April 10, 2019

    NIST 800-171: Ensuring Compliance with Access Control Measures

    Are you complying with NIST (National Institute of Standards and Technology) SP 800-171? Because there are so many security controls you must have in place, it can be difficult to determine if you are in total compliance.

    Use the following assessment to determine if you are in alignment with these essential regulations. If you answer yes to each of the questions on this NIST 800-171 questionnaire, you have all the appropriate security measures in place. This NIST 800-171 questionnaire will help you determine if you have additional steps to take, as well.

    Access Control

    • Are authorized users the only ones who have access to your information systems?

    • Is system access limited to permitted activities and functions?

    • Are you controlling access to CUI (controlled unclassified information)?

    • Are your employees’ duties separated to prevent the risk of unauthorized or malevolent activities?

    • Do employees have the least amount of CUI access necessary to perform their jobs?

    • Do you have the capabilities to assign non-privileged accounts or roles?

    • Can you prevent non-privileged users from enacting privileged functions?

    • Do you limit unsuccessful login attempts?

    • Are you providing security notices in alignment with NIST’s CUI-related rules?

    • Do you lock sessions and prevent access after periods of inactivity?

    • Do you auto-terminate sessions after a designated period of time?

    • Do your information solutions enable you to monitor and control remote access sessions?

    • Do you encrypt data to protect it during remote sessions?

    • Is remote access routed through managed access control points?

    • Have you authorized remote access to CUI?

    • Do you verify remote access prior to approving user connections?

    • Is wireless access protected through data encryption and user authentication?

    • Can you control a mobile device connection?

    • Do you encrypt CUI on employees’ mobile devices?

    • Do you monitor and control the use of external information systems?

    • Do you have and enforce security policies related to portable storage devices?

    • Is information shared on public information systems protected?

    Awareness and Training

    • Are all authorized users trained and aware of the policies and procedures to mitigate security risks associated with CUI?

    • Are your employees trained on their individual CUI security-related responsibilities?

    • Do you regularly provide training on how employees can identify and report security breaches?

    Audit and Accountability

    • Do you have audit creation, protection, and storage capabilities in the event of a security breach?

    • Can you trace user actions to their source?

    • Are you reviewing audited events?

    • Are safeguards in place to notify you when the audit process fails?

    • Do you use automated audit functions, like review, analysis, and reporting?

    • Can you generate on-demand audit reports?

    • Are your audit records accurately time-stamped?

    • Do only authorized users have access to audits?

    • Do you have security controls in place to prevent unauthorized users from altering audit records?

    Configuration Management

    • Do you have established baseline configurations throughout the life cycles of your information systems?

    • Do you have an established security configuration for your information systems and are you enforcing it?

    • Are you able to track, review, approve, disapprove, and audit any changes made to your information systems?

    • Do you analyze the impact any changes will have on security prior to implementation?

    • Do you restrict access regarding who can alter your configurations?

    • Do you grant the least amount of configuration access necessary to maintain CUI security?

    • Can you prevent, restrict, or disable non-essential programs, ports, services, and more?

    • Do you monitor user-installed software?

    • Can you prevent the use of unauthorized software?

    • Do you control and monitor user-installed software?

    Identification and Authentication

    • Do you have mechanisms to identify users?

    • Do you authenticate users before granting access to your information systems?

    • Do you use multi-factor authentication measures to verify user identity?

    • Are replay-resistant authentication measures used to verify users?

    • Do you prevent users from reusing identifiers?

    • Are login credentials disabled after a period of inactivity?

    • Do you have password complexity and character requirements?

    • Do you prevent users from reusing passwords for a defined period of time?

    • Are temporary passwords provided when passwords are being changed?

    • Are passwords encrypted when stored or transferred?

    • Is your authentication information secure?

    Incident Response

    • Do you have processes regarding preparation, detection, containment, and recovery in place to handle data security incidents?

    • Are you documenting and reporting incidents to the appropriate authorities within and outside your organization?

    • Do you test your incident response processes for effectiveness?


    • Is regular maintenance performed on your information systems?

    • Do you have security controls in place to protect CUI during maintenance?

    • Do you sanitize CUI from equipment before it is moved off your premises for maintenance?

    • Are all media and devices tested for security threats before being exposed to CUI?

    • Are personnel performing maintenance required to use multi-factor authentication methods during their work and are those login credentials deleted when maintenance is complete?

    • Are you supervising all maintenance activities?

    Media Protection

    • Are you protecting all media containing digital and physical CUI?

    • Is media access limited to authorized users?

    • Do you sanitize media of all CUI before disposal or reuse?

    • Is all media containing CUI properly marked?

    • Are you monitoring media containing CUI when it is taken off secure premises?

    • Is CUI encrypted on your media devices?

    • Are access and use of mobile media controlled?

    • Is the use of portable storage devices limited to devices authorized by your organization?

    • Is CUI protected at storage locations?

    Personnel Security

    • Are all individuals with access to CUI properly screened?

    • Is CUI protected during personnel transfers and terminations?

    Physical Protection

    • Do you limit physical access to your information systems only to authorized users?

    • Are the physical locations of your information systems secure and monitored?

    • Is visitor activity at these locations monitored?

    • Do you keep a log of who has physical access to your information systems?

    • Are you managing physical access devices?

    • Is CUI protected at remote work sites?

    Risk Assessment

    • Are your business operations related to CUI, including handling, storage, and transfer, regularly assessed for risk?

    • Do you scan for vulnerabilities in your systems?

    • Are vulnerabilities quickly addressed when they are detected?

    Security Assessment

    • Are your security controls regularly assessed to ensure they are effective?

    • Do you have established processes to remedy security vulnerabilities when they arise?

    • Do you perform security assessments on an ongoing basis?

    System and Communication Protection

    • Are organizational communications monitored and protected?

    • Do you use architectural designs and development techniques that promote the secure use of information systems?

    • Is user functionality separate from system administration functionality?

    • Is file sharing monitored and protected?

    • Are public systems separate from secure CUI systems?

    • Do you monitor and grant/deny access to network communication traffic?

    • Do you monitor and control remote network access?

    • Is CUI encrypted during file transfers?

    • Are network connections automatically terminated after a period of inactivity?

    • Are cryptographic keys used to protect your information systems?

    • Is FIPS (Federal Information Processing Standards)-approved encryption used to protect CUI?

    • Is remote access to collaborative computing devices prohibited?

    • Is the mobile device use controlled and monitored?

    • Are Voice over Internet Protocol (VoIP) technologies controlled and monitored?

    • Are communication sessions authenticated and protected?

    • Is CUI protected when stored (at-rest)?

    System and Information Integrity

    • Are system vulnerabilities quickly detected, reported, and corrected?

    • Are your systems protected from a data breach in the form of malicious code?

    • Are security alerts monitored and acted upon quickly?

    • Do you regularly update security measures?

    • Is transmitted data scanned before being downloaded or opened?

    • Are inbound and outbound communications monitored?

    • Is authorized use of your information systems identified?

    If you answered no to any of the questions on this NIST 800-171 questionnaire, you need to take action to remedy these security vulnerabilities quickly. One of the best ways to align with NIST 800-171 is to adopt a secure file sharing solution, which will have many of these security measures built in. Now that you know more about the security measures prescribed by NIST 800-171, you’re equipped to meet these guidelines.

    Learn more about government guidelines you need to align within this DFARS checklist.

    Tag(s): Government

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts