NIST Special Publication 800

NIST SP 800-171r3

The Security Requirements

03.04.01: Baseline Configuration

Baseline configurations for the system and system components include aspects of connectivity, operation, and communications. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for the system or configuration items within the system…

03.04.02: Configuration Settings

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system and that affect the security posture or functionality of the system. Security-related configuration settings can be defined for systems…

03.04.03: Configuration Change Control

Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system…

03.04.04: Impact Analyses

Organizational personnel with security responsibilities conduct impact analyses that include reviewing system security plans, policies, and procedures to understand security requirements;…

03.04.05: Access Restrictions

Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system…

03.04.06: Least Functionality

Systems can provide a variety of functions and services. Some functions and services that are routinely provided by default may not be necessary to support essential organizational missions, functions, or operations…

03.04.07: Withdrawn

Incorporated into 03.04.06 and 03.04.08.

03.04.08: Authorized Software – Allow by Exception

If provided with the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation…

03.04.09: Withdrawn

Addressed by 03.01.05, 03.01.06, 03.01.07, 03.04.08, and 03.12.03.

03.04.10: System Component Inventory

System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems…

03.04.11: Information Location

Information location addresses the need to understand the specific system components where CUI is being processed and stored and the users who have access to CUI so…

03.04.12: System and Component Configuration for High-Risk Areas

Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies…