NIST 800-171 Controlled Unclassified Information (CUI) Controls
NIST and NARA carried out specific tailoring actions to identify the controls that are needed to protect CUI. According to NIST SP 800-171, three criteria were used to determine which security controls or control enhancements from the NIST SP 800-53 rev4 moderate baseline would be considered a "CUI control" for NIST SP 800-171. If none of the following criteria applied, the NIST SP 800-53 rev4/rev5 control or control enhancement became a CUI control:
- The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);
- The control or control enhancement is not directly related to protecting the confidentiality of CUI; or
- The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.
Interestingly, while there are 110 CUI controls listed in Appendix D of NIST SP 800-171, there are 125 unique CUI controls listed in Appendix E. The reduction of 15 controls appears to come from the mapping, which removed redundancies. The 125 unique CUI controls are listed below:
Control # | NIST 800-53 CUI Control Name | Control Enhancement Name |
---|---|---|
PS-5 | Personnel Transfer |
RA-3 | Risk Assessment |
RA-5 | Vulnerability Scanning |
RA-5(5) | Vulnerability Scanning | Privileged Access |
SA-8 | Security Engineering Principles |
SC-2 | Application Partitioning |
SC-4 | Information in Shared Resources |
SC-7 | Boundary Protection |
SC-7(5) | Boundary Protection | Deny by Default / Allow by Exception |
SC-7(7) | Boundary Protection | Prevent Split Tunneling for Remote Devices |
SC-8 | Transmission Confidentiality and Integrity |
SC-8(1) | Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection |
SC-10 | Network Disconnect |
SC-12 | Cryptographic Key Establishment and Management |
SC-13 | Cryptographic Protection |
SC-15 | Collaborative Computing Devices |
SC-18 | Mobile Code |
SC-19 | Voice over Internet Protocol |
SC-23 | Session Authenticity |
SC-28 | Protection of Information at Rest |
SI-2 | Flaw Remediation |
SI-3 | Malicious Code Protection |
SI-4 | Information System Monitoring |
SI-4(4) | Information System Monitoring | Inbound and Outbound Communications Traffic |
SI-5 | Security Alerts, Advisories, and Directives |
CM-4 | Security Impact Analysis |
CM-5 | Access Restrictions for Change |
CM-6 | Configuration Settings |
CM-7 | Least Functionality |
CM-7(1) | Least Functionality | Periodic Review |
CM-7(2) | Least Functionality | Prevent Program Execution |
CM-7(4)(5) | Least Functionality | Unauthorized or Authorized Software / Blacklisting or Whitelisting |
CM-8 | Information System Component Inventory |
CM-8(1) | Information System Component Inventory | Updates During Installations / Removals |
CM-11 | User-Installed Software |
CP-9 | Information System Backup |
IA-2 | Identification and Authentication (Organizational Users) |
IA-2(1) | Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts |
IA-2(2) | Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts |
IA-2(3) | Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts |
IA-2(8) | Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant |
IA-2(9) | Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts - Replay Resistant |
IA-3 | Device Identification and Authentication |
IA-4 | Identifier Management |
IA-5 | Authenticator Management |
IA-5(1) | Authenticator Management | Password-Based Authentication |
IA-6 | Authenticator Feedback |
IR-2 | Incident Response Training |
IR-3 | Incident Response Testing |
IR-4 | Incident Handling |
IR-5 | Incident Monitoring |
IR-6 | Incident Reporting |
IR-7 | Incident Response Assistance |
MA-2 | Controlled Maintenance |
MA-3 | Maintenance Tools |
MA-3(1) | Maintenance Tools | Inspect Tools |
MA-3(2) | Maintenance Tools | Inspect Media |
MA-4 | Nonlocal Maintenance |
MA-5 | Maintenance Personnel |
MP-2 | Media Access |
MP-3 | Media Marking |
MP-4 | Media Storage |
MP-5 | Media Transport |
MP-5(4) | Media Transport | Cryptographic Protection |
MP-6 | Media Sanitization |
MP-7 | Media Use |
MP-7(1) | Media Use | Prohibit Use Without Owner |
PE-2 | Physical Access Authorizations |
PE-3 | Physical Access Control |
PE-4 | Access Control for Transmission Medium |
PE-5 | Access Control for Output Devices |
PE-6 | Monitoring Physical Access |
PE-17 | Alternate Work Site |
PS-3 | Personnel Screening |
PS-4 | Personnel Termination |
AC-2 | Account Management |
AC-3 | Access Enforcement |
AC-4 | Information Flow Enforcement |
AC-5 | Separation of Duties |
AC-6 | Least Privilege |
AC-6(1) | Least Privilege | Authorize Access to Security Functions |
AC-6(2) | Least Privilege | Non-Privileged Access for Non-Security Functions |
AC-6(5) | Least Privilege | Privileged Accounts |
AC-6(9) | Least Privilege | Auditing Use of Privileged Functions |
AC-6(10) | Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions |
AC-7 | Unsuccessful Logon Attempts |
AC-8 | System Use Notification |
AC-11 | Session Lock |
AC-11(1) | Session Lock | Pattern-Hiding Displays |
AC-12 | Session Termination |
AC-17 | Remote Access |
AC-17(1) | Remote Access | Automated Monitoring / Control |
AC-17(2) | Remote Access | Protection of Confidentiality / Integrity Using Encryption |
AC-17(3) | Remote Access | Managed Access Control Points |
AC-17(4) | Remote Access | Privileged Commands / Access |
AC-18 | Wireless Access |
AC-18(1) | Wireless Access | Authentication and Encryption |
AC-19 | Access Control for Mobile Devices |
AC-19(5) | Access Control for Mobile Devices | Full Device / Container-Based Encryption |
AC-20 | Use of External Information Systems |
AC-20(1) | Use of External Information Systems | Limits on Authorized Use |
AC-20(2) | Use of External Information Systems | Portable Storage Devices |
AC-22 | Publicly Accessible Content |
AT-2 | Security Awareness Training |
AT-2(2) | Security Awareness Training | Insider Threat |
AT-3 | Role-Based Security Training |
AU-2 | Audit Events |
AU-2(3) | Audit Events | Reviews and Updates |
AU-3 | Content of Audit Records |
AU-3(1) | Content of Audit Records | Additional Audit Information |
AU-5 | Response to Audit Processing Failures |
AU-6 | Audit Review, Analysis, and Reporting |
AU-6(3) | Audit Review, Analysis, and Reporting | Correlate Audit Repositories |
AU-7 | Audit Reduction and Report Generation |
AU-8 | Time Stamps |
AU-8(1) | Time Stamps | Synchronization with Authoritative Time Source |
AU-9 | Protection of Audit Information |
AU-9(4) | Protection of Audit Information | Access By Subset of Privileged Users |
AU-11 | Audit Record Retention |
AU-12 | Audit Generation |
CA-2 | Security Assessments |
CA-5 | Plan of Action and Milestones |
CA-7 | Continuous Monitoring |
CM-2 | Baseline Configuration |
CM-3 | Configuration Change Control |