NIST 800-171 Controlled Unclassified Information (CUI) Controls

NIST and NARA carried out specific tailoring actions to identify the controls that are needed to protect CUI. According to NIST 800-171, three criteria were used to decide which security controls or control enhancements from the NIST 800-53 rev4 moderate baseline would be considered a "CUI control" for NIST 800-171. If none of the following criteria applied, the NIST 800-53 rev4 control or control enhancement became a CUI control:

  1. The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);

  2. The control or control enhancement is not directly related to protecting the confidentiality of CUI; or

  3. The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.

Interestingly, while there are 110 CUI controls listed in Appendix D of NIST 800-171, there are 125 unique CUI controls listed in Appendix E. The reduction of 15 controls appears to come from the mapping, which removed redundancies. The 125 unique CUI controls are listed below:

Control #      NIST 800-53 CUI Control Name
PS-5           Personnel Transfer
RA-3           Risk Assessment
RA-5           Vulnerability Scanning
RA-5(5)        Vulnerability Scanning | Privileged Access
SA-8           Security Engineering Principles
SC-2           Application Partitioning
SC-4           Information in Shared Resources
SC-7           Boundary Protection
SC-7(5)        Boundary Protection | Deny by Default / Allow by Exception
SC-7(7)        Boundary Protection | Prevent Split Tunneling for Remote Devices
SC-8           Transmission Confidentiality and Integrity
SC-8(1)        Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
SC-10          Network Disconnect
SC-12          Cryptographic Key Establishment and Management
SC-13          Cryptographic Protection
SC-15          Collaborative Computing Devices
SC-18          Mobile Code
SC-19          Voice over Internet Protocol
SC-23          Session Authenticity
SC-28          Protection of Information at Rest
SI-2           Flaw Remediation
SI-3           Malicious Code Protection
SI-4           Information System Monitoring
SI-4(4)        Information System Monitoring | Inbound and Outbound Communications Traffic
SI-5           Security Alerts, Advisories, and Directives
CM-4           Security Impact Analysis
CM-5           Access Restrictions for Change
CM-6           Configuration Settings
CM-7           Least Functionality
CM-7(1)        Least Functionality | Periodic Review
CM-7(2)        Least Functionality | Prevent Program Execution
CM-7(4)(5)     Least Functionality | Unauthorized or Authorized Software / Blacklisting or Whitelisting
CM-8           Information System Component Inventory
CM-8(1)        Information System Component Inventory | Updates During Installations / Removals
CM-11          User-Installed Software
CP-9           Information System Backup
IA-2           Identification and Authentication (Organizational Users)
IA-2(1)        Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts
IA-2(2)        Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts
IA-2(3)        Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
IA-2(8)        Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant
IA-2(9)        Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts - Replay Resistant
IA-3           Device Identification and Authentication
IA-4           Identifier Management
IA-5           Authenticator Management
IA-5(1)        Authenticator Management | Password-Based Authentication
IA-6           Authenticator Feedback
IR-2           Incident Response Training
IR-3           Incident Response Testing
IR-4           Incident Handling
IR-5           Incident Monitoring
IR-6           Incident Reporting
IR-7           Incident Response Assistance
MA-2           Controlled Maintenance
MA-3           Maintenance Tools
MA-3(1)        Maintenance Tools | Inspect Tools
MA-3(2)        Maintenance Tools | Inspect Media
MA-4           Nonlocal Maintenance
MA-5           Maintenance Personnel
MP-2           Media Access
MP-3           Media Marking
MP-4           Media Storage
MP-5           Media Transport
MP-5(4)        Media Transport | Cryptographic Protection
MP-6           Media Sanitization
MP-7           Media Use
MP-7(1)        Media Use | Prohibit Use Without Owner
PE-2           Physical Access Authorizations
PE-3           Physical Access Control
PE-4           Access Control for Transmission Medium
PE-5           Access Control for Output Devices
PE-6           Monitoring Physical Access
PE-17          Alternate Work Site
PS-3           Personnel Screening
PS-4           Personnel Termination
AC-2           Account Management
AC-3           Access Enforcement
AC-4           Information Flow Enforcement
AC-5           Separation of Duties
AC-6           Least Privilege
AC-6(1)        Least Privilege | Authorize Access to Security Functions
AC-6(2)        Least Privilege | Non-Privileged Access for Non-Security Functions
AC-6(5)        Least Privilege | Privileged Accounts
AC-6(9)        Least Privilege | Auditing Use of Privileged Functions
AC-6(10)       Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions
AC-7           Unsuccessful Logon Attempts
AC-8           System Use Notification
AC-11          Session Lock
AC-11(1)       Session Lock | Pattern-Hiding Displays
AC-12          Session Termination
AC-17          Remote Access
AC-17(1)       Remote Access | Automated Monitoring / Control
AC-17(2)       Remote Access | Protection of Confidentiality / Integrity Using Encryption
AC-17(3)       Remote Access | Managed Access Control Points
AC-17(4)       Remote Access | Privileged Commands / Access
AC-18          Wireless Access
AC-18(1)       Wireless Access | Authentication and Encryption
AC-19          Access Control for Mobile Devices
AC-19(5)       Access Control for Mobile Devices | Full Device / Container-Based Encryption
AC-20          Use of External Information Systems
AC-20(1)       Use of External Information Systems | Limits on Authorized Use
AC-20(2)       Use of External Information Systems | Portable Storage Devices
AC-22          Publicly Accessible Content
AT-2           Security Awareness Training
AT-2(2)        Security Awareness Training | Insider Threat
AT-3           Role-Based Security Training
AU-2           Audit Events
AU-2(3)        Audit Events | Reviews and Updates
AU-3           Content of Audit Records
AU-3(1)        Content of Audit Records | Additional Audit Information
AU-5           Response to Audit Processing Failures
AU-6           Audit Review, Analysis, and Reporting
AU-6(3)        Audit Review, Analysis, and Reporting | Correlate Audit Repositories
AU-7           Audit Reduction and Report Generation
AU-8           Time Stamps
AU-8(1)        Time Stamps | Synchronization with Authoritative Time Source
AU-9           Protection of Audit Information
AU-9(4)        Protection of Audit Information | Access By Subset of Privileged Users
AU-11          Audit Record Retention
AU-12          Audit Generation
CA-2           Security Assessments
CA-5           Plan of Action and Milestones
CA-7           Continuous Monitoring
CM-2           Baseline Configuration
CM-3           Configuration Change Control