange CUI 03.12.05
CA-05 Plan of Action and Milestones CUI 03.12.02
CA-06 Authorization FED
CA-07 Continuous Monitoring CUI 03.12.03
CA-07(01) Continuous Monitoring | Independent Assessment NCO
CA-07(04) Continuous Monitoring | Risk Monitoring NCO
CA-09 Internal System Connections NCO

Table 7. Configuration Management (CM)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
CM-01 Policy and Procedures CUI 03.15.01
CM-02 Baseline Configuration CUI 03.04.01
CM-02(02) Baseline Configuration | Automation Support for Accuracy and Currency NCO
CM-02(03) Baseline Configuration | Retention of Previous Configurations NCO
CM-02(07) Baseline Configuration | Configure Systems and Components for High-Risk Areas CUI 03.04.12
CM-03 Configuration Change Control CUI 03.04.03
CM-03(02) Configuration Change Control | Testing, Validation, and Documentation of Changes NCO
CM-03(04) Configuration Change Control | Security and Privacy Representatives NCO
CM-04 Impact Analyses CUI 03.04.04
CM-04(02) Impact Analyses | Verification of Controls CUI 03.04.04
CM-05 Access Restrictions for Change CUI 03.04.05
CM-06 Configuration Settings CUI 03.04.02
CM-07 Least Functionality CUI 03.04.06
CM-07(01) Least Functionality | Periodic Review CUI 03.04.06
CM-07(02) Least Functionality | Prevent Program Execution ORC
CM-07(05) Least Functionality | Authorized Software – Allow by Exception CUI 03.04.08
CM-08 System Component Inventory CUI 03.04.10
CM-08(01) System Component Inventory | Updates During Installation and Removal CUI 03.04.10
CM-08(03) System Component Inventory | Automated Unauthorized Component Detection NCO
CM-09 Configuration Management Plan NCO
CM-10 Software Usage Restrictions NCO
CM-11 User-Installed Software ORC
CM-12 Information Location CUI 03.04.11
CM-12(01) Information Location | Automated Tools to Support Information Location NCO


Table 8. Contingency Planning (CP)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
CP-01 Policy and Procedures NCO
CP-02 Contingency Plan NCO
CP-02(01) Contingency Plan | Coordinate With Related Plans NCO
CP-02(03) Contingency Plan | Resume Mission and Business Functions NCO
CP-02(08) Contingency Plan | Identify Critical Assets NCO
CP-03 Contingency Training NCO
CP-04 Contingency Plan Testing NCO
CP-04(01) Contingency Plan Testing | Coordinate Related Plans NCO
CP-06 Alternate Storage Site NCO
CP-06(01) Alternate Storage Site | Separation of Primary Site NCO
CP-06(03) Alternate Storage Site | Accessibility NCO
CP-07 Alternate Processing Site NCO
CP-07(01) Alternate Processing Site | Separation of Primary Site NCO
CP-07(02) Alternate Processing Site | Accessibility NCO
CP-07(03) Alternate Processing Site | Priority of Service NCO
CP-08 Telecommunications Services NCO
CP-08(01) Telecommunications Services | Priority of Service Provisions NCO
CP-08(02) Telecommunications Services | Single Points of Failure NCO
CP-09 System Backup CUI 03.08.09
CP-09(01) System Backup | Testing for Reliability and Integrity NCO
CP-09(08) System Backup | Cryptographic Protection CUI 03.08.09
CP-10 System Recovery and Reconstitution NCO
CP-10(02) System Recovery and Reconstitution | Transaction Recovery NCO

Table 9. Identification and Authentication (IA)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
IA-01 Policy and Procedures CUI 03.15.01
IA-02 Identification and Authentication (Organizational Users) CUI 03.05.01
IA-02(01) Identification and Authentication (Organizational Users) | Multi-Factor Authentication to Privileged Accounts CUI 03.05.03
IA-02(02) Identification and Authentication (Organizational Users) | Multi-Factor Authentication to Non-Privileged Accounts CUI 03.05.03
IA-02(08) Identification and Authentication (Organizational Users) | Access to Accounts – Replay Resistant CUI 03.05.04
IA-02(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials FED
IA-03 Device Identification and Authentication CUI 03.05.02
IA-04 Identifier Management CUI 03.05.05
IA-04(04) Identifier Management | Identify User Status CUI 03.05.05
IA-05 Authenticator Management CUI 03.05.12
IA-05(01) Authenticator Management | Password-Based Authentication CUI 03.05.07
IA-05(02) Authenticator Management | Public Key-Based Authentication FED
IA-05(06) Authenticator Management | Protection of Authenticators FED
IA-06 Authentication Feedback CUI 03.05.11
IA-07 Cryptographic Module Authentication FED
IA-08 Identification and Authentication (Non-Organizational Users) FED
IA-08(01) Identification and Authentication (Non-Organizational Users) | Acceptance of PIV Credentials From Other Agencies FED
IA-08(02) Identification and Authentication (Non-Organizational Users) | Acceptance of External Authenticators FED
IA-08(04) Identification and Authentication (Non-Organizational Users) | Use of Defined Profiles FED
IA-11 Re-Authentication CUI 03.05.01
IA-12 Identity Proofing FED
IA-12(02) Identity Proofing | Identity Evidence FED
IA-12(03) Identity Proofing | Identity Evidence Validation and Verification FED
IA-12(05) Identity Proofing | Address Confirmation FED


Table 10. Incident Response (IR)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
IR-01 Policy and Procedures CUI 03.15.01
IR-02 Incident Response Training CUI 03.06.04
IR-03 Incident Response Testing CUI 03.06.03
IR-03(02) Incident Response Testing | Coordinate With Related Plans NCO
IR-04 Incident Handling CUI 03.06.01
IR-04(01) Incident Handling | Automated Incident Handling Processes NCO
IR-05 Incident Monitoring CUI 03.06.02
IR-06 Incident Reporting CUI 03.06.02
IR-06(01) Incident Reporting | Automated Reporting NCO
IR-06(03) Incident Reporting | Supply Chain Coordination NCO
IR-07 Incident Response Assistance CUI 03.06.02
IR-07(01) Incident Response Assistance | Automation Support for Availability of Information and Support NCO
IR-08 Incident Response Plan CUI 03.06.05

Table 11. Maintenance (MA)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
MA-01 System Maintenance Policy and Procedures CUI 03.15.01
MA-02 Controlled Maintenance NCO
MA-03 Maintenance Tools CUI 03.07.04
MA-03(01) Maintenance Tools | Inspect Tools CUI 03.07.04
MA-03(02) Maintenance Tools | Inspect Media CUI 03.07.04
MA-03(03) Maintenance Tools | Prevent Unauthorized Removal CUI 03.07.04
MA-04 Nonlocal Maintenance CUI 03.07.05
MA-05 Maintenance Personnel CUI 03.07.06
MA-06 Timely Maintenance NCO


Table 12. Media Protection (MP)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
MP-01 Policy and Procedures CUI 03.15.01
MP-02 Media Access CUI 03.08.02
MP-03 Media Marking CUI 03.08.04
MP-04 Media Storage CUI 03.08.01
MP-05 Media Transport CUI 03.08.05
MP-06 Media Sanitization CUI 03.08.03
MP-07 Media Use CUI 03.08.07


Table 13. Physical and Environmental Protection (PE)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
PE-01 Policy and Procedures CUI 03.15.01
PE-02 Physical Access Authorizations CUI 03.10.01
PE-03 Physical Access Control CUI 03.10.07
PE-04 Access Control for Transmission CUI 03.10.08
PE-05 Access Control for Output Devices CUI 03.10.07
PE-06 Monitoring Physical Access CUI 03.10.02
PE-06(01) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment NCO
PE-08 Visitor Access Records NCO
PE-09 Power Equipment and Cabling NCO
PE-10 Emergency Shutoff NCO
PE-11 Emergency Power NCO
PE-12 Emergency Lighting NCO
PE-13 Fire Protection NCO
PE-13(01) Fire Protection | Detection Systems – Automatic Activation and Notification NCO
PE-14 Environmental Controls NCO
PE-15 Water Damage Protection NCO
PE-16 Delivery and Removal NCO
PE-17 Alternate Work Site CUI 03.10.06

Table 14. Planning (PL)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
PL-01 Policy and Procedures CUI 03.15.01
PL-02 System Security and Privacy Plans CUI 03.15.02
PL-04 Rules of Behavior CUI 03.15.03
PL-04(01) Rules of Behavior | Social Media and External Site/Application Usage Restrictions NCO
PL-08 Security and Privacy Architectures NCO
PL-10 Baseline Selection FED
PL-11 Baseline Tailoring FED


Table 15. Program Management (PM)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
PM-01 Information Security Program Plan N/A
PM-02 Information Security Program Leadership Role N/A
PM-03 Information Security and Privacy Resources N/A
PM-04 Plan of Action and Milestones Process N/A
PM-05 System Inventory N/A
PM-05(01) System Inventory | Inventory of Personally Identifiable Information N/A
PM-06 Measures of Performance N/A
PM-07 Enterprise Architecture N/A
PM-07(01) Enterprise Architecture | Offloading N/A
PM-08 Critical Infrastructure Plan N/A
PM-09 Risk Management Strategy N/A
PM-10 Authorization Process N/A
PM-11 Mission and Business Process Definition N/A
PM-12 Insider Threat Program N/A
PM-13 Security and Privacy Workforce N/A
PM-14 Testing, Training, and Monitoring N/A
PM-15 Security and Privacy Groups and Associations N/A
PM-16 Threat Awareness Program N/A
PM-16(01) Threat Awareness Program | Automated Means for Sharing Threat Intelligence N/A
PM-17 Protecting Controlled Unclassified Information on External Systems N/A
PM-18 Privacy Program Plan N/A
PM-19 Privacy Program Leadership Role N/A
PM-20 Dissemination of Privacy Program Information N/A
PM-20(01) Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services N/A
PM-21 Accounting of Disclosures N/A
PM-22 Personally Identifiable Information Quality Management N/A
PM-23 Data Governance Body N/A
PM-24 Data Integrity Board N/A
PM-25 Minimization of PII Used in Testing, Training, and Research N/A
PM-26 Complaint Management N/A
PM-27 Privacy Reporting N/A
PM-28 Risk Framing N/A
PM-29 Risk Management Program Leadership Roles N/A
PM-30 Supply Chain Risk Management Strategy N/A
PM-30(01) Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-Essential Items N/A
PM-31 Continuous Monitoring Strategy N/A
PM-32 Purposing N/A


Table 16. Personnel Security (PS)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
PS-01 Policy and Procedures CUI 03.15.01
PS-02 Position Risk Designation FED
PS-03 Personnel Screening CUI 03.09.01
PS-04 Personnel Termination CUI 03.09.02
PS-05 Personnel Transfer CUI 03.09.02
PS-06 Access Agreements NCO
PS-07 External Personnel Security NCO
PS-08 Personnel Sanctions NCO
PS-09 Position Descriptions FED

Table 17. Personally Identifiable Information Processing and Transparency (PT)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
PT-01 Policy and Procedures N/A
PT-02 Authority to Process Personally Identifiable Information N/A
PT-02(01) Authority to Process Personally Identifiable Information | Data Tagging N/A
PT-02(02) Authority to Process Personally Identifiable Information | Automation N/A
PT-03 Personally Identifiable Information Processing Purposes N/A
PT-03(01) Personally Identifiable Information Processing Purposes | Data Tagging N/A
PT-03(02) Personally Identifiable Information Processing Purposes | Automation N/A
PT-04 Consent N/A
PT-04(01) Consent | Tailored Consent N/A
PT-04(02) Consent | Just-in-Time Consent N/A
PT-04(03) Consent | Revocation N/A
PT-05 Privacy Notice N/A
PT-05(01) Privacy Notice | Just-in-Time Notice N/A
PT-05(02) Privacy Notice | Privacy Act Statements N/A
PT-06 System of Records Notice N/A
PT-06(01) System of Records Notice | Routine Uses N/A
PT-06(02) System of Records Notice | Exemption Rules N/A
PT-07 Specific Categories of Personally Identifiable Information N/A
PT-07(01) Specific Categories of Personally Identifiable Information | Social Security Numbers N/A
PT-07(02) Specific Categories of Personally Identifiable Information | First Amendment Information N/A
PT-08 Computer Matching Requirements N/A


Table 18. Risk Assessment (RA)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
RA-01 Policy and Procedures CUI 03.15.01
RA-02 Security Categorization FED
RA-03 Risk Assessment CUI 03.11.01
RA-03(01) Risk Assessment | Supply Chain Risk Assessment CUI 03.11.01
RA-05 Vulnerability Monitoring and Scanning CUI 03.11.02
RA-05(02) Vulnerability Monitoring and Scanning | Update Vulnerabilities to be Scanned CUI 03.11.02
RA-05(05) Vulnerability Monitoring and Scanning | Privileged Access ORC
RA-05(11) Vulnerability Monitoring and Scanning | Public Disclosure Program NCO
RA-07 Risk Response CUI 03.11.04
RA-09 Criticality Analysis NCO


Table 19. System and Services Acquisition (SA)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
SA-01 Policy and Procedures CUI 03.15.01
SA-02 Allocation of Resources NCO
SA-03 System Development Life Cycle NCO
SA-04 Acquisition Process NCO
SA-04(01) Acquisition Process | Functional Properties of Controls NCO
SA-04(02) Acquisition Process | Design and Implementation Information for Controls NCO
SA-04(09) Acquisition Process | Functions, Ports, Protocols, and Services in Use NCO
SA-04(10) Acquisition Process | Use of Approved PIV Products FED
SA-05 System Documentation NCO
SA-08 Security and Privacy Engineering Principles CUI 03.16.01
SA-09 External System Services CUI 03.16.03
SA-09(02) External System Services | Identification of Functions, Ports, Protocols, and Services ORC
SA-10 Developer Configuration Management NCO
SA-11 Developer Testing and Evaluation NCO
SA-15 Development Process, Standards, and Tools NCO
SA-15(03) Development Process, Standards, and Tools | Criticality Analysis NCO
SA-22 Unsupported System Components CUI 03.16.02

Table 20. System and Communications Protection (SC)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
SC-01 Policy and Procedures CUI 03.15.01
SC-02 Separation of System and User Functionality ORC
SC-04 Information in Shared System Resources CUI 03.13.04
SC-05 Denial-of-Service Protection NCO
SC-07 Boundary Protection CUI 03.13.01
SC-07(03) Boundary Protection | Access Points ORC
SC-07(04) Boundary Protection | External Telecommunications Services ORC
SC-07(05) Boundary Protection | Deny by Default – Allow by Exception CUI 03.13.06
SC-07(07) Boundary Protection | Split Tunneling for Remote Devices ORC
SC-07(08) Boundary Protection | Route Traffic to Authenticated Proxy Servers ORC
SC-08 Transmission Confidentiality and Integrity CUI 03.13.08
SC-08(01) Transmission Confidentiality and Integrity | Cryptographic Protection CUI 03.13.08
SC-10 Network Disconnect CUI 03.13.09
SC-12 Cryptographic Key Establishment and Management CUI 03.13.10
SC-13 Cryptographic Protection CUI 03.13.11
SC-15 Collaborative Computing Devices and Applications CUI 03.13.12
SC-17 Public Key Infrastructure Certificates FED
SC-18 Mobile Code CUI 03.13.13
SC-20 Secure Name/Address Resolution Service (Authoritative Source) NCO
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) NCO
SC-22 Architecture and Provisioning for Name/Address Resolution Service NCO
SC-23 Session Authenticity CUI 03.13.15
SC-28 Protection of Information at Rest CUI 03.13.08
SC-28(01) Protection of Information at Rest | Cryptographic Protection CUI 03.13.08
SC-39 Process Isolation NCO


Table 21. System and Information Integrity (SI)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
SI-01 Policy and Procedures CUI 03.15.01
SI-02 Flaw Remediation CUI 03.14.01
SI-02(02) Flaw Remediation | Automated Flaw Remediation Status NCO
SI-03 Malicious Code Protection CUI 03.14.02
SI-04 System Monitoring CUI 03.14.06
SI-04(02) System Monitoring | Automated Tools and Mechanisms for Real-Time Analysis NCO
SI-04(04) System Monitoring | Inbound and Outbound Communications Traffic CUI 03.14.06
SI-04(05) System Monitoring | System-Generated Alerts NCO
SI-05 Security Alerts, Advisories, and Directives CUI 03.14.03
SI-07 Software, Firmware, and Information Integrity NCO
SI-07(01) Software, Firmware, and Information Integrity | Integrity Checks NCO
SI-07(07) Software, Firmware, and Information Integrity | Integration of Detection and Response NCO
SI-08 Spam Protection ORC
SI-08(02) Spam Protection | Automatic Updates NCO
SI-10 Information Input Validation NCO
SI-11 Error Handling NCO
SI-12 Information Management and Retention CUI 03.14.08
SI-16 Memory Protection NCO


Table 22. Supply Chain Risk Management (SR)
NIST SP 800-53 CONTROLS (MODERATE BASELINE)  TAILORING CRITERIA  SECURITY REQUIREMENT
SR-01 Policy and Procedures CUI 03.15.01
SR-02 Supply Chain Risk Management Plan CUI 03.17.01
SR-02(01) Supply Chain Risk Management Plan | Establish SCRM Team NCO
SR-03 Supply Chain Controls and Processes CUI 03.17.03
SR-05 Acquisition Strategies, Tools, and Methods CUI 03.17.02
SR-06 Supplier Assessments and Reviews CUI 03.11.01
SR-08 Notification Agreements NCO
SR-10 Inspection of Systems or Components NCO
SR-11 Component Authenticity NCO
SR-11(01) Component Authenticity | Anti-Counterfeit Training NCO
SR-11(02) Component Authenticity | Configuration Control for Component Service and Repair NCO
SR-12 Component Disposal ORC

Appendix D. Organization-Defined Parameters

This appendix lists the organization-defined parameters (ODPs) that are included in the security requirements in Sec. 3. The ODPs are listed sequentially by requirement family, beginning with the first requirement containing an ODP in the Access Control (AC) family and ending with the last requirement containing an ODP in the Supply Chain Risk Management (SR) family.

Table 23. Organization-Defined Parameters
SECURITY REQUIREMENT  ORGANIZATION-DEFINED PARAMETER
03.01.01 03.01.01.f.02 [Assignment: organization-defined time period]
03.01.01 03.01.01.g.01 [Assignment: organization-defined time period]
03.01.01 03.01.01.g.02 [Assignment: organization-defined time period]
03.01.01 03.01.01.g.03 [Assignment: organization-defined time period]
03.01.01 03.01.01.h [Assignment: organization-defined time period]
03.01.01 03.01.01.h [Assignment: organization-defined circumstances]
03.01.05 03.01.05.b [Assignment: organization-defined security functions]
03.01.05 03.01.05.b [Assignment: organization-defined security-relevant information]
03.01.05 03.01.05.c [Assignment: organization-defined frequency]
03.01.06 03.01.06.a [Assignment: organization-defined personnel or roles]
03.01.08 03.01.08.a [Assignment: organization-defined number]
03.01.08 03.01.08.a [Assignment: organization-defined time period]
03.01.08 03.01.08.b [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action]
03.01.10 03.01.10.a [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]
03.01.11 03.01.11 [Assignment: organization-defined conditions or trigger events requiring session disconnect]
03.01.20 03.01.20.b [Assignment: organization-defined security requirements]
03.02.01 03.02.01.a.01 [Assignment: organization-defined frequency]
03.02.01 03.02.01.a.02 [Assignment: organization-defined events]
03.02.01 03.02.01.b [Assignment: organization-defined frequency]
03.02.01 03.02.01.b [Assignment: organization-defined events]
03.02.02 03.02.02.a.01 [Assignment: organization-defined frequency]
03.02.02 03.02.02.a.02 [Assignment: organization-defined events]
03.02.02 03.02.02.b [Assignment: organization-defined frequency]
03.02.02 03.02.02.b [Assignment: organization-defined events]
03.03.01 03.03.01.a [Assignment: organization-defined event types]
03.03.01 03.03.01.b [Assignment: organization-defined frequency]
03.03.04 03.03.04.a [Assignment: organization-defined time period]
03.03.04 03.03.04.b [Assignment: organization-defined additional actions]
03.03.05 03.03.05.a [Assignment: organization-defined frequency]
03.03.07 03.03.07.b [Assignment: organization-defined granularity of time measurement]
03.04.01 03.04.01.b [Assignment: organization-defined frequency]
03.04.02 03.04.02.a [Assignment: organization-defined configuration settings]
03.04.06 03.04.06.b [Assignment: organization-defined functions, ports, protocols, connections, and/or services]
03.04.06 03.04.06.c [Assignment: organization-defined frequency]
03.04.08 03.04.08.c [Assignment: organization-defined frequency]
03.04.10 03.04.10.b [Assignment: organization-defined frequency]
03.04.12 03.04.12.a [Assignment: organization-defined system configurations]
03.04.12 03.04.12.b [Assignment: organization-defined security requirements]
03.05.01 03.05.01.b [Assignment: organization-defined circumstances or situations requiring re-authentication]
03.05.02 03.05.02 [Assignment: organization-defined devices or types of devices]
03.05.05 03.05.05.c [Assignment: organization-defined time period]
03.05.05 03.05.05.d [Assignment: organization-defined characteristic identifying individual status]
03.05.07 03.05.07.a [Assignment: organization-defined frequency]
03.05.07 03.05.07.f [Assignment: organization-defined composition and complexity rules]
03.05.12 03.05.12.e [Assignment: organization-defined frequency]
03.05.12 03.05.12.e [Assignment: organization-defined events]
03.06.02 03.06.02.b [Assignment: organization-defined time period]
03.06.02 03.06.02.c [Assignment: organization-defined authorities]
03.06.03 03.06.03 [Assignment: organization-defined frequency]
03.06.04 03.06.04.a.01 [Assignment: organization-defined time period]
03.06.04 03.06.04.a.03 [Assignment: organization-defined frequency]
03.06.04 03.06.04.b [Assignment: organization-defined frequency]
03.06.04 03.06.04.b [Assignment: organization-defined events]
03.08.07 03.08.07.a [Assignment: organization-defined types of system media]
03.09.01 03.09.01.b [Assignment: organization-defined conditions requiring rescreening]
03.09.02 03.09.02.a.01 [Assignment: organization-defined time period]
03.10.01 03.10.01.c [Assignment: organization-defined frequency]
03.10.02 03.10.02.b [Assignment: organization-defined frequency]
03.10.02 03.10.02.b [Assignment: organization-defined events or potential indications of events]
03.10.06 03.10.06.b [Assignment: organization-defined security requirements]
03.11.01 03.11.01.b [Assignment: organization-defined frequency]
03.11.02 03.11.02.a [Assignment: organization-defined frequency]
03.11.02 03.11.02.b [Assignment: organization-defined response times]
03.11.02 03.11.02.c [Assignment: organization-defined frequency]
03.12.01 03.12.01 [Assignment: organization-defined frequency]
03.12.05 03.12.05.a [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; nondisclosure agreements; other types of agreements]
03.12.05 03.12.05.c [Assignment: organization-defined frequency]
03.13.09 03.13.09 [Assignment: organization-defined time period]
03.13.10 03.13.10 [Assignment: organization-defined requirements for key establishment and management]
03.13.11 03.13.11 [Assignment: organization-defined types of cryptography]
03.13.12 03.13.12.a [Assignment: organization-defined exceptions where remote activation is to be allowed]
03.14.01 03.14.01.b [Assignment: organization-defined time period]
03.14.02 03.14.02.c.01 [Assignment: organization-defined frequency]
03.15.01 03.15.01.b [Assignment: organization-defined frequency]
03.15.02 03.15.02.b [Assignment: organization-defined frequency]
03.15.03 03.15.03.d [Assignment: organization-defined frequency]
03.16.01 03.16.01 [Assignment: organization-defined systems security engineering principles]
03.16.03 03.16.03.a [Assignment: organization-defined security requirements]
03.17.01 03.17.01.b [Assignment: organization-defined frequency]
03.17.03 03.17.03.b [Assignment: organization-defined security requirements]

Appendix E. Change Log

This publication incorporates the following changes from the original edition (February 2020; updated January 28, 2021):

  • Streamlined introductory information in Sec. 1 and Sec. 2 to improve clarity and understanding

  • Modified the security requirements and families in Sec. 3 to reflect the security controls in the SP 800-53B [12] moderate baseline and the tailoring actions in Appendix C

  • Eliminated the distinction between basic and derived security requirements

  • Increased the specificity of security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments

  • Introduced organization-defined parameters (ODPs) in selected security requirements to increase flexibility and help organizations better manage risk

  • Grouped security requirements, where possible, to improve understanding and the efficiency of implementations and assessments

  • Removed outdated and redundant security requirements

  • Added new security requirements

  • Added titles to the security requirements

  • Restructured and streamlined the security requirement discussion sections

  • Added new tailoring categories: Other Related Controls (ORC) and Not Applicable (N/A)

  • Recategorized selected controls in the SP 800-53B moderate baseline using the tailoring criteria in Appendix C

  • Revised the security requirements for consistency with the security control language in SP 800-53

  • Revised the structure of the References, Acronyms, and Glossary sections for greater clarity and ease of use

  • Revised the tailoring tables in Appendix C to be consistent with the changes to the security requirements

  • Added new appendix listing organization-defined parameters for security requirements

Table 24 shows the changes incorporated into this publication. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature. Any potential updates to this document that are not yet published in an errata update or a formal revision, including additional issues and potential corrections, will be posted as they are identified. See the [publication details] for this report. The current release of this publication does not include any errata updates.

Table 24. Change Log
PUBLICATION ID DATE TYPE OF EDIT CHANGE LOCATION