NIST Special Publication 800-171, Revision 3 (NIST SP 800-171r3)

The Security Requirements

03.01.01: Account Management

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations other than those determined by account type (e.g., privileged access, non-privileged access) are addressed in 03.01.02…

03.01.02: Access Enforcement

Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems…

03.01.03: Information Flow

Information flow control regulates where CUI can transit within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information…

03.01.04: Separation of Duties

Separation of duties addresses the potential for abuse of authorized privileges and reduces the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and support functions among different individuals or roles…

03.01.05: Least Privilege

Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system…

03.01.06: Least Privilege – Privileged Accounts

Privileged accounts refer to accounts that are granted elevated privileges to access resources (including security functions or security-relevant information) that are otherwise restricted for non-privileged accounts…

03.01.07: Least Privilege – Privileged Functions

Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, changing system configuration settings, or administering cryptographic key management activities.

03.01.08: Unsuccessful Logon Attempts

Because a permanent lockout could be abused to deny service to legitimate users, automatic system lockouts are, in most cases, temporary and release automatically after a predetermined period established by the organization (i.e., using a delay algorithm)…
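One way to implement the temporary lockout and delay algorithm described above, as an added example that is not part of NIST SP 800-171r3 (the class name, the thresholds and the injected clock are assumptions chosen for illustration): consecutive failed logons are counted per account within a sliding window; reaching the threshold locks the account for a delay that doubles on each successive lockout up to a cap, and the lock releases on its own without administrator action. Credentials are not even checked while the account is locked.

```python
"""Temporary logon lockout with an escalating delay (added example, not NIST text)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed attempts in the current window
    window_start: float = 0.0  # time of the first failure in the current window
    locked_until: float = 0.0  # 0.0 when the account is not locked
    lockouts: int = 0          # consecutive lockouts since the last successful logon


class LogonLockoutPolicy:
    """Counts unsuccessful logon attempts and applies an automatically releasing lockout.

    Thresholds below are illustrative organisation-defined values (assumptions):
    3 failures within 15 minutes lock the account for 60 s; each further lockout
    doubles the delay (120 s, 240 s, ...) up to 1 hour. A successful logon resets
    the failure count and the delay escalation.
    """

    def __init__(self, max_attempts: int = 3, window_seconds: float = 900.0,
                 base_delay_seconds: float = 60.0, max_delay_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if max_attempts < 1 or base_delay_seconds <= 0:
            raise ValueError("max_attempts and base_delay_seconds must be positive")
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.base_delay_seconds = base_delay_seconds
        self.max_delay_seconds = max_delay_seconds
        self._clock = clock
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, account: str) -> _AccountState:
        return self._accounts.setdefault(account, _AccountState())

    def lockout_remaining(self, account: str) -> float:
        """Seconds until the account unlocks, or 0.0 if it is not locked."""
        return max(0.0, self._state(account).locked_until - self._clock())

    def attempt(self, account: str, verify: Callable[[], bool]) -> str:
        """Process one logon attempt; returns 'locked', 'denied' or 'allowed'.

        `verify` performs the real credential check and is only invoked when the
        account is not locked, so a locked account gives no feedback on the password.
        """
        st = self._state(account)
        now = self._clock()
        if st.locked_until > now:
            return "locked"
        if st.locked_until:                     # a lockout has just expired: fresh window
            st.locked_until = 0.0
            st.failures = 0
        if verify():
            self._accounts.pop(account, None)   # success clears counters and escalation
            return "allowed"
        if st.failures == 0 or now - st.window_start > self.window_seconds:
            st.failures = 0                     # start a new counting window
            st.window_start = now
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.lockouts += 1
            delay = min(self.base_delay_seconds * 2 ** (st.lockouts - 1),
                        self.max_delay_seconds)
            st.locked_until = now + delay       # releases automatically; no admin needed
            st.failures = 0
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic clock so the escalation can be exercised without waiting."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Constructed sequence of attempts against one account; returns the outcomes."""
    clock = FakeClock()
    policy = LogonLockoutPolicy(clock=clock)
    bad, good = (lambda: False), (lambda: True)
    outcomes = [policy.attempt("alice", bad) for _ in range(3)]   # denied, denied, locked (60 s)
    outcomes.append(policy.attempt("alice", good))               # correct password, still locked
    clock.advance(61)                                            # first lockout has released
    outcomes += [policy.attempt("alice", bad) for _ in range(3)]  # denied, denied, locked (120 s)
    clock.advance(61)
    outcomes.append(policy.attempt("alice", good))               # 120 s not yet elapsed: locked
    clock.advance(60)
    outcomes.append(policy.attempt("alice", good))               # released: allowed
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lock is keyed by account, which is what the requirement describes but also what makes a permanent lockout a denial-of-service risk: anyone who knows a username could lock its owner out. The escalating-but-capped delay keeps brute forcing slow while guaranteeing the legitimate user regains access without a help-desk call; deployments that also key on source address, or that alert on repeated lockouts, build on this same state machine.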

03.01.09: System Use Notification

System use notifications can be implemented using messages or warning banners. The messages or warning banners are displayed before individuals log in to a system that processes, stores, or transmits CUI…

03.01.10: Device Lock

Device locks are temporary actions taken to prevent access to the system when users depart from the immediate vicinity of the system but do not want to log out due to the temporary nature of their absences…

03.01.11: Session Termination

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in 03.13.09…

03.01.12: Remote Access

Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies…

03.01.13: Withdrawn

Addressed by 03.13.08.

03.01.14: Withdrawn

Incorporated into 03.01.12.

03.01.15: Withdrawn

Incorporated into 03.01.12.

03.01.16: Wireless Access

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions…

03.01.17: Withdrawn

Incorporated into 03.01.16.

03.01.18: Access Control for Mobile Devices

A mobile device is a computing device with a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source…

03.01.19: Withdrawn

Incorporated into 03.01.18.

03.01.20: Use of External Systems

External systems are systems that are used by but are not part of the organization. These systems include personally owned systems, system components, or devices; privately owned computing and communication devices in commercial or public facilities…

03.01.21: Withdrawn

Incorporated into 03.01.20.

03.01.22: Publicly Accessible Content

In accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including CUI.