
NIST SP 800-171A Rev 2

Assessing CUI Security Requirements

Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.

3.1 Access Control (92 requirements)

3.1.1 Limit System Access Assessment
3.1.1[a] Limit System Access Assessment [a]
3.1.1[b] Limit System Access Assessment [b]
3.1.1[c] Limit System Access Assessment [c]
3.1.1[d] Limit System Access Assessment [d]
3.1.1[e] Limit System Access Assessment [e]
3.1.1[f] Limit System Access Assessment [f]
3.1.2 Limit Transaction and Function Access Assessment
3.1.2[a] Limit Transaction and Function Access Assessment [a]
3.1.2[b] Limit Transaction and Function Access Assessment [b]
3.1.3 Control CUI Flow Assessment
3.1.3[a] Control CUI Flow Assessment [a]
3.1.3[b] Control CUI Flow Assessment [b]
3.1.3[c] Control CUI Flow Assessment [c]
3.1.3[d] Control CUI Flow Assessment [d]
3.1.3[e] Control CUI Flow Assessment [e]
3.1.4 Separation of Duties Assessment
3.1.4[a] Separation of Duties Assessment [a]
3.1.4[b] Separation of Duties Assessment [b]
3.1.4[c] Separation of Duties Assessment [c]
3.1.5 Least Privilege Assessment
3.1.5[a] Least Privilege Assessment [a]
3.1.5[b] Least Privilege Assessment [b]
3.1.5[c] Least Privilege Assessment [c]
3.1.5[d] Least Privilege Assessment [d]
3.1.6 Use Non-Privileged Accounts Assessment
3.1.6[a] Use Non-Privileged Accounts Assessment [a]
3.1.6[b] Use Non-Privileged Accounts Assessment [b]
3.1.7 Prevent Non-Privileged Users from Executing Privileged Functions Assessment
3.1.7[a] Prevent Non-Privileged Users from Executing Privileged Functions Assessment [a]
3.1.7[b] Prevent Non-Privileged Users from Executing Privileged Functions Assessment [b]
3.1.7[c] Prevent Non-Privileged Users from Executing Privileged Functions Assessment [c]
3.1.7[d] Prevent Non-Privileged Users from Executing Privileged Functions Assessment [d]
3.1.8 Limit Unsuccessful Logon Attempts Assessment
3.1.8[a] Limit Unsuccessful Logon Attempts Assessment [a]
3.1.8[b] Limit Unsuccessful Logon Attempts Assessment [b]
3.1.9 Privacy and Security Notices Assessment
3.1.9[a] Privacy and Security Notices Assessment [a]
3.1.9[b] Privacy and Security Notices Assessment [b]
3.1.10 Session Lock Assessment
3.1.10[a] Session Lock Assessment [a]
3.1.10[b] Session Lock Assessment [b]
3.1.10[c] Session Lock Assessment [c]
3.1.11 Session Termination Assessment
3.1.11[a] Session Termination Assessment [a]
3.1.11[b] Session Termination Assessment [b]
3.1.12 Control Remote Access Assessment
3.1.12[a] Control Remote Access Assessment [a]
3.1.12[b] Control Remote Access Assessment [b]
3.1.12[c] Control Remote Access Assessment [c]
3.1.12[d] Control Remote Access Assessment [d]
3.1.13 Route Remote Access via Managed Access Control Points Assessment
3.1.13[a] Route Remote Access via Managed Access Control Points Assessment [a]
3.1.13[b] Route Remote Access via Managed Access Control Points Assessment [b]
3.1.14 Limit Remote Access via Managed Access Control Points Assessment
3.1.14[a] Limit Remote Access via Managed Access Control Points Assessment [a]
3.1.14[b] Limit Remote Access via Managed Access Control Points Assessment [b]
3.1.15 Authorize Remote Execution Assessment
3.1.15[a] Authorize Remote Execution Assessment [a]
3.1.15[b] Authorize Remote Execution Assessment [b]
3.1.15[c] Authorize Remote Execution Assessment [c]
3.1.15[d] Authorize Remote Execution Assessment [d]
3.1.16 Authorize Wireless Access Assessment
3.1.16[a] Authorize Wireless Access Assessment [a]
3.1.16[b] Authorize Wireless Access Assessment [b]
3.1.17 Protect Wireless Access Assessment
3.1.17[a] Protect Wireless Access Assessment [a]
3.1.17[b] Protect Wireless Access Assessment [b]
3.1.18 Control Connection of Mobile Devices Assessment
3.1.18[a] Control Connection of Mobile Devices Assessment [a]
3.1.18[b] Control Connection of Mobile Devices Assessment [b]
3.1.18[c] Control Connection of Mobile Devices Assessment [c]
3.1.19 Encrypt CUI on Mobile Devices Assessment
3.1.19[a] Encrypt CUI on Mobile Devices Assessment [a]
3.1.19[b] Encrypt CUI on Mobile Devices Assessment [b]
3.1.20 Verify External Connections Assessment
3.1.20[a] Verify External Connections Assessment [a]
3.1.20[b] Verify External Connections Assessment [b]
3.1.20[c] Verify External Connections Assessment [c]
3.1.20[d] Verify External Connections Assessment [d]
3.1.20[e] Verify External Connections Assessment [e]
3.1.20[f] Verify External Connections Assessment [f]
3.1.21 Limit Use of Portable Storage Devices Assessment
3.1.21[a] Limit Use of Portable Storage Devices Assessment [a]
3.1.21[b] Limit Use of Portable Storage Devices Assessment [b]
3.1.21[c] Limit Use of Portable Storage Devices Assessment [c]
3.1.22 Control Publicly Accessible Content Assessment
3.1.22[a] Control Publicly Accessible Content Assessment [a]
3.1.22[b] Control Publicly Accessible Content Assessment [b]
3.1.22[c] Control Publicly Accessible Content Assessment [c]
3.1.22[d] Control Publicly Accessible Content Assessment [d]
3.1.22[e] Control Publicly Accessible Content Assessment [e]

3.3 Audit and Accountability (38 requirements)

3.3.1 System Auditing Assessment
3.3.1[a] System Auditing Assessment [a]
3.3.1[b] System Auditing Assessment [b]
3.3.1[c] System Auditing Assessment [c]
3.3.1[d] System Auditing Assessment [d]
3.3.1[e] System Auditing Assessment [e]
3.3.1[f] System Auditing Assessment [f]
3.3.2 User Accountability Assessment
3.3.2[a] User Accountability Assessment [a]
3.3.2[b] User Accountability Assessment [b]
3.3.3 Event Review Assessment
3.3.3[a] Event Review Assessment [a]
3.3.3[b] Event Review Assessment [b]
3.3.3[c] Event Review Assessment [c]
3.3.4 Audit Failure Alerting Assessment
3.3.4[a] Audit Failure Alerting Assessment [a]
3.3.4[b] Audit Failure Alerting Assessment [b]
3.3.4[c] Audit Failure Alerting Assessment [c]
3.3.5 Audit Correlation Assessment
3.3.5[a] Audit Correlation Assessment [a]
3.3.5[b] Audit Correlation Assessment [b]
3.3.6 Audit Reduction and Reporting Assessment
3.3.6[a] Audit Reduction and Reporting Assessment [a]
3.3.6[b] Audit Reduction and Reporting Assessment [b]
3.3.7 Authoritative Time Source Assessment
3.3.7[a] Authoritative Time Source Assessment [a]
3.3.7[b] Authoritative Time Source Assessment [b]
3.3.7[c] Authoritative Time Source Assessment [c]
3.3.8 Audit Record Protection Assessment
3.3.8[a] Audit Record Protection Assessment [a]
3.3.8[b] Audit Record Protection Assessment [b]
3.3.8[c] Audit Record Protection Assessment [c]
3.3.8[d] Audit Record Protection Assessment [d]
3.3.8[e] Audit Record Protection Assessment [e]
3.3.8[f] Audit Record Protection Assessment [f]
3.3.9 Audit Management Assessment
3.3.9[a] Audit Management Assessment [a]
3.3.9[b] Audit Management Assessment [b]

3.4 Configuration Management (52 requirements)

3.4.1 Baseline Configurations Assessment
3.4.1[a] Baseline Configurations Assessment [a]
3.4.1[b] Baseline Configurations Assessment [b]
3.4.1[c] Baseline Configurations Assessment [c]
3.4.1[d] Baseline Configurations Assessment [d]
3.4.1[e] Baseline Configurations Assessment [e]
3.4.1[f] Baseline Configurations Assessment [f]
3.4.2 Security Configuration Settings Assessment
3.4.2[a] Security Configuration Settings Assessment [a]
3.4.2[b] Security Configuration Settings Assessment [b]
3.4.3 System Change Management Assessment
3.4.3[a] System Change Management Assessment [a]
3.4.3[b] System Change Management Assessment [b]
3.4.3[c] System Change Management Assessment [c]
3.4.3[d] System Change Management Assessment [d]
3.4.4 Security Impact Analysis Assessment
3.4.5 Access Restrictions for Change Assessment
3.4.5[a] Access Restrictions for Change Assessment [a]
3.4.5[b] Access Restrictions for Change Assessment [b]
3.4.5[c] Access Restrictions for Change Assessment [c]
3.4.5[d] Access Restrictions for Change Assessment [d]
3.4.5[e] Access Restrictions for Change Assessment [e]
3.4.5[f] Access Restrictions for Change Assessment [f]
3.4.5[g] Access Restrictions for Change Assessment [g]
3.4.5[h] Access Restrictions for Change Assessment [h]
3.4.6 Least Functionality Assessment
3.4.6[a] Least Functionality Assessment [a]
3.4.6[b] Least Functionality Assessment [b]
3.4.7 Nonessential Functionality Assessment
3.4.7[a] Nonessential Functionality Assessment [a]
3.4.7[b] Nonessential Functionality Assessment [b]
3.4.7[c] Nonessential Functionality Assessment [c]
3.4.7[d] Nonessential Functionality Assessment [d]
3.4.7[e] Nonessential Functionality Assessment [e]
3.4.7[f] Nonessential Functionality Assessment [f]
3.4.7[g] Nonessential Functionality Assessment [g]
3.4.7[h] Nonessential Functionality Assessment [h]
3.4.7[i] Nonessential Functionality Assessment [i]
3.4.7[j] Nonessential Functionality Assessment [j]
3.4.7[k] Nonessential Functionality Assessment [k]
3.4.7[l] Nonessential Functionality Assessment [l]
3.4.7[m] Nonessential Functionality Assessment [m]
3.4.7[n] Nonessential Functionality Assessment [n]
3.4.7[o] Nonessential Functionality Assessment [o]
3.4.8 Application Execution Policy Assessment
3.4.8[a] Application Execution Policy Assessment [a]
3.4.8[b] Application Execution Policy Assessment [b]
3.4.8[c] Application Execution Policy Assessment [c]
3.4.9 User-Installed Software Assessment
3.4.9[a] User-Installed Software Assessment [a]
3.4.9[b] User-Installed Software Assessment [b]
3.4.9[c] User-Installed Software Assessment [c]

3.5 Identification and Authentication (33 requirements)

3.13 System and Communications Protection (52 requirements)

3.13.1 Boundary Protection Assessment
3.13.1[a] Boundary Protection Assessment [a]
3.13.1[b] Boundary Protection Assessment [b]
3.13.1[c] Boundary Protection Assessment [c]
3.13.1[d] Boundary Protection Assessment [d]
3.13.1[e] Boundary Protection Assessment [e]
3.13.1[f] Boundary Protection Assessment [f]
3.13.1[g] Boundary Protection Assessment [g]
3.13.1[h] Boundary Protection Assessment [h]
3.13.2 Architectural Design Assessment
3.13.2[a] Architectural Design Assessment [a]
3.13.2[b] Architectural Design Assessment [b]
3.13.2[c] Architectural Design Assessment [c]
3.13.2[d] Architectural Design Assessment [d]
3.13.2[e] Architectural Design Assessment [e]
3.13.2[f] Architectural Design Assessment [f]
3.13.3 Role Separation Assessment
3.13.3[a] Role Separation Assessment [a]
3.13.3[b] Role Separation Assessment [b]
3.13.3[c] Role Separation Assessment [c]
3.13.4 Shared Resource Control Assessment
3.13.5 Public Access System Protection Assessment
3.13.5[a] Public Access System Protection Assessment [a]
3.13.5[b] Public Access System Protection Assessment [b]
3.13.6 Network Communication by Exception Assessment
3.13.6[a] Network Communication by Exception Assessment [a]
3.13.6[b] Network Communication by Exception Assessment [b]
3.13.7 Split Tunneling Assessment
3.13.8 Cryptographic Mechanisms for CUI Assessment
3.13.8[a] Cryptographic Mechanisms for CUI Assessment [a]
3.13.8[b] Cryptographic Mechanisms for CUI Assessment [b]
3.13.8[c] Cryptographic Mechanisms for CUI Assessment [c]
3.13.9 Network Connections Termination Assessment
3.13.9[a] Network Connections Termination Assessment [a]
3.13.9[b] Network Connections Termination Assessment [b]
3.13.9[c] Network Connections Termination Assessment [c]
3.13.10 Cryptographic Key Management Assessment
3.13.10[a] Cryptographic Key Management Assessment [a]
3.13.10[b] Cryptographic Key Management Assessment [b]
3.13.11 CUI Encryption Assessment
3.13.12 Collaborative Computing Device Control Assessment
3.13.12[a] Collaborative Computing Device Control Assessment [a]
3.13.12[b] Collaborative Computing Device Control Assessment [b]
3.13.12[c] Collaborative Computing Device Control Assessment [c]
3.13.13 Mobile Code Control Assessment
3.13.13[a] Mobile Code Control Assessment [a]
3.13.13[b] Mobile Code Control Assessment [b]
3.13.14 Voice over Internet Protocol Assessment
3.13.14[a] Voice over Internet Protocol Assessment [a]
3.13.14[b] Voice over Internet Protocol Assessment [b]
3.13.15 Communications Authenticity Assessment
3.13.16 Data at Rest Protection Assessment