Guide to NIST SP 800-171 & CMMC 2.0 Security Control Domains
Learn the objectives of each security control family.
NIST SP 800-171 consists of 14 different security domains. The security controls from these families cover everything from visitor access to your offices, to anti-malware protections. The diversity of security controls is what makes NIST SP 800-171 an effective security control framework for organizations, which is why it is required for DoD contractors who process, store, or transmit controlled unclassified information.
Access Control
The objective of the access control domain is to limit access to your systems and data. This includes limiting the persons who can log into your systems, limiting system access to authorized devices, and limiting permissions so that users, devices, and processes can only access the resources they need to fulfill mission requirements. Examples of access controls include account management, separation of duties, least privilege, and session locks.
Awareness and Training
The objective of the awareness and training domain is to educate users on common security threats, security best practices, and security policies. Training covers both privileged and non-privileged users. Privileged users receive additional role-relevant training. Security awareness training is critical as it improves user resiliency against cyber-attacks particularly social engineering attacks and insider threats.
Audit and Accountability
The objective of the audit and accountability domain is to record system and security logs on systems to support the monitoring, investigation, and reporting of system activity. It also seeks to ensure that system audit logs can be traced back to users so that they can be held accountable for their actions.
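The traceability objective above can be checked mechanically: every recorded event should carry an identity that maps to an individual. This is an added example, not part of the original guide; the log format, the shared-account list, and the sample lines are all constructed for illustration.

```python
import re

# Constructed syslog-style sample records (not captured from any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 sshd: Accepted publickey for jdoe from 10.0.0.5
2024-03-01T08:05:12Z host1 sudo: jdoe : COMMAND=/usr/bin/systemctl restart nginx
2024-03-01T09:10:44Z host2 sshd: Accepted password for admin from 10.0.0.9
2024-03-01T09:11:02Z host2 sudo: admin : COMMAND=/usr/sbin/useradd tmp
2024-03-01T10:20:00Z host3 sshd: Accepted password for admin from 10.0.0.12
2024-03-01T11:00:00Z host1 app: session opened
"""

# Assumed list of shared or generic accounts that cannot be tied to one person.
# In practice this comes from your account inventory, not a hard-coded set.
SHARED_ACCOUNTS = {"admin", "root", "service", "guest"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")


def extract_user(msg):
    """Pull the acting account out of an sshd or sudo message, else None."""
    m = re.search(r"\bfor (\S+) from\b", msg)      # sshd: "... for <user> from <ip>"
    if m:
        return m.group(1)
    m = re.match(r"(\S+) : COMMAND=", msg)          # sudo: "<user> : COMMAND=..."
    if m:
        return m.group(1)
    return None


def assess_accountability(log_text, shared_accounts=SHARED_ACCOUNTS):
    """Return (findings, coverage): findings is a list of (line_no, reason) for
    events that cannot be traced to an individual; coverage is the fraction of
    parsed events that can."""
    findings, attributable, total = [], 0, 0
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparseable record"))
            continue
        total += 1
        user = extract_user(m.group("msg"))
        if user is None:
            findings.append((n, "no user identity recorded"))
        elif user in shared_accounts:
            findings.append((n, f"shared account '{user}' not traceable to a person"))
        else:
            attributable += 1
    return findings, (attributable / total if total else 0.0)
```

Run over the sample, four of six events are non-attributable, which is the kind of gap a CMMC assessor would expect you to have already found and documented.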
Configuration Management
The objective of the configuration management domain is to ensure that information system components such as endpoints, network devices, cloud resources, and servers maintain secure configurations. This involves creating hardware and software inventories, creating secure baseline configurations, deploying secure baseline configurations, maintaining these baselines, and requiring information system changes to be tested and approved prior to deployment.
Identification and Authentication
The objective of the identification and authentication domain is to verify the identity of users and devices before granting them access to your information system. This involves creating unique user and device identifiers, such as user names and computer names, and requiring the use of strong passwords and multifactor authentication.
Incident Response
The objective of the incident response domain is for companies to establish an incident response capability: to prepare for incidents and to detect, analyze, contain, recover from, document, and report them. This involves creating an incident response plan, creating an incident response team, and testing your incident response capabilities.
Maintenance
The objective of the maintenance domain is to ensure that organizations perform timely and authorized maintenance on their systems in accordance with best practices and in a manner that is conducive to security. Maintenance is performed on both hardware and software (e.g., operating systems) and includes preventative, corrective, and adaptive maintenance. The maintenance domain also covers the secure performance of maintenance.
Media Protection
The objective of the media protection domain is to protect the data stored on both digital and non-digital media from unauthorized access. Digital media includes storage devices such as hard drives and thumb drives. Non-digital media includes paperwork. Media is protected by using locked containers, encryption, and proper media disposal techniques.
Personnel Security
The goal of the personnel security domain is to minimize the risk staff pose to your assets. This includes the malicious use of their legitimate system access. Employees often have access to sensitive information. The personnel security domain seeks to ensure that your company hires trustworthy staff and follows established procedures when terminating or transferring staff.
Physical Protection
The objective of the physical protection domain is to limit physical access to your facilities, systems, support infrastructure, and equipment to authorized persons. This is accomplished using locked entrances, ID badges, security cameras, and visitor escort procedures.
Risk Assessment
The objective of the risk assessment domain is for companies to identify, evaluate, and manage risk. It is unrealistic to eliminate all risk; however, proper risk management reduces it. Risks are identified by performing risk assessments and are documented in a risk assessment report.
Security Assessment
The objective of the security assessment domain is for companies to periodically assess the implementation of their security practices to verify their effectiveness. Any ineffective or absent security practices are to be documented and mitigated at a later date. Security assessments often involve reviewing your system security plan.
System and Communications Protections
The objective of the system and communications protection domain is to provide safeguards that protect systems as well as information at rest and in transit. This domain involves the implementation of network segmentation, encrypted communications, and configuration settings limiting the use of mobile code.
System and Information Integrity
The objective of the system and information integrity domain is to ensure that the information system is free of malicious code and that appropriate measures are in place to prevent the installation of malicious code. This generally involves the use of anti-malware software, intrusion detection and prevention systems, and vulnerability scanning.