IT KORR Knowledge Center
NIST SP 800-171 Control Family Checklist
A checklist of representative implementation items organized by NIST SP 800-171 control family, for organizations protecting CUI.
Access Control & Identification and Authentication
- Limit system access to authorized users, processes, and devices, and to the types of transactions those users are permitted to execute.
- Enforce the principle of least privilege, including for specific security functions and privileged accounts.
- Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Uniquely identify and authenticate every user before allowing access to organizational systems — no shared or generic accounts.
Audit & Accountability and Configuration Management
- Create and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity.
- Ensure the actions of individual system users can be uniquely traced, to hold them accountable for their actions.
- Establish and maintain baseline configurations and inventories of organizational systems throughout their lifecycle.
- Establish and enforce security configuration settings, and track, review, and approve changes to those settings.
Incident Response, Media Protection, and Risk Assessment
- Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and reporting.
- Track, document, and report incidents to designated officials and/or authorities, both internal and external, as required.
- Protect (physically control and securely store) media containing CUI, both paper and digital.
- Sanitize or destroy media containing CUI before disposal, release, or reuse.
- Periodically assess the risk to organizational operations from the operation of systems processing CUI, and remediate vulnerabilities in accordance with risk assessments.
System & Communications Protection
- Monitor, control, and protect organizational communications at external boundaries and key internal boundaries.
- Employ architectural designs and software engineering techniques that promote effective information security within systems (e.g., network segmentation).
- Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards.
- Terminate network connections associated with communication sessions at the end of the session or after a defined period of inactivity.
Related Resources
- NIST SP 800-171 Explained — /knowledge-center/compliance/compliance-governance/nist-sp-800-171-explained
- CMMC 2.0 Overview — /knowledge-center/compliance/compliance-governance/cmmc-20-overview