NIST Risk Assessment Checklist – Last Updated January 2019

The Department of Defense has given qualified contractors until the end of the year to comply with the NIST 800-171 requirements.

1. Access Control

  • Limit information system access to authorized users.

  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

  • Limit unsuccessful login attempts.

  • Encrypt CUI on mobile devices, require authentication and encryption for wireless and remote connections, and route remote access through managed access control points.

2. Awareness and training

  • Educate managers, system administrators and users about the security risks associated with their activities and the applicable policies, standards and procedures.

  • Provide security awareness training on recognizing and reporting potential indicators of insider threat.

3. Audit and accountability

  • Use automated mechanisms to integrate and correlate audit and reporting processes.

  • Support on-demand analysis and reporting.

4. Configuration management

  • Limit the types of programs users can install.

  • Control and monitor all user-installed software.

5. Identification and authentication

  • Prevent reuse of identifiers for a defined period.

  • Disable identifiers after a defined period of inactivity.

  • Enforce minimum password complexity and implement a multifactor authentication solution such as DUO.

  • Develop and test an

7. Maintenance

  • Ensure equipment removed for off-site maintenance is sanitized of any CUI.

  • Require multifactor authentication to establish nonlocal maintenance sessions.

8. Media protection

  • Protect (i.e., physically control and securely store) information system media (paper and digital) containing CUI.

  • Sanitize or destroy information system media containing CUI before disposal or release for reuse.

9. Personnel security

  • Screen individuals prior to authorizing access to systems containing CUI.

10. Physical protection

  • Maintain audit logs of physical access.

  • Control and manage physical access devices.

11. Risk assessment

  • Scan for and remediate vulnerabilities in the information system and applications.

12. Security assessment

  • Periodically assess and monitor the security controls for effectiveness in their application.

  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.

13. System and communications protection

  • Separate user functionality from information system management functionality.

  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission.

  • Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

14. System and information integrity

  • Update malicious code protection mechanisms when new releases are available.

  • Identify unauthorized use of the information system.
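Three items on this checklist can be checked mechanically from authentication logs: the limit on unsuccessful login attempts (section 1), and the disabling of inactive identifiers and the cooling-off period before an identifier is reused (section 5). The script below is an added example written for this page, not code from the original checklist or from NIST; the log format, the threshold values (5 failures in 15 minutes, 30-minute lockout, 90 days of inactivity, 365-day reuse cooldown) and the sample events are all constructed assumptions, to be replaced with your own policy values and log export.

```python
"""Evidence checks for NIST 800-171 account controls (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy thresholds. These are assumed values, not NIST-mandated numbers;
# NIST 800-171 leaves the "defined period" to the organization.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)
INACTIVITY_LIMIT = timedelta(days=90)
REUSE_COOLDOWN = timedelta(days=365)

# Point in time the inactivity and reuse checks are evaluated against (assumed).
AS_OF = datetime(2019, 1, 31)

# Constructed sample log: "<ISO timestamp> <identifier> <ok|fail>", one per line.
# bob trips the limit; carol's failures are spread too thinly to trip it;
# dave has not been seen for more than 90 days.
SAMPLE_EVENTS = """\
2019-01-02T08:00:00 alice ok
2019-01-02T08:01:00 bob fail
2019-01-02T08:01:30 bob fail
2019-01-02T08:02:00 bob fail
2019-01-02T08:02:30 bob fail
2019-01-02T08:03:00 bob fail
2019-01-02T08:03:30 bob ok
2019-01-02T09:00:00 carol fail
2019-01-02T09:30:00 carol fail
2019-01-02T09:45:00 carol fail
2019-01-02T10:00:00 carol fail
2019-01-02T10:05:00 carol fail
2018-09-01T12:00:00 dave ok
"""

# Constructed register of removed identifiers and when they were retired.
RETIRED_IDENTIFIERS = {
    "erin": datetime(2018, 6, 1),    # 244 days ago: still reserved
    "frank": datetime(2017, 12, 1),  # 426 days ago: may be reissued
}


def parse_events(text):
    """Parse the log text into (timestamp, identifier, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)


def check_login_attempts(events):
    """Replay the log against the lockout policy.

    Returns (lockouts, violations): lockouts maps each identifier to the moment
    it should have been locked (MAX_FAILURES failures inside a sliding
    FAILURE_WINDOW); violations lists successful logins that happened while
    the identifier should still have been locked, i.e. evidence the control
    is not actually enforced. A successful login resets the failure count.
    """
    recent = defaultdict(deque)
    lockouts, violations = {}, []
    for ts, user, result in events:
        if result == "ok":
            if user in lockouts and ts - lockouts[user] < LOCKOUT_DURATION:
                violations.append((user, ts))
            recent[user].clear()
            continue
        window = recent[user]
        window.append(ts)
        while ts - window[0] > FAILURE_WINDOW:  # drop failures outside the window
            window.popleft()
        if len(window) >= MAX_FAILURES and user not in lockouts:
            lockouts[user] = ts
    return lockouts, violations


def inactive_identifiers(events, now):
    """Identifiers with no activity of any kind for longer than INACTIVITY_LIMIT."""
    last_seen = {}
    for ts, user, _ in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    return sorted(u for u, ts in last_seen.items() if now - ts > INACTIVITY_LIMIT)


def identifier_reusable(retired_on, name, now):
    """A retired identifier may be reissued only after REUSE_COOLDOWN has elapsed,
    so a new account cannot inherit stale ACL entries or the old audit trail."""
    retired = retired_on.get(name)
    return retired is None or now - retired >= REUSE_COOLDOWN


def run_checks(event_text=SAMPLE_EVENTS, now=AS_OF):
    """Run all three checks and return plain data suitable for an assessment record."""
    events = parse_events(event_text)
    lockouts, violations = check_login_attempts(events)
    return {
        "lockouts": {u: ts.isoformat() for u, ts in lockouts.items()},
        "logins_during_lockout": [(u, ts.isoformat()) for u, ts in violations],
        "inactive": inactive_identifiers(events, now),
        "reusable": {n: identifier_reusable(RETIRED_IDENTIFIERS, n, now)
                     for n in RETIRED_IDENTIFIERS},
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On the sample data the checks report bob as the only lockout, flag his successful login 30 seconds later as a lockout that was not enforced, leave carol alone because her five failures never fall inside one 15-minute window, list dave as inactive, and allow frank's identifier but not erin's to be reissued. Point `parse_events` at a real export and keep the thresholds in step with the values written in your system security plan.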