NIST 800-171

Access Control:

    3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    3.1.3 Control the flow of CUI in accordance with approved authorizations.
    3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
    3.1.6 Use non-privileged accounts or roles when accessing non-security functions.
    3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    3.1.8 Limit unsuccessful logon attempts.
    3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
    3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
    3.1.11 Terminate (automatically) a user session after a defined condition.
    3.1.12 Monitor and control remote access sessions.
    3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    3.1.14 Route remote access via managed access control points.
    3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
    3.1.16 Authorize wireless access prior to allowing such connections.
    3.1.17 Protect wireless access using authentication and encryption.
    3.1.18 Control connection of mobile devices.
    3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
    3.1.20 Verify and control/limit connections to and use of external systems.
    3.1.21 Limit use of portable storage devices on external systems.
    3.1.22 Control CUI posted or processed on publicly accessible systems.
    RELEVANT INFORMATION:

    These controls focus on strong access management. They limit system access to authorized users, processes, and devices and to the functions those users are permitted to execute; they apply the principle of least privilege; and they separate duties so that malicious activity cannot succeed without collusion. Audit logging, encryption, and managed access control points protect remote and wireless access, mobile devices, and connections to external systems. Privacy and security notices are displayed, and session locks and automatic session termination prevent access after inactivity. The controls also protect Controlled Unclassified Information (CUI) on mobile devices and on publicly accessible systems. Together, they form a framework for controlling who and what may access organizational data and under which conditions.
    Resources to consider:

    3.1.1

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.