A working reference, not a source of truth. Every environment differs — your System Security Plan and your assessor decide what satisfies a control. Use this to understand the intent and the common bar, then document your own implementation.
Families covered:
- 3.1 Access Control
- 3.2 Awareness & Training
- 3.3 Audit & Accountability
- 3.4 Configuration Management
- 3.5 Identification & Authentication
- 3.6 Incident Response
- 3.7 Maintenance
- 3.8 Media Protection
- 3.9 Personnel Security
- 3.10 Physical Protection
- 3.11 Risk Assessment
- 3.12 Security Assessment
- 3.13 System & Communications Protection
- 3.14 System & Information Integrity

Point values are the deductions used by the DoD NIST SP 800-171 Assessment Methodology: a self-assessment starts at 110 and subtracts the weight of every requirement that is not implemented.
3.1 Access Control
- 3.1.1 — Limit who (and what) can get in [5 pts]
- 3.1.2 — Limit what users can do [5 pts]
- 3.1.3 — Control the flow of CUI [1 pt]
- 3.1.4 — Separate duties [1 pt]
- 3.1.5 — Least privilege (especially for admins) [3 pts]
- 3.1.6 — Use non-privileged accounts for routine work [1 pt]
- 3.1.7 — Restrict and log privileged functions [1 pt]
- 3.1.8 — Limit failed logons [1 pt]
- 3.1.9 — Show privacy and security notices [1 pt]
- 3.1.10 — Lock idle screens [1 pt]
- 3.1.11 — End sessions automatically [1 pt]
- 3.1.12 — Monitor and control remote access [5 pts]
- 3.1.13 — Encrypt remote access sessions [5 pts]
- 3.1.14 — Funnel remote access through managed points [1 pt]
- 3.1.15 — Authorize privileged remote actions [1 pt]
- 3.1.16 — Authorize wireless access first [5 pts]
- 3.1.17 — Protect wireless with authentication + encryption [5 pts]
- 3.1.18 — Control mobile device connections [5 pts]
- 3.1.19 — Encrypt CUI on mobile devices [3 pts]
- 3.1.20 — Control connections to external systems [1 pt]
- 3.1.21 — Limit portable storage on external systems [1 pt]
- 3.1.22 — Control what goes on public systems [1 pt]
3.2 Awareness & Training
- 3.2.1 — Make everyone security-aware [5 pts]
- 3.2.2 — Train people for their security duties [5 pts]
- 3.2.3 — Train on insider-threat indicators [1 pt]
3.3 Audit & Accountability
- 3.3.1 — Create and retain audit logs [5 pts]
- 3.3.2 — Trace actions to individual users [3 pts]
- 3.3.3 — Review and update what you log [1 pt]
- 3.3.4 — Alert when logging breaks [1 pt]
- 3.3.5 — Correlate and review your logs [5 pts]
- 3.3.6 — Reduce logs and generate reports [1 pt]
- 3.3.7 — Synchronize clocks for time stamps [1 pt]
- 3.3.8 — Protect your logs from tampering [1 pt]
- 3.3.9 — Limit who manages logging [1 pt]
3.4 Configuration Management
- 3.4.1 — Inventory and baseline your systems [5 pts]
- 3.4.2 — Enforce secure configuration settings [5 pts]
- 3.4.3 — Control and log changes [1 pt]
- 3.4.4 — Check changes before you make them [1 pt]
- 3.4.5 — Restrict who can make changes [5 pts]
- 3.4.6 — Least functionality [5 pts]
- 3.4.7 — Block nonessential ports and services [5 pts]
- 3.4.8 — Control which software can run [5 pts]
- 3.4.9 — Control user-installed software [1 pt]
3.5 Identification & Authentication
- 3.5.1 — Uniquely identify users, processes, and devices [5 pts]
- 3.5.2 — Authenticate before access [5 pts]
- 3.5.3 — Multifactor authentication (MFA) [5 pts]
- 3.5.4 — Replay-resistant authentication [1 pt]
- 3.5.5 — Don't recycle identifiers [1 pt]
- 3.5.6 — Disable dormant accounts [1 pt]
- 3.5.7 — Enforce password complexity [1 pt]
- 3.5.8 — Block password reuse [1 pt]
- 3.5.9 — Force change of temporary passwords [1 pt]
- 3.5.10 — Protect stored and transmitted passwords [5 pts]
- 3.5.11 — Obscure authentication feedback [1 pt]
3.6 Incident Response
- 3.6.1 — Have an incident-response capability [5 pts]
- 3.6.2 — Track and report incidents [5 pts]
- 3.6.3 — Test your incident response [1 pt]
3.7 Maintenance
- 3.7.1 — Perform system maintenance [3 pts]
- 3.7.2 — Control maintenance tools and personnel [5 pts]
- 3.7.3 — Sanitize equipment before offsite service [1 pt]
- 3.7.4 — Scan maintenance media for malware [3 pts]
- 3.7.5 — MFA for remote maintenance [5 pts]
- 3.7.6 — Supervise outside maintenance staff [1 pt]
3.8 Media Protection
- 3.8.1 — Protect and store CUI media [3 pts]
- 3.8.2 — Limit who can access CUI media [3 pts]
- 3.8.3 — Sanitize or destroy media [5 pts]
- 3.8.4 — Mark CUI media [1 pt]
- 3.8.5 — Control CUI media in transit [1 pt]
- 3.8.6 — Encrypt CUI on media in transit [1 pt]
- 3.8.7 — Control removable media [5 pts]
- 3.8.8 — Ban ownerless USB drives [3 pts]
- 3.8.9 — Protect backup CUI [1 pt]
3.9 Personnel Security
- 3.9.1 — Screen individuals before granting access to systems holding CUI [3 pts]
- 3.9.2 — Protect CUI during and after personnel actions such as terminations and transfers [5 pts]
3.10 Physical Protection
- 3.10.1 — Limit physical access [5 pts]
- 3.10.2 — Protect and monitor the facility [5 pts]
- 3.10.3 — Escort and monitor visitors [1 pt]
- 3.10.4 — Keep physical access logs [1 pt]
- 3.10.5 — Manage physical access devices [1 pt]
- 3.10.6 — Safeguard CUI at remote work sites [1 pt]
3.11 Risk Assessment
- 3.11.1 — Assess your risk [3 pts]
- 3.11.2 — Scan for vulnerabilities [5 pts]
- 3.11.3 — Remediate vulnerabilities [1 pt]
3.12 Security Assessment
- 3.12.1 — Test your controls [5 pts]
- 3.12.2 — Plan to fix deficiencies (POA&M) [3 pts]
- 3.12.3 — Monitor controls continuously [5 pts]
- 3.12.4 — Write your System Security Plan (SSP) [required; carries no point value because without an SSP the assessment cannot be completed at all]
3.13 System & Communications Protection
- 3.13.1 — Protect your boundaries [5 pts]
- 3.13.2 — Build security in by design [5 pts]
- 3.13.3 — Separate user and admin functions [1 pt]
- 3.13.4 — Stop data leaking through shared resources [1 pt]
- 3.13.5 — Wall off your public-facing systems [5 pts]
- 3.13.6 — Deny all, permit by exception [5 pts]
- 3.13.7 — Block split tunneling on VPNs [1 pt]
- 3.13.8 — Encrypt CUI in transit [3 pts]
- 3.13.9 — Drop idle network sessions [1 pt]
- 3.13.10 — Manage your encryption keys [1 pt]
- 3.13.11 — FIPS-validated cryptography [5 pts]
- 3.13.12 — Control cameras and microphones [1 pt]
- 3.13.13 — Control mobile code [1 pt]
- 3.13.14 — Control and monitor VoIP [1 pt]
- 3.13.15 — Protect session authenticity [5 pts]
- 3.13.16 — Encrypt CUI at rest [1 pt]
3.14 System & Information Integrity
- 3.14.1 — Patch and remediate flaws [5 pts]
- 3.14.2 — Run anti-malware protection [5 pts]
- 3.14.3 — Act on security advisories [5 pts]
- 3.14.4 — Keep anti-malware current [5 pts]
- 3.14.5 — Scan systems and files [3 pts]
- 3.14.6 — Monitor for attacks [5 pts]
- 3.14.7 — Identify unauthorized use [3 pts]
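The point values above are only useful once you turn them into a score. The following is an added example, written for this page and not the site's own calculator: it encodes the full 110-requirement weight table (the 3.9.x weights come from the DoD Assessment Methodology, which also defines the two partial-credit cases and the SSP precondition) and computes an SPRS score from a list of requirement IDs you have not implemented. The self-assessment passed in under `__main__` is a constructed sample, not anyone's real result.

```python
"""SPRS self-score calculator for NIST SP 800-171 (DoD Assessment Methodology).

Rule: start at 110 and subtract the weight of every requirement that is not
implemented. 3.5.3 and 3.13.11 carry partial credit, and 3.12.4 (the SSP) has
no weight because an assessment cannot be completed without one.
"""
from typing import Iterable

# Requirements per family 3.1 .. 3.14 (110 in total).
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9,
                9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}

# 44 five-point requirements. 3.9.x weights are from the DoD methodology.
FIVE_POINT = {
    "3.1.1", "3.1.2", "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18",
    "3.2.1", "3.2.2", "3.3.1", "3.3.5",
    "3.4.1", "3.4.2", "3.4.5", "3.4.6", "3.4.7", "3.4.8",
    "3.5.1", "3.5.2", "3.5.3", "3.5.10", "3.6.1", "3.6.2", "3.7.2", "3.7.5",
    "3.8.3", "3.8.7", "3.9.2", "3.10.1", "3.10.2", "3.11.2", "3.12.1", "3.12.3",
    "3.13.1", "3.13.2", "3.13.5", "3.13.6", "3.13.11", "3.13.15",
    "3.14.1", "3.14.2", "3.14.3", "3.14.4", "3.14.6",
}
# 14 three-point requirements; every other requirement is worth 1 point.
THREE_POINT = {
    "3.1.5", "3.1.19", "3.3.2", "3.7.1", "3.7.4", "3.8.1", "3.8.2", "3.8.8",
    "3.9.1", "3.11.1", "3.12.2", "3.13.8", "3.14.5", "3.14.7",
}
SSP = "3.12.4"

# Partial credit: 3.5.3 loses 3 instead of 5 when MFA covers remote and
# privileged users but not general users; 3.13.11 loses 3 instead of 5 when
# encryption is in place but is not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def build_weights() -> dict[str, int]:
    """Return {requirement_id: full deduction} for all 110 requirements."""
    weights = {}
    for family, count in FAMILY_SIZES.items():
        for n in range(1, count + 1):
            rid = f"3.{family}.{n}"
            if rid == SSP:
                weights[rid] = 0
            elif rid in FIVE_POINT:
                weights[rid] = 5
            elif rid in THREE_POINT:
                weights[rid] = 3
            else:
                weights[rid] = 1
    return weights


WEIGHTS = build_weights()


def _sort_key(rid: str) -> tuple[int, ...]:
    return tuple(int(p) for p in rid.split("."))


def deductions(not_implemented: Iterable[str],
               partial: Iterable[str] = ()) -> list[tuple[str, int]]:
    """Validate the inputs and return [(requirement_id, points_lost)] in ID order."""
    missing = set(not_implemented)
    reduced = set(partial)
    unknown = (missing | reduced) - WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown requirement id(s): {sorted(unknown)}")
    if SSP in missing:
        raise ValueError("3.12.4: no System Security Plan, assessment cannot be completed")
    if missing & reduced:
        raise ValueError(f"listed as both missing and partial: {sorted(missing & reduced)}")
    bad_partial = reduced - PARTIAL_DEDUCTION.keys()
    if bad_partial:
        raise ValueError(f"no partial credit defined for: {sorted(bad_partial)}")
    items = [(r, WEIGHTS[r]) for r in missing] + [(r, PARTIAL_DEDUCTION[r]) for r in reduced]
    return sorted(items, key=lambda item: _sort_key(item[0]))


def sprs_score(not_implemented: Iterable[str], partial: Iterable[str] = ()) -> int:
    """SPRS score: 110 minus all deductions (minimum possible is -203)."""
    return 110 - sum(points for _, points in deductions(not_implemented, partial))


if __name__ == "__main__":
    # Constructed sample self-assessment, not a real organization's result.
    gaps = ["3.1.8", "3.3.7", "3.13.7", "3.14.5"]
    partial_credit = ["3.13.11"]           # encryption in use, not FIPS-validated
    for rid, points in deductions(gaps, partial_credit):
        print(f"{rid:<8} -{points}")
    print("SPRS score:", sprs_score(gaps, partial_credit))
```

Run it as a script to see a per-requirement deduction list and the resulting score; the validation in `deductions` is what keeps a sloppy self-assessment from producing a number the assessor will later reject (an unknown ID, a partial-credit claim on a requirement that has none, or a score computed with no SSP in place).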