NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here

3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

Control Family: Access Control

Control Type: Basic

SPRS Value: 5

CMMC Level(s):

AC.L1-b.1.ii
AC.L2-3.1.2

Top Ten Failed Requirement: No

Referenced in:

FAR Clause 52.204 b.1.ii

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • AC-2

  • AC-3

  • AC-17

Discussion:

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Determining Statements (NIST SP 800-171Ar2)

Upon assessment, assessors must determine if-

3.1.2[a] the types of transactions and functions that authorized users are permitted to
execute are defined.
3.1.2[b] system access is limited to the defined types of transactions and functions for
authorized users.

Assessors are instructed to-

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].

Test: [SELECT FROM: Mechanisms implementing access control policy].

FURTHER DISCUSSION

Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities. Limit access to applications and data based on the authorized users’ roles and responsibilities. Common types of functions a user can be assigned are create, read, update, and delete.

Example

Your team manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains CUI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read-access or create/read/delete/update -access [b]. Implemeting this access control restricts access to CUI information unless specifically authorized.

Potential Assessment Considerations

  • Are access control lists used to limit access to applications and data based on role and/or identity [a]?

  • Is access for authorized users restricted to those parts of the system they are explicitly permitted to use (e.g., a person who only performs word-processing cannot access developer tools) [b]?

Frameworks & Controls