NIST 800-171 Compliance

Maytech is certified to ISO 27001, a globally recognised standard for information security to which NIST 800-171 is equivalent. This article explains the NIST 800-171 standard and the differences between the two.

Skip to the end for a breakdown of areas which do not map directly.

How Does the International Standard ISO 27001 Map to the US Standard NIST 800-171?

While ISO 27001 and NIST 800-171 cover the same areas of information security, there are some differences in the way they are implemented. Depending on which standard you are operating under, these differences need to be clarified in order to demonstrate compliance.

US Federal Data Security NIST 800-57 vs. NIST 800-171

NIST 800-171 is designed for non-Federal (commercial) enterprises, whereas NIST 800-57 is specifically designed for Federal systems and organisations.

This article covers the requirements of NIST 800-171. Whatever standard you are working to, as data security experts we are confident we will be able to meet your compliance requirements.

Mapping ISO 27001 to NIST 800-171

Appendix D of the NIST 800-171 (Revision 1) publication maps each requirement statement against the equivalent control in ISO 27001. Because the two standards correspond so closely, compliance with one implies compliance with the other.

However, there are some NIST 800-171 requirements which have no direct mapping, or the equivalent ISO 27001 control has an asterisk against it, indicating that the ISO control “does not fully satisfy the intent of the NIST control”.

For each of these areas, Maytech can confirm we are conformant and are able to provide further details for each of the specific areas on request.

Please see the table below containing details of the specific differences, taken from Appendix D of NIST 800-171:

| NIST 800-171 requirement | NIST SP 800-53 relevant security controls | Maytech compliance status |
|---|---|---|
| 3.1.5 | AC-6(1) Least Privilege: Authorize Access to Security Functions; AC-6(5) Least Privilege: Privileged Accounts | Conformant |
| 3.1.6 | AC-6(2) Least Privilege: Non-Privileged Access for Non-security Functions | Conformant |
| 3.1.7 | AC-6(9) Least Privilege: Auditing Use of Privileged Functions; AC-6(10) Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions | Conformant |
| 3.1.10 | AC-11(1) Session Lock: Pattern-Hiding Displays | Conformant |
| 3.1.11 | AC-12 Session Termination | Conformant |
| 3.1.12 | AC-17(1) Remote Access: Automated Monitoring / Control | Conformant |
| 3.1.13 | AC-17(2) Remote Access: Protection of Confidentiality / Integrity Using Encryption | Conformant |
| 3.1.14 | AC-17(3) Remote Access: Managed Access Control Points | Conformant |
| 3.1.15 | AC-17(4) Remote Access: Privileged Commands / Access | Conformant |
| 3.1.17 | AC-18(1) Wireless Access: Authentication and Encryption | Conformant |
| 3.1.19 | AC-19(5) Access Control for Mobile Devices: Full Device / Container-Based Encryption | Conformant |
| 3.1.20 | AC-20(1) Use of External Systems: Limits on Authorized Use | Conformant |
| 3.1.21 | AC-20(2) Use of External Systems: Portable Storage Devices | Conformant |
| 3.1.22 | AC-22 Publicly Accessible Content | Conformant |
| 3.2.1-3.2.2 | AT-3 Role-Based Security | Conformant |
| 3.2.3 | AT-2(2) Security Awareness Training: Insider Threat | Conformant |
| 3.3.1-3.3.2 | AU-2 Audit Events; AU-3 Content of Audit Records; AU-3(1) Content of Audit Records: Additional Audit Information | Conformant |
| 3.3.3 | AU-2(3) Audit Events: Reviews and Updates | Conformant |
| 3.3.4 | AU-5 Response to Audit Processing Failures | Conformant |
| 3.3.5 | AU-6(3) Audit Review, Analysis, and Reporting: Correlate Audit Repositories | Conformant |
| 3.3.6 | AU-7 Audit Reduction and Report Generation | Conformant |
| 3.3.7 | AU-8(1) Time Stamps: Synchronization with Authoritative Time Source | Conformant |
| 3.3.9 | AU-9(4) Protection of Audit Information: Access by Subset of Privileged Users | Conformant |
| 3.4.1, 3.4.2 | CM-2 Baseline Configuration; CM-6 Configuration Settings; CM-8(1) System Component Inventory: Updates During Installations / Removals | Conformant |
| 3.4.6 | CM-7 Least Functionality | Conformant |
| 3.4.7 | CM-7(1) Least Functionality: Periodic Review; CM-7(2) Least Functionality: Prevent Program Execution | Conformant |
| 3.4.8 | CM-7(4) Least Functionality: Unauthorized Software / Blacklisting; CM-7(5) Least Functionality: Authorized Software / Whitelisting | Conformant |
| 3.5.1, 3.5.2 | IA-3 Device Identification and Authentication | Conformant |
| 3.5.3 | IA-2(1) Identification and Authentication (Organisational Users): Network Access to Privileged Accounts; IA-2(2) Identification and Authentication (Organisational Users): Network Access to Non-Privileged Accounts; IA-2(3) Identification and Authentication (Organisational Users): Local Access to Privileged Accounts | Conformant |
| 3.5.4 | IA-2(8) Identification and Authentication (Organisational Users): Network Access to Privileged Accounts, Replay Resistant; IA-2(9) Identification and Authentication (Organisational Users): Network Access to Non-Privileged Accounts, Replay Resistant | Conformant |
| 3.5.7-3.5.10 | IA-5(1) Authenticator Management: Password-Based Authentication | Conformant |
| 3.6.1 | IR-2 Incident Response Training | Conformant |
| 3.6.1-3.6.2 | IR-5 Incident Monitoring; IR-7 Incident Response Assistance | Conformant |
| 3.6.3 | IR-3 Incident Response Testing | Conformant |
| 3.7.1 | MA-2 Controlled Maintenance | Conformant |
| 3.7.1-3.7.2 | MA-3 Maintenance Tools; MA-3(1) Maintenance Tools: Inspect Tools; MA-3(2) Maintenance Tools: Inspect Media | Conformant |
| 3.7.3 | MA-2 Controlled Maintenance | Conformant |
| 3.7.4 | MA-3(2) Maintenance Tools | Conformant |
| 3.7.5 | MA-4 Non-local Maintenance | Conformant |
| 3.7.6 | MA-5 Maintenance Personnel | Conformant |
| 3.8.6 | MP-5(4) Media Transport: Cryptographic Protection | Conformant |
| 3.8.8 | MP-7(1) Media Use: Prohibit Use Without Owner | Conformant |
| 3.10.1 | PE-2 Physical Access Authorizations | Conformant |
| 3.10.1-3.10.2 | PE-6 Monitoring Physical Access | Conformant |
| 3.11.1 | RA-3 Risk Assessment | Conformant |
| 3.11.2, 3.11.3 | RA-5 Vulnerability Scanning | Conformant |
| 3.11.2 | RA-5(5) Vulnerability Scanning: Privileged Access | Conformant |
| 3.12 | CA-5 Plan of Action and Milestones; CA-7 Continuous Monitoring | Conformant |
| 3.13.3 | SC-2 Application Partitioning | Conformant |
| 3.13.4 | SC-4 Information in Shared Resources | Conformant |
| 3.13.6 | SC-7(5) Boundary Protection: Deny by Default / Allow by Exception | Conformant |
| 3.13.7 | SC-7(7) Boundary Protection: Prevent Split Tunneling for Remote Devices | Conformant |
| | SC-8(1) Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection | Conformant |
| 3.13.12 | SC-15 Collaborative Computing Devices | Conformant |
| 3.13.13 | SC-18 Mobile Code | Conformant |
| 3.13.14 | SC-19 Voice over Internet Protocol | Conformant |
| 3.13.15 | SC-23 Session Authenticity | Conformant |
| 3.13.16 | SC-28 Protection of Information at Rest | Conformant |
| 3.14.3 | SI-5 Security Alerts, Advisories, and Directives | Conformant |
| 3.14.6 | SI-4 System Monitoring; SI-4(4) System Monitoring: Inbound and Outbound Communications Traffic | Conformant |
| 3.14.7 | SI-4 System Monitoring | Conformant |

Maytech is a security specialist and works hard to maintain a very secure file sharing platform for our customers. If you have any questions on compliance or our services, please contact us to discuss the specific requirements for your organisation.