NIST Special Publication 800 NIST SP 800-171r3

The Security Requirements

03.14.01: Flaw Remediation

Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security responsibilities…

03.14.02: Malicious Code Protection

Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code can be inserted into the system in a variety of ways, including email, the internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware…

03.14.03: Security Alerts, Advisories, and Directives

There are many publicly available sources of system security alerts and advisories. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) generate security alerts and advisories to maintain situational awareness across the Federal Government and in nonfederal organizations…

03.14.04: Withdrawn

Incorporated into 03.14.02.

03.14.05: Withdrawn

Incorporated into 03.14.02.

03.14.06: System Monitoring

System monitoring involves external and internal monitoring. Internal monitoring includes the observation of events that occur within the system. External monitoring includes the observation of events that occur at the system boundary…

03.14.07: Withdrawn

Incorporated into 03.14.06.

03.14.08: Information Management and Retention

Federal agencies consider data retention requirements for nonfederal organizations. Retaining CUI on nonfederal systems after contracts or agreements have concluded increases the attack surface for those systems and the risk of the information being compromised…