NIST SP 800-171 Rev 3

United States

34 domains

194 controls

NIST SP 800-171 Rev 3 (May 2024). Restructured requirements for CUI protection. Note CMMC 2.0 still references Rev 2.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (34)

03.01 AC (Access Control)

16 controls

Controls in the 03.01 AC (Access Control) domain of NIST SP 800-171 Rev 3 — 16 controls
Code	Title	Description
03.01.01	Account Management	Define, establish, modify, disable, and remove account types; assign managers; specify membership conditions; authorize...
03.01.02	Access Enforcement	Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access cont...
03.01.03	Information Flow Enforcement	Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems.
03.01.04	Separation of Duties	Identify duties that require separation; define system access authorizations to support separation of duties.
03.01.05	Least Privilege	Allow only authorized access necessary to accomplish assigned tasks; review privileges periodically; reassign or remove...
03.01.06	Least Privilege - Privileged Accounts	Restrict privileged accounts to designated personnel; require non-privileged accounts for non-security functions.
03.01.07	Least Privilege - Privileged Functions	Prevent non-privileged users from executing privileged functions; log execution of privileged functions.
03.01.08	Unsuccessful Logon Attempts	Enforce a limit of consecutive invalid logon attempts and lock the account/node for a defined period.
03.01.09	System Use Notification	Display a system use notification/banner before granting access, per organization-defined conditions.
03.01.10	Device Lock	Prevent further access by initiating device lock after defined inactivity or upon user request; require re-authenticatio...
03.01.11	Session Termination	Terminate user sessions automatically after defined conditions or trigger events.
03.01.12	Remote Access	Establish usage restrictions, configuration requirements, and authorize remote access; route remote access via managed a...
03.01.16	Wireless Access	Establish usage restrictions, configuration requirements, and authorize wireless access; protect with authentication and...
03.01.18	Access Control for Mobile Devices	Establish configuration requirements, connection requirements, and implementation guidance for mobile devices; encrypt C...
03.01.20	Use of External Systems	Establish terms and conditions for use of external systems; restrict use of organizationally controlled storage devices...
03.01.22	Publicly Accessible Content	Designate individuals authorized to make information publicly accessible; train them; review content for CUI prior to po...

03.02 AT (Awareness and Training)

2 controls

Controls in the 03.02 AT (Awareness and Training) domain of NIST SP 800-171 Rev 3 — 2 controls
Code	Title	Description
03.02.01	Literacy Training and Awareness	Provide security literacy training to system users initially, annually, and after defined events; include insider threat...
03.02.02	Role-Based Training	Provide role-based security training to personnel with assigned security roles before authorizing access, when required...

03.03 AU (Audit and Accountability)

8 controls

Controls in the 03.03 AU (Audit and Accountability) domain of NIST SP 800-171 Rev 3 — 8 controls
Code	Title	Description
03.03.01	Event Logging	Specify event types to be logged; coordinate logging across system components; review event types periodically.
03.03.02	Audit Record Content	Ensure audit records contain information needed to determine what occurred, when, where, source, outcome, and identity o...
03.03.03	Audit Record Generation	Generate audit records for selected event types; retain in accordance with retention requirements.
03.03.04	Response to Audit Logging Process Failures	Alert defined personnel on audit logging process failures; take defined actions when failures occur.
03.03.05	Audit Record Review, Analysis, and Reporting	Review and analyze audit records at defined frequency for indicators of inappropriate or unusual activity; report findin...
03.03.06	Audit Record Reduction and Report Generation	Provide audit record reduction and report generation capability supporting on-demand review, analysis, reporting, and af...
03.03.07	Time Stamps	Use internal system clocks to generate time stamps for audit records; synchronize to authoritative time source.
03.03.08	Protection of Audit Information	Protect audit information and audit logging tools from unauthorized access, modification, and deletion; authorize access...

03.04 CM (Configuration Management)

10 controls

Controls in the 03.04 CM (Configuration Management) domain of NIST SP 800-171 Rev 3 — 10 controls
Code	Title	Description
03.04.01	Baseline Configuration	Develop, document, and maintain current baseline configurations for the system; review and update baselines as required.
03.04.02	Configuration Settings	Establish, document, and implement configuration settings that reflect the most restrictive mode consistent with operati...
03.04.03	Configuration Change Control	Define and document types of changes that require configuration change control; review proposed changes; approve or disa...
03.04.04	Impact Analyses	Analyze security impact of changes prior to implementation; test, validate, and document changes before deployment.
03.04.05	Access Restrictions for Change	Define, document, approve, and enforce physical and logical access restrictions associated with system changes.
03.04.06	Least Functionality	Configure system to provide only essential capabilities; prohibit or restrict use of specified functions, ports, protoco...
03.04.08	Authorized Software - Allow by Exception	Identify software authorized to execute; implement deny-all, allow-by-exception policy; review and update list periodica...
03.04.10	System Component Inventory	Develop and document an inventory of system components that reflects the current system; review and update inventory per...
03.04.11	Information Location	Identify and document the location of CUI and the system components on which it is processed and stored.
03.04.12	System and Component Configuration for High-Risk Areas	Issue specifically configured systems to individuals traveling to high-risk locations; apply additional safeguards on re...

03.05 IA (Identification and Authentication)

8 controls

Controls in the 03.05 IA (Identification and Authentication) domain of NIST SP 800-171 Rev 3 — 8 controls
Code	Title	Description
03.05.01	User Identification and Authentication	Uniquely identify and authenticate system users and associate that unique identification with processes acting on behalf...
03.05.02	Device Identification and Authentication	Uniquely identify and authenticate devices before establishing a connection.
03.05.03	Multi-Factor Authentication	Implement MFA for access to privileged accounts and for access to non-privileged accounts.
03.05.04	Replay-Resistant Authentication	Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.
03.05.05	Identifier Management	Manage system identifiers by receiving authorization, selecting an identifier, assigning to intended individual/group/ro...
03.05.07	Password Management	Maintain a list of commonly used, expected, or compromised passwords; verify passwords against the list; transmit passwo...
03.05.11	Authentication Feedback	Obscure feedback of authentication information during authentication.
03.05.12	Authenticator Management	Manage authenticators by verifying identity of receiver, establishing initial content, ensuring adequate strength, secur...

03.06 IR (Incident Response)

5 controls

Controls in the 03.06 IR (Incident Response) domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.06.01	Incident Handling	Implement incident handling capability including preparation, detection and analysis, containment, eradication, recovery...
03.06.02	Incident Monitoring, Reporting, and Response Assistance	Track and document incidents; report incidents to designated personnel and authorities within required timeframes; provi...
03.06.03	Incident Response Testing	Test the incident response capability for the system using defined tests at defined frequency to determine effectiveness...
03.06.04	Incident Response Training	Train personnel in their incident response roles and responsibilities; provide refresher training annually and when chan...
03.06.05	Incident Response Plan	Develop, distribute, review, and update the IR plan; protect from unauthorized disclosure; address CUI compromise report...

03.07 MA (Maintenance)

3 controls

Controls in the 03.07 MA (Maintenance) domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.07.04	Maintenance Tools	Approve, control, and monitor the use of system maintenance tools; check media containing diagnostic and test programs f...
03.07.05	Nonlocal Maintenance	Approve and monitor nonlocal maintenance and diagnostic activities; require MFA for nonlocal maintenance sessions; termi...
03.07.06	Maintenance Personnel	Establish a process for maintenance personnel authorization; supervise maintenance activities of personnel without requi...

03.08 MP (Media Protection)

7 controls

Controls in the 03.08 MP (Media Protection) domain of NIST SP 800-171 Rev 3 — 7 controls
Code	Title	Description
03.08.01	Media Storage	Physically control and securely store digital and non-digital media containing CUI.
03.08.02	Media Access	Restrict access to CUI on system media to authorized personnel or roles.
03.08.03	Media Sanitization	Sanitize or destroy system media containing CUI before disposal, release, or reuse; verify sanitization actions.
03.08.04	Media Marking	Mark system media containing CUI with applicable distribution limitations and handling caveats.
03.08.05	Media Transport	Protect and control system media during transport outside controlled areas; maintain accountability; document activities...
03.08.07	Media Use	Restrict or prohibit the use of types of system media on systems or system components; prohibit use of removable media w...
03.08.09	System Backup - Cryptographic Protection	Protect the confidentiality of backup CUI at storage locations using cryptographic mechanisms.

03.09 PS (Personnel Security)

2 controls

Controls in the 03.09 PS (Personnel Security) domain of NIST SP 800-171 Rev 3 — 2 controls
Code	Title	Description
03.09.01	Personnel Screening	Screen individuals prior to authorizing access to the system and CUI; rescreen at defined frequency.
03.09.02	Personnel Termination and Transfer	Upon termination or transfer, disable access, revoke authenticators/credentials, conduct exit interviews including CUI h...

03.10 PE (Physical Protection)

5 controls

Controls in the 03.10 PE (Physical Protection) domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.10.01	Physical Access Authorizations	Develop, approve, and maintain list of individuals with authorized access to facility where CUI resides; issue credentia...
03.10.02	Monitoring Physical Access	Monitor physical access to the facility where the system resides; review logs of physical access; coordinate review with...
03.10.06	Alternate Work Site	Determine and document alternate work sites allowed; employ controls at alternate work sites; assess feasibility of cont...
03.10.07	Physical Access Control	Enforce physical access authorizations at entry/exit points; maintain visitor logs; control access to keys, combinations...
03.10.08	Access Control for Transmission	Control physical access to system distribution and transmission lines within facilities.

03.11 RA (Risk Assessment)

3 controls

Controls in the 03.11 RA (Risk Assessment) domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.11.01	Risk Assessment	Conduct risk assessments including likelihood and impact of unauthorized access, use, disclosure, disruption, modificati...
03.11.02	Vulnerability Monitoring and Scanning	Monitor and scan for vulnerabilities at defined frequency and when new vulnerabilities are identified; remediate based o...
03.11.04	Risk Response	Respond to findings from risk assessments, security assessments, and monitoring through accepted, transferred, mitigated...

03.12 CA (Security Assessment and Monitoring)

4 controls

Controls in the 03.12 CA (Security Assessment and Monitoring) domain of NIST SP 800-171 Rev 3 — 4 controls
Code	Title	Description
03.12.01	Security Assessment	Assess security requirements in the system at defined frequency to determine if controls are implemented correctly, oper...
03.12.02	Plan of Action and Milestones	Develop and update a POAM to document planned remediation actions for weaknesses identified during assessments; track to...
03.12.03	Continuous Monitoring	Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring of security require...
03.12.05	Information Exchange	Approve and manage the exchange of CUI between systems through information exchange agreements, interconnection security...

03.13 SC (System and Communications Protection)

10 controls

Controls in the 03.13 SC (System and Communications Protection) domain of NIST SP 800-171 Rev 3 — 10 controls
Code	Title	Description
03.13.01	Boundary Protection	Monitor and control communications at external boundaries and key internal boundaries of the system; implement subnetwor...
03.13.04	Information in Shared System Resources	Prevent unauthorized and unintended information transfer via shared system resources.
03.13.06	Network Communications - Deny by Default - Allow by Exception	Deny network communications traffic by default and allow network communications traffic by exception.
03.13.08	Transmission Confidentiality and Integrity	Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI and detect changes during transmission.
03.13.09	Network Disconnect	Terminate the network connection associated with a communications session at the end of the session or after a defined p...
03.13.10	Cryptographic Key Establishment and Management	Establish and manage cryptographic keys for cryptography employed in the system in accordance with key management requir...
03.13.11	Cryptographic Protection	Implement FIPS-validated or NSA-approved cryptography for protecting the confidentiality of CUI.
03.13.12	Collaborative Computing Devices and Applications	Prohibit remote activation of collaborative computing devices and applications with specified exceptions; provide indica...
03.13.13	Mobile Code	Define acceptable and unacceptable mobile code and mobile code technologies; authorize, monitor, and control use of mobi...
03.13.15	Session Authenticity	Protect the authenticity of communications sessions.

03.14 SI (System and Information Integrity)

5 controls

Controls in the 03.14 SI (System and Information Integrity) domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.14.01	Flaw Remediation	Identify, report, and correct system flaws; test software and firmware updates for effectiveness and side effects before...
03.14.02	Malicious Code Protection	Implement malicious code protection at system entry and exit points; update protection mechanisms; configure to perform...
03.14.03	Security Alerts, Advisories, and Directives	Receive system security alerts, advisories, and directives from external organizations on an ongoing basis; generate int...
03.14.06	System Monitoring	Monitor the system to detect attacks and indicators of potential attacks; identify unauthorized use of the system; deplo...
03.14.08	Information Management and Retention	Manage and retain CUI within the system and CUI output from the system in accordance with applicable laws, regulations,...

03.15 PL (Planning)

3 controls

Controls in the 03.15 PL (Planning) domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.15.01	Policy and Procedures	Develop, document, and disseminate organization-level policy and procedures for each family of security requirements; re...
03.15.02	System Security Plan	Develop, document, and maintain a system security plan describing the system boundary, environment of operation, securit...
03.15.03	Rules of Behavior	Establish and provide rules of behavior describing user responsibilities; require acknowledgment before authorizing acce...

03.16 SA (System and Services Acquisition)

3 controls

Controls in the 03.16 SA (System and Services Acquisition) domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.16.01	Security Engineering Principles	Apply security engineering principles in the specification, design, development, implementation, and modification of the...
03.16.02	Unsupported System Components	Replace system components when support for the components is no longer available; provide justification and approval for...
03.16.03	External System Services	Require providers of external system services to comply with security requirements; define and document oversight and us...

03.17 SR (Supply Chain Risk Management)

3 controls

Controls in the 03.17 SR (Supply Chain Risk Management) domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.17.01	Supply Chain Risk Management Plan	Develop a plan for managing supply chain risks associated with the development, acquisition, maintenance, and disposal o...
03.17.02	Acquisition Strategies, Tools, and Methods	Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and...
03.17.03	Supply Chain Requirements and Processes	Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes...

Access Control 03.01

16 controls

Controls in the Access Control 03.01 domain of NIST SP 800-171 Rev 3 — 16 controls
Code	Title	Description
03.01.01	Account Management	Define, establish, modify, disable, and remove account types; assign managers; specify membership conditions; authorize...
03.01.02	Access Enforcement	Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access cont...
03.01.03	Information Flow Enforcement	Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems.
03.01.04	Separation of Duties	Identify duties that require separation; define system access authorizations to support separation of duties.
03.01.05	Least Privilege	Allow only authorized access necessary to accomplish assigned tasks; review privileges periodically; reassign or remove...
03.01.06	Least Privilege - Privileged Accounts	Restrict privileged accounts to designated personnel; require non-privileged accounts for non-security functions.
03.01.07	Least Privilege - Privileged Functions	Prevent non-privileged users from executing privileged functions; log execution of privileged functions.
03.01.08	Unsuccessful Logon Attempts	Enforce a limit of consecutive invalid logon attempts and lock the account/node for a defined period.
03.01.09	System Use Notification	Display a system use notification/banner before granting access, per organization-defined conditions.
03.01.10	Device Lock	Prevent further access by initiating device lock after defined inactivity or upon user request; require re-authenticatio...
03.01.11	Session Termination	Terminate user sessions automatically after defined conditions or trigger events.
03.01.12	Remote Access	Establish usage restrictions, configuration requirements, and authorize remote access; route remote access via managed a...
03.01.16	Wireless Access	Establish usage restrictions, configuration requirements, and authorize wireless access; protect with authentication and...
03.01.18	Access Control for Mobile Devices	Establish configuration requirements, connection requirements, and implementation guidance for mobile devices; encrypt C...
03.01.20	Use of External Systems	Establish terms and conditions for use of external systems; restrict use of organizationally controlled storage devices...
03.01.22	Publicly Accessible Content	Designate individuals authorized to make information publicly accessible; train them; review content for CUI prior to po...

Audit Accountability 03.03

8 controls

Controls in the Audit Accountability 03.03 domain of NIST SP 800-171 Rev 3 — 8 controls
Code	Title	Description
03.03.01	Event Logging	Specify event types to be logged; coordinate logging across system components; review event types periodically.
03.03.02	Audit Record Content	Ensure audit records contain information needed to determine what occurred, when, where, source, outcome, and identity o...
03.03.03	Audit Record Generation	Generate audit records for selected event types; retain in accordance with retention requirements.
03.03.04	Response to Audit Logging Process Failures	Alert defined personnel on audit logging process failures; take defined actions when failures occur.
03.03.05	Audit Record Review, Analysis, and Reporting	Review and analyze audit records at defined frequency for indicators of inappropriate or unusual activity; report findin...
03.03.06	Audit Record Reduction and Report Generation	Provide audit record reduction and report generation capability supporting on-demand review, analysis, reporting, and af...
03.03.07	Time Stamps	Use internal system clocks to generate time stamps for audit records; synchronize to authoritative time source.
03.03.08	Protection of Audit Information	Protect audit information and audit logging tools from unauthorized access, modification, and deletion; authorize access...

Awareness Training 03.02

2 controls

Controls in the Awareness Training 03.02 domain of NIST SP 800-171 Rev 3 — 2 controls
Code	Title	Description
03.02.01	Literacy Training and Awareness	Provide security literacy training to system users initially, annually, and after defined events; include insider threat...
03.02.02	Role-Based Training	Provide role-based security training to personnel with assigned security roles before authorizing access, when required...

Configuration Mgmt 03.04

10 controls

Controls in the Configuration Mgmt 03.04 domain of NIST SP 800-171 Rev 3 — 10 controls
Code	Title	Description
03.04.01	Baseline Configuration	Develop, document, and maintain current baseline configurations for the system; review and update baselines as required.
03.04.02	Configuration Settings	Establish, document, and implement configuration settings that reflect the most restrictive mode consistent with operati...
03.04.03	Configuration Change Control	Define and document types of changes that require configuration change control; review proposed changes; approve or disa...
03.04.04	Impact Analyses	Analyze security impact of changes prior to implementation; test, validate, and document changes before deployment.
03.04.05	Access Restrictions for Change	Define, document, approve, and enforce physical and logical access restrictions associated with system changes.
03.04.06	Least Functionality	Configure system to provide only essential capabilities; prohibit or restrict use of specified functions, ports, protoco...
03.04.08	Authorized Software - Allow by Exception	Identify software authorized to execute; implement deny-all, allow-by-exception policy; review and update list periodica...
03.04.10	System Component Inventory	Develop and document an inventory of system components that reflects the current system; review and update inventory per...
03.04.11	Information Location	Identify and document the location of CUI and the system components on which it is processed and stored.
03.04.12	System and Component Configuration for High-Risk Areas	Issue specifically configured systems to individuals traveling to high-risk locations; apply additional safeguards on re...

Identification Authentication 03.05

8 controls

Controls in the Identification Authentication 03.05 domain of NIST SP 800-171 Rev 3 — 8 controls
Code	Title	Description
03.05.01	User Identification and Authentication	Uniquely identify and authenticate system users and associate that unique identification with processes acting on behalf...
03.05.02	Device Identification and Authentication	Uniquely identify and authenticate devices before establishing a connection.
03.05.03	Multi-Factor Authentication	Implement MFA for access to privileged accounts and for access to non-privileged accounts.
03.05.04	Replay-Resistant Authentication	Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.
03.05.05	Identifier Management	Manage system identifiers by receiving authorization, selecting an identifier, assigning to intended individual/group/ro...
03.05.07	Password Management	Maintain a list of commonly used, expected, or compromised passwords; verify passwords against the list; transmit passwo...
03.05.11	Authentication Feedback	Obscure feedback of authentication information during authentication.
03.05.12	Authenticator Management	Manage authenticators by verifying identity of receiver, establishing initial content, ensuring adequate strength, secur...

Incident Response 03.06

5 controls

Controls in the Incident Response 03.06 domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.06.01	Incident Handling	Implement incident handling capability including preparation, detection and analysis, containment, eradication, recovery...
03.06.02	Incident Monitoring, Reporting, and Response Assistance	Track and document incidents; report incidents to designated personnel and authorities within required timeframes; provi...
03.06.03	Incident Response Testing	Test the incident response capability for the system using defined tests at defined frequency to determine effectiveness...
03.06.04	Incident Response Training	Train personnel in their incident response roles and responsibilities; provide refresher training annually and when chan...
03.06.05	Incident Response Plan	Develop, distribute, review, and update the IR plan; protect from unauthorized disclosure; address CUI compromise report...

Maintenance 03.07

3 controls

Controls in the Maintenance 03.07 domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.07.04	Maintenance Tools	Approve, control, and monitor the use of system maintenance tools; check media containing diagnostic and test programs f...
03.07.05	Nonlocal Maintenance	Approve and monitor nonlocal maintenance and diagnostic activities; require MFA for nonlocal maintenance sessions; termi...
03.07.06	Maintenance Personnel	Establish a process for maintenance personnel authorization; supervise maintenance activities of personnel without requi...

Media Protection 03.08

7 controls

Controls in the Media Protection 03.08 domain of NIST SP 800-171 Rev 3 — 7 controls
Code	Title	Description
03.08.01	Media Storage	Physically control and securely store digital and non-digital media containing CUI.
03.08.02	Media Access	Restrict access to CUI on system media to authorized personnel or roles.
03.08.03	Media Sanitization	Sanitize or destroy system media containing CUI before disposal, release, or reuse; verify sanitization actions.
03.08.04	Media Marking	Mark system media containing CUI with applicable distribution limitations and handling caveats.
03.08.05	Media Transport	Protect and control system media during transport outside controlled areas; maintain accountability; document activities...
03.08.07	Media Use	Restrict or prohibit the use of types of system media on systems or system components; prohibit use of removable media w...
03.08.09	System Backup - Cryptographic Protection	Protect the confidentiality of backup CUI at storage locations using cryptographic mechanisms.

Personnel Security 03.09

2 controls

Controls in the Personnel Security 03.09 domain of NIST SP 800-171 Rev 3 — 2 controls
Code	Title	Description
03.09.01	Personnel Screening	Screen individuals prior to authorizing access to the system and CUI; rescreen at defined frequency.
03.09.02	Personnel Termination and Transfer	Upon termination or transfer, disable access, revoke authenticators/credentials, conduct exit interviews including CUI h...

Physical Protection 03.10

5 controls

Controls in the Physical Protection 03.10 domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.10.01	Physical Access Authorizations	Develop, approve, and maintain list of individuals with authorized access to facility where CUI resides; issue credentia...
03.10.02	Monitoring Physical Access	Monitor physical access to the facility where the system resides; review logs of physical access; coordinate review with...
03.10.06	Alternate Work Site	Determine and document alternate work sites allowed; employ controls at alternate work sites; assess feasibility of cont...
03.10.07	Physical Access Control	Enforce physical access authorizations at entry/exit points; maintain visitor logs; control access to keys, combinations...
03.10.08	Access Control for Transmission	Control physical access to system distribution and transmission lines within facilities.

Planning 03.15

3 controls

Controls in the Planning 03.15 domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.15.01	Policy and Procedures	Develop, document, and disseminate organization-level policy and procedures for each family of security requirements; re...
03.15.02	System Security Plan	Develop, document, and maintain a system security plan describing the system boundary, environment of operation, securit...
03.15.03	Rules of Behavior	Establish and provide rules of behavior describing user responsibilities; require acknowledgment before authorizing acce...

Risk Assessment 03.11

3 controls

Controls in the Risk Assessment 03.11 domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.11.01	Risk Assessment	Conduct risk assessments including likelihood and impact of unauthorized access, use, disclosure, disruption, modificati...
03.11.02	Vulnerability Monitoring and Scanning	Monitor and scan for vulnerabilities at defined frequency and when new vulnerabilities are identified; remediate based o...
03.11.04	Risk Response	Respond to findings from risk assessments, security assessments, and monitoring through accepted, transferred, mitigated...

Security Assessment 03.12

4 controls

Controls in the Security Assessment 03.12 domain of NIST SP 800-171 Rev 3 — 4 controls
Code	Title	Description
03.12.01	Security Assessment	Assess security requirements in the system at defined frequency to determine if controls are implemented correctly, oper...
03.12.02	Plan of Action and Milestones	Develop and update a POAM to document planned remediation actions for weaknesses identified during assessments; track to...
03.12.03	Continuous Monitoring	Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring of security require...
03.12.05	Information Exchange	Approve and manage the exchange of CUI between systems through information exchange agreements, interconnection security...

Supply Chain Risk Mgmt 03.17

3 controls

Controls in the Supply Chain Risk Mgmt 03.17 domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.17.01	Supply Chain Risk Management Plan	Develop a plan for managing supply chain risks associated with the development, acquisition, maintenance, and disposal o...
03.17.02	Acquisition Strategies, Tools, and Methods	Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and...
03.17.03	Supply Chain Requirements and Processes	Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes...

System Communications Protection 03.13

10 controls

Controls in the System Communications Protection 03.13 domain of NIST SP 800-171 Rev 3 — 10 controls
Code	Title	Description
03.13.01	Boundary Protection	Monitor and control communications at external boundaries and key internal boundaries of the system; implement subnetwor...
03.13.04	Information in Shared System Resources	Prevent unauthorized and unintended information transfer via shared system resources.
03.13.06	Network Communications - Deny by Default - Allow by Exception	Deny network communications traffic by default and allow network communications traffic by exception.
03.13.08	Transmission Confidentiality and Integrity	Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI and detect changes during transmission.
03.13.09	Network Disconnect	Terminate the network connection associated with a communications session at the end of the session or after a defined p...
03.13.10	Cryptographic Key Establishment and Management	Establish and manage cryptographic keys for cryptography employed in the system in accordance with key management requir...
03.13.11	Cryptographic Protection	Implement FIPS-validated or NSA-approved cryptography for protecting the confidentiality of CUI.
03.13.12	Collaborative Computing Devices and Applications	Prohibit remote activation of collaborative computing devices and applications with specified exceptions; provide indica...
03.13.13	Mobile Code	Define acceptable and unacceptable mobile code and mobile code technologies; authorize, monitor, and control use of mobi...
03.13.15	Session Authenticity	Protect the authenticity of communications sessions.

System Information Integrity 03.14

5 controls

Controls in the System Information Integrity 03.14 domain of NIST SP 800-171 Rev 3 — 5 controls
Code	Title	Description
03.14.01	Flaw Remediation	Identify, report, and correct system flaws; test software and firmware updates for effectiveness and side effects before...
03.14.02	Malicious Code Protection	Implement malicious code protection at system entry and exit points; update protection mechanisms; configure to perform...
03.14.03	Security Alerts, Advisories, and Directives	Receive system security alerts, advisories, and directives from external organizations on an ongoing basis; generate int...
03.14.06	System Monitoring	Monitor the system to detect attacks and indicators of potential attacks; identify unauthorized use of the system; deplo...
03.14.08	Information Management and Retention	Manage and retain CUI within the system and CUI output from the system in accordance with applicable laws, regulations,...

System Services Acquisition 03.16

3 controls

Controls in the System Services Acquisition 03.16 domain of NIST SP 800-171 Rev 3 — 3 controls
Code	Title	Description
03.16.01	Security Engineering Principles	Apply security engineering principles in the specification, design, development, implementation, and modification of the...
03.16.02	Unsupported System Components	Replace system components when support for the components is no longer available; provide justification and approval for...
03.16.03	External System Services	Require providers of external system services to comply with security requirements; define and document oversight and us...

Frequently Asked Questions

What is NIST SP 800-171 Rev 3?

NIST SP 800-171 Rev 3 is a compliance framework from United States with 34 domains and 194 controls. NIST SP 800-171 Rev 3 (May 2024). Restructured requirements for CUI protection. Note CMMC 2.0 still references Rev 2. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-171 Rev 3 have?

NIST SP 800-171 Rev 3 has 194 controls organised across 34 domains. The largest domains are 03.01 AC (Access Control) (16 controls), Access Control 03.01 (16 controls), 03.04 CM (Configuration Management) (10 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-171 Rev 3 map to?

NIST SP 800-171 Rev 3 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-171 Rev 3 compliance?

Start your NIST SP 800-171 Rev 3 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-171 Rev 3 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 194 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required