NIST Special Publication 800 NIST SP 800-171r3
The Security Requirements
03.11.01: Risk Assessment
Establishing the system boundary is a prerequisite to assessing the risk of the unauthorized disclosure of CUI. Risk assessments consider threats, vulnerabilities, likelihood, and adverse impacts to organizational operations and assets based on the operation and use of the system and the unauthorized disclosure of CUI…
03.11.02: Vulnerability Monitoring and Scanning
Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis…
03.11.03: Withdrawn
Incorporated into 03.11.02.
03.11.04: Risk Response
This requirement addresses the need to determine an appropriate response to risk before generating a plan of action and milestones (POAM) entry.