Organization-Defined Parameters for NIST 800-171 r3

The Department of Defense (DoD) published the organization-defined parameters for NIST 800-171 Revision 3. Organization-defined parameters (ODPs) allow organizations to tailor select security controls to specific security requirements, as determined by unique organizational risk management strategies. To determine the ODPs, input was collected from DoD offices, external government agencies, and subject matter experts from research and development centers. Additional input from industry stakeholders was included where appropriate.

Here are some of the NIST 800-171 r3 controls with notable ODPs. A full list can be found in this DoD document.

3.1.1 System Account Management

  • Disable inactive accounts within 90 days.
  • Notify account managers and designated personnel within 24 hours when:
    • Accounts are no longer required
    • Users are terminated or transferred
    • System usage or the need-to-know changes for an individual
  • Require that users log out of the system after no more than 24 hours of expected inactivity or when the work period ends.

3.1.10 Device Lock

  • Prevent access to the system by initiating a device lock after no more than 15 minutes of inactivity, and require the user to initiate a device lock before leaving the system unattended.

3.2.1 Security Literacy Training

  • Provide security literacy training to system users:
    • As part of the initial training for new users and at least every twelve months
    • When required by system changes, following significant, novel incidents, or following significant changes to risks
  • Update security literacy training content at least every twelve months and following significant, novel incidents or significant changes to risks.

3.3.1 Event Logging

  • Specify the following event types selected for logging within the system:
    1. Authentication events:
      • Logons (Success/Failure)
      • Logoffs (Success)
    2. Security-relevant file and object events:
      • Create (Success/Failure)
      • Access (Success/Failure)
      • Delete (Success/Failure)
      • Modify (Success/Failure)
      • Permission modification (Success/Failure)
      • Ownership modification (Success/Failure)
    3. Exports/writes/downloads to devices or digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
    4. Imports/uploads from devices or digital media (e.g., CD/DVD, USB, SD) (Success/Failure)
    5. User and group management events:
      • User add, delete, modify, disable, lock (Success/Failure)
      • Group/role add, delete, modify (Success/Failure)
    6. Use of privileged/special rights events:
      • Security or audit policy changes (Success/Failure)
      • Configuration changes (Success/Failure)
    7. Admin or root-level access (Success/Failure)
    8. Privilege/role escalation (Success/Failure)
    9. Audit and security-relevant log data accesses (Success/Failure)
    10. System reboot, restart, and shutdown (Success/Failure)
    11. Print to a device (Success/Failure)
    12. Print to a file (e.g., PDF format) (Success/Failure)
    13. Application (e.g., Adobe, Firefox, MS Office Suite) initialization (Success/Failure)
  • Review and update the event types selected for logging at least every twelve months and after any significant incidents or significant changes to risks.

3.4.2 Configuration Settings

  • Establish, document, and implement configuration settings for the system that reflect the most restrictive mode consistent with operational requirements:
    • Apply the appropriate common security configurations (checklists) available from the NIST National Checklist Program (NCP) website.
    • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other unauthorized connection to resources in external networks (i.e., prohibit split tunneling).
    • Document any deviations from the published standard or source document.

3.4.10 System Component Inventory

  • Review and update the system component inventory at least quarterly.

3.5.5 Identifier Management

  • Prevent the reuse of identifiers for at least ten years.

3.5.7 Password Management

  • Maintain a list of commonly used, expected, or compromised passwords, and update the list at least quarterly and whenever organizational passwords are suspected to have been compromised.
  • Enforce the following composition and complexity rules for passwords: a minimum length of sixteen characters, and the password must not contain the user's account name or full name.
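The three 3.5.7 rules above map directly onto a password-acceptance check. The following is an added example written for this page, not DoD, NIST, or CompliancePoint code; the account data and the compromised-password list are constructed for illustration, and the choice to store that list as SHA-1 digests (the format public breach corpora use) is an assumption about how an organization would hold it.

```python
import hashlib
import unicodedata

MIN_LENGTH = 16  # ODP: minimum password length of sixteen characters

# Constructed stand-in for the organization's list of commonly used,
# expected, or compromised passwords. Real lists are large and usually
# distributed as SHA-1 digests, so the check compares digests rather
# than cleartext. The ODP requires refreshing this list at least
# quarterly and whenever passwords are suspected to be compromised.
# usedforsecurity=False: SHA-1 is only a lookup key here, not a
# protection mechanism, so it is permissible on FIPS-mode hosts.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8"), usedforsecurity=False).hexdigest().upper()
    for p in ("Password12345678", "correcthorsebatterystaple", "Welcome2024Welcome")
}


def _normalize(text: str) -> str:
    """NFKC-normalize and casefold so that case and fullwidth/compatibility
    variants of a name cannot be used to slip past the name check."""
    return unicodedata.normalize("NFKC", text).casefold()


def check_password(candidate: str, account_name: str, full_name: str) -> list:
    """Return the ODP rules the candidate violates; an empty list means acceptable."""
    failures = []
    normalized = _normalize(candidate)

    # Rule: minimum length. Measured after normalization so that a
    # decomposed string does not count combining marks as characters.
    if len(normalized) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule: must not contain the account name or the user's full name.
    # Individual name tokens (first/last) are checked as well, since
    # "Jane" embedded in a longer string is the case the rule targets.
    # Tokens shorter than three characters (middle initials) are skipped
    # so that every password containing that letter is not rejected.
    tokens = {_normalize(account_name), _normalize(full_name)}
    tokens |= {_normalize(t) for t in full_name.split()}
    for token in sorted(tokens):
        if len(token) >= 3 and token in normalized:
            failures.append(f"contains name fragment {token!r}")

    # Rule: not on the compromised/common list. Hash the candidate exactly
    # as typed, because breach lists are built from literal leaked strings.
    digest = hashlib.sha1(candidate.encode("utf-8"), usedforsecurity=False).hexdigest().upper()
    if digest in COMPROMISED_SHA1:
        failures.append("appears on the compromised-password list")

    return failures


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    for pw in ("Tr0ub4dor&3", "JanePublic2024!!Go", "correcthorsebatterystaple", "glacier-oxbow-pickle-42"):
        print(f"{pw!r}: {check_password(pw, 'jqpublic', 'Jane Q. Public') or 'accepted'}")
```

Returning the full list of failed rules rather than the first one lets the enrolment UI tell the user everything wrong with the candidate in one round trip; the compromised-list check deliberately runs last so that a short password is never looked up at all.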

3.11.2 System Vulnerability Management

  • Monitor and scan the system for vulnerabilities at least monthly, when there are significant incidents or significant changes to risks, and when new vulnerabilities affecting the system are identified.
  • Remediate system vulnerabilities within 30 days of discovery for high-risk vulnerabilities, 90 days of discovery for moderate-risk vulnerabilities, and 180 days of discovery for low-risk vulnerabilities.
  • Update the system vulnerabilities to be scanned (i.e., the scanner's vulnerability definitions) no more than 24 hours prior to running the scans and when new vulnerabilities are identified and reported.
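The remediation windows and the 24-hour definition-freshness rule in 3.11.2 are the kind of thing an assessor will ask you to evidence, so it helps to compute them from scan data rather than by hand. The following is an added example, not DoD, NIST, or CompliancePoint code; the findings, plugin IDs, and timestamps are constructed, and the decision to treat a severity the ODP table does not name (such as "critical") as high-risk is an assumption, chosen so that a mapping gap can never lengthen a window.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional, Tuple

# ODP remediation windows, in days from the date of discovery.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}
# ODP: vulnerability definitions updated no more than 24 hours before a scan.
MAX_FEED_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class Finding:
    plugin_id: str            # scanner's identifier for the check (constructed)
    host: str
    severity: str             # as reported by the scanner
    discovered: date
    remediated: Optional[date] = None


def remediation_deadline(f: Finding) -> date:
    """Due date under the ODP. Unknown severities (e.g. 'critical') fall back
    to the high-risk window rather than being dropped or given more time."""
    window = REMEDIATION_DAYS.get(f.severity.lower(), REMEDIATION_DAYS["high"])
    return f.discovered + timedelta(days=window)


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Open findings past their deadline, paired with days overdue, worst first."""
    late = []
    for f in findings:
        if f.remediated is not None:
            continue  # closed findings are out of scope regardless of date
        days_late = (today - remediation_deadline(f)).days
        if days_late > 0:
            late.append((f, days_late))
    return sorted(late, key=lambda t: t[1], reverse=True)


def feed_is_fresh(feed_updated: datetime, scan_started: datetime) -> bool:
    """True only when definitions were refreshed within 24 hours *before* the
    scan began. A feed timestamp later than the scan start means the scan ran
    on older definitions, so that case is also reported as not fresh."""
    age = scan_started - feed_updated
    return timedelta(0) <= age <= MAX_FEED_AGE


# Constructed findings for the demonstration; not real scanner output.
FINDINGS = [
    Finding("P-1001", "web01", "high", date(2024, 3, 1)),
    Finding("P-1002", "db01", "moderate", date(2024, 2, 1)),
    Finding("P-1003", "db01", "low", date(2023, 9, 1)),
    Finding("P-1004", "web02", "critical", date(2024, 3, 20)),
    Finding("P-1005", "web01", "high", date(2024, 1, 5), remediated=date(2024, 1, 20)),
]
REPORT_DATE = date(2024, 4, 15)


def example_report() -> List[Tuple[Finding, int]]:
    return overdue(FINDINGS, REPORT_DATE)


def example_feed_checks() -> Tuple[bool, bool, bool]:
    scan = datetime(2024, 4, 15, 6, 0, tzinfo=timezone.utc)
    return (
        feed_is_fresh(datetime(2024, 4, 14, 20, 0, tzinfo=timezone.utc), scan),  # 10 h before scan
        feed_is_fresh(datetime(2024, 4, 13, 0, 0, tzinfo=timezone.utc), scan),   # 54 h before scan
        feed_is_fresh(datetime(2024, 4, 15, 9, 0, tzinfo=timezone.utc), scan),   # updated after scan
    )


if __name__ == "__main__":
    for f, days in example_report():
        print(f"{f.plugin_id} on {f.host} ({f.severity}): due {remediation_deadline(f)}, {days} days overdue")
    print("feed freshness checks:", example_feed_checks())
```

Two details matter for assessment evidence: the deadline is anchored to the date of discovery, not the date the ticket was opened, and a remediated finding is excluded even if it was closed late, since the ODP window is a remediation target, not a reporting filter (late closures should be tracked separately as POA&M history).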

3.13.11 Cryptography for Confidentiality of CUI

  • Implement FIPS-validated cryptography to protect the confidentiality of CUI.

NIST 800-171 r3 and CMMC

The Cybersecurity Maturity Model Certification (CMMC) program is currently based on NIST 800-171 Revision 2. The DoD’s publication of Organization Defined Parameters (ODPs) suggests a potentially accelerated adoption of NIST 800-171 Revision 3 for CMMC.

CompliancePoint has a team of cybersecurity professionals that can guide your organization to compliance with NIST 800-171, 800-53, or the NIST CSF. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.