NIST SP 800-171 Rev 3
CUI Protection Requirements Rev 3
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
382 requirements in total.
03.01 — Access Control (77 requirements)
03.01.01 Account Management
03.01.01.a Account Management a
03.01.01.b Account Management b
03.01.01.c Account Management c
03.01.01.c.01 Account Management c.01
03.01.01.c.02 Account Management c.02
03.01.01.c.03 Account Management c.03
03.01.01.d Account Management d
03.01.01.d.01 Account Management d.01
03.01.01.d.02 Account Management d.02
03.01.01.e Account Management e
03.01.01.f Account Management f
03.01.01.f.01 Account Management f.01
03.01.01.f.02 Account Management f.02
03.01.01.f.03 Account Management f.03
03.01.01.f.04 Account Management f.04
03.01.01.f.05 Account Management f.05
03.01.01.g Account Management g
03.01.01.g.01 Account Management g.01
03.01.01.g.02 Account Management g.02
03.01.01.g.03 Account Management g.03
03.01.01.h Account Management h
03.01.02 Access Enforcement
03.01.03 Information Flow Enforcement
03.01.04 Separation of Duties
03.01.04.a Separation of Duties a
03.01.04.b Separation of Duties b
03.01.05 Least Privilege
03.01.05.a Least Privilege a
03.01.05.b Least Privilege b
03.01.05.c Least Privilege c
03.01.05.d Least Privilege d
03.01.06 Least Privilege - Privileged Accounts
03.01.06.a Least Privilege - Privileged Accounts a
03.01.06.b Least Privilege - Privileged Accounts b
03.01.07 Least Privilege - Privileged Functions
03.01.07.a Least Privilege - Privileged Functions a
03.01.07.b Least Privilege - Privileged Functions b
03.01.08 Unsuccessful Logon Attempts
03.01.08.a Unsuccessful Logon Attempts a
03.01.08.b Unsuccessful Logon Attempts b
03.01.09 Privacy and Security Notices
03.01.10 Session Lock
03.01.10.a Session Lock a
03.01.10.b Session Lock b
03.01.10.c Session Lock c
03.01.11 Session Termination
03.01.12 Remote Access
03.01.12.a Remote Access a
03.01.12.b Remote Access b
03.01.12.c Remote Access c
03.01.12.d Remote Access d
03.01.13 Remote Access - Routing Through Managed Access Control Points
03.01.14 Remote Access - Cryptographic Protection
03.01.15 Remote Access - Managed Access Control Points
03.01.16 Wireless Access
03.01.16.a Wireless Access a
03.01.16.b Wireless Access b
03.01.16.c Wireless Access c
03.01.16.d Wireless Access d
03.01.17 Wireless Access - Authentication and Encryption
03.01.18 Mobile Device Connection
03.01.18.a Mobile Device Connection a
03.01.18.b Mobile Device Connection b
03.01.18.c Mobile Device Connection c
03.01.19 Access Control for CUI on Public Systems
03.01.20 Use of External Systems
03.01.20.a Use of External Systems a
03.01.20.b Use of External Systems b
03.01.20.c Use of External Systems c
03.01.20.c.01 Use of External Systems c.01
03.01.20.c.02 Use of External Systems c.02
03.01.20.d Use of External Systems d
03.01.21 Portable Storage Devices
03.01.22 Publicly Accessible Content
03.01.22.a Publicly Accessible Content a
03.01.22.b Publicly Accessible Content b
03.02 — Awareness and Training (12 requirements)
03.02.01 Literacy Training and Awareness
03.02.01.a Literacy Training and Awareness a
03.02.01.a.01 Literacy Training and Awareness a.01
03.02.01.a.02 Literacy Training and Awareness a.02
03.02.01.a.03 Literacy Training and Awareness a.03
03.02.01.b Literacy Training and Awareness b
03.02.02 Role-Based Training
03.02.02.a Role-Based Training a
03.02.02.a.01 Role-Based Training a.01
03.02.02.a.02 Role-Based Training a.02
03.02.02.b Role-Based Training b
03.02.03 Literacy Training and Awareness (Incorporated)
03.03 — Audit and Accountability (32 requirements)
03.03.01 Event Logging
03.03.01.a Event Logging a
03.03.01.b Event Logging b
03.03.02 Audit Record Content
03.03.02.a Audit Record Content a
03.03.02.a.01 Audit Record Content a.01
03.03.02.a.02 Audit Record Content a.02
03.03.02.a.03 Audit Record Content a.03
03.03.02.a.04 Audit Record Content a.04
03.03.02.a.05 Audit Record Content a.05
03.03.02.a.06 Audit Record Content a.06
03.03.02.b Audit Record Content b
03.03.03 Audit Record Generation
03.03.03.a Audit Record Generation a
03.03.03.b Audit Record Generation b
03.03.04 Audit Logging Process Failure Response
03.03.04.a Audit Logging Process Failure Response a
03.03.04.b Audit Logging Process Failure Response b
03.03.05 Audit Record Review, Analysis, and Reporting
03.03.05.a Audit Record Review, Analysis, and Reporting a
03.03.05.b Audit Record Review, Analysis, and Reporting b
03.03.05.c Audit Record Review, Analysis, and Reporting c
03.03.06 Audit Record Reduction and Report Generation
03.03.06.a Audit Record Reduction and Report Generation a
03.03.06.b Audit Record Reduction and Report Generation b
03.03.07 Time Stamps
03.03.07.a Time Stamps a
03.03.07.b Time Stamps b
03.03.08 Audit Record Protection
03.03.08.a Audit Record Protection a
03.03.08.b Audit Record Protection b
03.03.09 Audit Record Protection (Incorporated)
03.04 — Configuration Management (36 requirements)
03.04.01 Baseline Configuration
03.04.01.a Baseline Configuration a
03.04.01.b Baseline Configuration b
03.04.02 Configuration Settings
03.04.02.a Configuration Settings a
03.04.02.b Configuration Settings b
03.04.03 Configuration Change Control
03.04.03.a Configuration Change Control a
03.04.03.b Configuration Change Control b
03.04.03.c Configuration Change Control c
03.04.03.d Configuration Change Control d
03.04.04 Impact Analyses
03.04.04.a Impact Analyses a
03.04.04.b Impact Analyses b
03.04.05 Access Restrictions for Change
03.04.06 Least Functionality
03.04.06.a Least Functionality a
03.04.06.b Least Functionality b
03.04.06.c Least Functionality c
03.04.06.d Least Functionality d
03.04.07 Nonessential Functionality
03.04.08 Application Execution Policy
03.04.08.a Application Execution Policy a
03.04.08.b Application Execution Policy b
03.04.08.c Application Execution Policy c
03.04.09 User-Installed Software
03.04.10 System Component Inventory
03.04.10.a System Component Inventory a
03.04.10.b System Component Inventory b
03.04.10.c System Component Inventory c
03.04.11 Information Location
03.04.11.a Information Location a
03.04.11.b Information Location b
03.04.12 System and Component Configuration for High-Risk Areas
03.04.12.a System and Component Configuration for High-Risk Areas a
03.04.12.b System and Component Configuration for High-Risk Areas b
03.05 — Identification and Authentication (30 requirements)
03.05.01 Identification and Authentication (Users)
03.05.01.a Identification and Authentication (Users) a
03.05.01.b Identification and Authentication (Users) b
03.05.02 Device Identification and Authentication
03.05.03 Multi-Factor Authentication
03.05.04 Replay-Resistant Authentication
03.05.05 Identifier Management
03.05.05.a Identifier Management a
03.05.05.b Identifier Management b
03.05.05.c Identifier Management c
03.05.05.d Identifier Management d
03.05.06 Password-Based Authentication
03.05.07 Authenticator Management
03.05.07.a Authenticator Management a
03.05.07.b Authenticator Management b
03.05.07.c Authenticator Management c
03.05.07.d Authenticator Management d
03.05.07.e Authenticator Management e
03.05.07.f Authenticator Management f
03.05.08 Authenticator Feedback
03.05.09 Cryptographic Module Authentication
03.05.10 Adaptive Authentication
03.05.11 Credential Management
03.05.12 PKI-Based Authentication
03.05.12.a PKI-Based Authentication a
03.05.12.b PKI-Based Authentication b
03.05.12.c PKI-Based Authentication c
03.05.12.d PKI-Based Authentication d
03.05.12.e PKI-Based Authentication e
03.05.12.f PKI-Based Authentication f
03.06 — Incident Response (24 requirements)
03.06.01 Incident Handling
03.06.02 Incident Monitoring, Reporting, and Response Assistance
03.06.02.a Incident Monitoring, Reporting, and Response Assistance a
03.06.02.b Incident Monitoring, Reporting, and Response Assistance b
03.06.02.c Incident Monitoring, Reporting, and Response Assistance c
03.06.02.d Incident Monitoring, Reporting, and Response Assistance d
03.06.03 Incident Response Testing
03.06.04 Incident Reporting
03.06.04.a Incident Reporting a
03.06.04.a.01 Incident Reporting a.01
03.06.04.a.02 Incident Reporting a.02
03.06.04.a.03 Incident Reporting a.03
03.06.04.b Incident Reporting b
03.06.05 Information Sharing
03.06.05.a Information Sharing a
03.06.05.a.01 Information Sharing a.01
03.06.05.a.02 Information Sharing a.02
03.06.05.a.03 Information Sharing a.03
03.06.05.a.04 Information Sharing a.04
03.06.05.a.05 Information Sharing a.05
03.06.05.a.06 Information Sharing a.06
03.06.05.b Information Sharing b
03.06.05.c Information Sharing c
03.06.05.d Information Sharing d
03.07 — Maintenance (16 requirements)
03.07.01 System Maintenance
03.07.02 Controlled Maintenance
03.07.03 Maintenance Tools
03.07.04 Nonlocal Maintenance
03.07.04.a Nonlocal Maintenance a
03.07.04.b Nonlocal Maintenance b
03.07.04.c Nonlocal Maintenance c
03.07.05 Maintenance Personnel
03.07.05.a Maintenance Personnel a
03.07.05.b Maintenance Personnel b
03.07.05.c Maintenance Personnel c
03.07.06 Timely Maintenance
03.07.06.a Timely Maintenance a
03.07.06.b Timely Maintenance b
03.07.06.c Timely Maintenance c
03.07.06.d Timely Maintenance d
03.08 — Media Protection (16 requirements)
03.08.01 Media Storage
03.08.02 Media Access
03.08.03 Media Sanitization
03.08.04 Media Marking
03.08.05 Media Transport
03.08.05.a Media Transport a
03.08.05.b Media Transport b
03.08.05.c Media Transport c
03.08.06 Media Use
03.08.07 Media Downgrading
03.08.07.a Media Downgrading a
03.08.07.b Media Downgrading b
03.08.08 CUI Backup Storage
03.08.09 CUI on Mobile Devices
03.08.09.a CUI on Mobile Devices a
03.08.09.b CUI on Mobile Devices b
03.09 — Personnel Security (11 requirements)
03.09.01 Personnel Screening
03.09.01.a Personnel Screening a
03.09.01.b Personnel Screening b
03.09.02 Personnel Actions
03.09.02.a Personnel Actions a
03.09.02.a.01 Personnel Actions a.01
03.09.02.a.02 Personnel Actions a.02
03.09.02.a.03 Personnel Actions a.03
03.09.02.b Personnel Actions b
03.09.02.b.01 Personnel Actions b.01
03.09.02.b.02 Personnel Actions b.02
03.10 — Physical Protection (23 requirements)
03.10.01 Physical Access Authorizations
03.10.01.a Physical Access Authorizations a
03.10.01.b Physical Access Authorizations b
03.10.01.c Physical Access Authorizations c
03.10.01.d Physical Access Authorizations d
03.10.02 Physical Access Control
03.10.02.a Physical Access Control a
03.10.02.b Physical Access Control b
03.10.03 Visitor Access Records
03.10.04 Physical Access Logging
03.10.05 Manage Physical Access
03.10.06 Alternative Work Sites
03.10.06.a Alternative Work Sites a
03.10.06.b Alternative Work Sites b
03.10.07 Monitoring Physical Access
03.10.07.a Monitoring Physical Access a
03.10.07.a.01 Monitoring Physical Access a.01
03.10.07.a.02 Monitoring Physical Access a.02
03.10.07.b Monitoring Physical Access b
03.10.07.c Monitoring Physical Access c
03.10.07.d Monitoring Physical Access d
03.10.07.e Monitoring Physical Access e
03.10.08 Physical Access to Transmission Lines
03.11 — Risk Assessment (9 requirements)
03.11.01 Risk Assessment
03.11.01.a Risk Assessment a
03.11.01.b Risk Assessment b
03.11.02 Vulnerability Monitoring and Scanning
03.11.02.a Vulnerability Monitoring and Scanning a
03.11.02.b Vulnerability Monitoring and Scanning b
03.11.02.c Vulnerability Monitoring and Scanning c
03.11.03 Risk Response
03.11.04 Risk Response
03.12 — Security Assessment and Monitoring (15 requirements)
03.12.01 Security Assessment
03.12.02 Plan of Action and Milestones
03.12.02.a Plan of Action and Milestones a
03.12.02.a.01 Plan of Action and Milestones a.01
03.12.02.a.02 Plan of Action and Milestones a.02
03.12.02.b Plan of Action and Milestones b
03.12.02.b.01 Plan of Action and Milestones b.01
03.12.02.b.02 Plan of Action and Milestones b.02
03.12.02.b.03 Plan of Action and Milestones b.03
03.12.03 Continuous Monitoring
03.12.04 System and Network Security Architecture
03.12.05 Information Exchange
03.12.05.a Information Exchange a
03.12.05.b Information Exchange b
03.12.05.c Information Exchange c
03.13 — System and Communications Protection (23 requirements)
03.13.01 Boundary Protection
03.13.01.a Boundary Protection a
03.13.01.b Boundary Protection b
03.13.01.c Boundary Protection c
03.13.02 Information in Shared System Resources
03.13.03 Security and Privacy Engineering
03.13.04 CUI Separation
03.13.05 Transmission Confidentiality and Integrity
03.13.06 Network Disconnect
03.13.07 Cryptographic Protection
03.13.08 CUI at Rest
03.13.09 Connections to Public Networks
03.13.10 Collaborative Computing Devices
03.13.11 Mobile Code
03.13.12 Voice over Internet Protocol
03.13.12.a Voice over Internet Protocol a
03.13.12.b Voice over Internet Protocol b
03.13.13 DNS and Traffic Filtering
03.13.13.a DNS and Traffic Filtering a
03.13.13.b DNS and Traffic Filtering b
03.13.14 Technology-Specific Implementation
03.13.15 Session Authenticity
03.13.16 CUI at Rest (Incorporated)
03.14 — System and Information Integrity (22 requirements)
03.14.01 Flaw Remediation
03.14.01.a Flaw Remediation a
03.14.01.b Flaw Remediation b
03.14.02 Malicious Code Protection
03.14.02.a Malicious Code Protection a
03.14.02.b Malicious Code Protection b
03.14.02.c Malicious Code Protection c
03.14.02.c.01 Malicious Code Protection c.01
03.14.02.c.02 Malicious Code Protection c.02
03.14.03 Security Alerts, Advisories, and Directives
03.14.03.a Security Alerts, Advisories, and Directives a
03.14.03.b Security Alerts, Advisories, and Directives b
03.14.04 System Monitoring
03.14.05 Advanced Email Protections
03.14.06 Spam and Spyware Protection
03.14.06.a Spam and Spyware Protection a
03.14.06.a.01 Spam and Spyware Protection a.01
03.14.06.a.02 Spam and Spyware Protection a.02
03.14.06.b Spam and Spyware Protection b
03.14.06.c Spam and Spyware Protection c
03.14.07 Sandboxing
03.14.08 Information Management and Retention
03.15 — Planning (20 requirements)
03.15.01 Policy and Procedures
03.15.01.a Policy and Procedures a
03.15.01.b Policy and Procedures b
03.15.02 System Security Plan
03.15.02.a System Security Plan a
03.15.02.a.01 System Security Plan a.01
03.15.02.a.02 System Security Plan a.02
03.15.02.a.03 System Security Plan a.03
03.15.02.a.04 System Security Plan a.04
03.15.02.a.05 System Security Plan a.05
03.15.02.a.06 System Security Plan a.06
03.15.02.a.07 System Security Plan a.07
03.15.02.a.08 System Security Plan a.08
03.15.02.b System Security Plan b
03.15.02.c System Security Plan c
03.15.03 Rules of Behavior
03.15.03.a Rules of Behavior a
03.15.03.b Rules of Behavior b
03.15.03.c Rules of Behavior c
03.15.03.d Rules of Behavior d
03.16 — System and Services Acquisition (8 requirements)
03.17 — Supply Chain Risk Management (8 requirements)
03.17.01 Supply Chain Risk Management Plan
03.17.01.a Supply Chain Risk Management Plan a
03.17.01.b Supply Chain Risk Management Plan b
03.17.01.c Supply Chain Risk Management Plan c
03.17.02 Acquisition Strategies, Tools, and Methods
03.17.03 Supply Chain Requirements and Processes
03.17.03.a Supply Chain Requirements and Processes a
03.17.03.b Supply Chain Requirements and Processes b