NIST Special Publication 800 NIST SP 800-171r3
The Security Requirements
03.13.01: Boundary Protection
Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs…
03.13.02: Withdrawn
Recategorized as NCO.
03.13.03: Withdrawn
Addressed by 03.01.01, 03.01.02, 03.01.03, 03.01.04, 03.01.05, 03.01.06, and 03.01.07.
03.13.04: Information in Shared System Resources
Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or actions of processes acting on behalf of prior users or roles)…
03.13.05: Withdrawn
Incorporated into 03.13.01.
03.13.06: Network Communications – Deny by Default – Allow by Exception
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system…
03.13.07: Withdrawn
Addressed by 03.01.12, 03.04.02, and 03.04.06.
03.13.08: Transmission and Storage Confidentiality
This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios…
03.13.09: Network Disconnect
This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating TCP/IP addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection…
03.13.10: Cryptographic Key Establishment and Management
Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures…
03.13.11: Cryptographic Protection
Cryptography is implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. FIPS-validated cryptography is recommended for the protection of CUI…
03.13.12: Collaborative Computing Devices and Applications
Collaborative computing devices include white boards, microphones, and cameras. Notebook computers, smartphones, display monitors, and tablets containing cameras and microphones are considered part of collaborative computing devices when conferencing software is in use…
03.13.13: Mobile Code
Mobile code includes software programs or parts of programs that are obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Decisions regarding the use of mobile code are based on the potential for the code to cause damage to the system if used maliciously…
03.13.14: Withdrawn
Technology-specific.
03.13.15: Session Authenticity
Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information…
03.13.16: Withdrawn
Incorporated into 03.13.08.
NIST SP 800-171r3 (USA) & ITSP.10.171 (Canada)