NIST 800-171 compliance: Keep controlled unclassified information (CUI) safe
UserLock directly addresses three high-priority security requirements of NIST 800-171: 3.1 Access Control, 3.3 Audit and Accountability, and 3.5 Identification and Authentication.
NIST Special Publication (SP) 800-171 sets out the security requirements for organizations handling controlled unclassified information (CUI). Designed to protect the confidentiality of sensitive information, NIST 800-171 ensures strong data protection and access security for non-federal organizations that work with the U.S. federal government and manage CUI on their IT networks.
The National Institute of Standards and Technology (NIST) oversees cybersecurity and information technology standards in the U.S. The NIST 800 series focuses on IT security, initially focusing on U.S. federal government systems, and later expanding to boost the cybersecurity posture of non-federal organizations. In this sense, NIST 800-171 is a companion to NIST 800-53. While NIST 800-53 focuses on cybersecurity compliance standards for U.S. federal information systems, NIST SP 800-171 governs controlled unclassified information (CUI) in non-federal information systems and organizations. It is essentially a set of standards defining how to safeguard and distribute data that’s sensitive but not classified.
Any organization handling CUI as part of its contracts with the U.S. government must comply with NIST SP 800-171. This includes federal contractors, subcontractors, and any business or agency that processes, stores, or transmits CUI. Government agencies cannot award contracts to an organization that is not NIST 800-171 compliant.
The cost of a NIST 800-171 assessment varies depending on the organization’s size and setup. For a smaller company with a straightforward IT environment, costs range from $5,000 to $15,000. Larger organizations with more complex networks can expect higher costs, often more than $50,000. Costs can also increase if the organization brings in third-party consultants to address identified gaps.
Yes. NIST SP 800-171 requires multi-factor authentication (MFA) for access to CUI in specific scenarios. MFA is required for all privileged users, such as administrators, and for all remote access to systems that handle CUI. Organizations must require at least two factors to verify the user’s identity before granting access to CUI. MFA is key to meeting NIST 800-171 requirements by helping to lower the risk of unauthorized access to sensitive data.
IS Decisions’ software UserLock directly addresses three high-priority security requirements of NIST 800-171:
3.1 Access control
3.3 Audit and accountability
3.5 Identification and authentication
NIST 800-171 Control | IS Decisions Solution | Feature |
---|---|---|
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) | UserLock | Apply contextual access restrictions to restrict user access by time (working hours), machine or device, IP address, and geolocation. |
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute | UserLock | Enforce role-based restrictions to limit user access to only what their role requires. |
3.1.3 Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. | UserLock | Restrict system access to specific machines and devices, controlling which endpoints can access the system. |
3.1.6.a Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. | UserLock | Set different access policies for privileged accounts, by user, group or organizational unit (OU). |
3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs | UserLock | Implement multi-factor authentication (MFA) on user account control (UAC) requests for administrative tasks or run as administrator requests to prevent non-privileged users from elevating privileges. |
3.1.8.a Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]. | UserLock | Block user accounts after 5 logons denied by UserLock in less than 30 minutes. You can adjust the number of denied logins in X minutes according to your policy. |
3.1.8.b Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded. | UserLock | Block any logon attempts that don’t satisfy customized login restrictions. Set up alerts and run scripts to automatically log off suspect user accounts with one click, denying further logon attempts. |
3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | UserLock | Set an automatic forced logoff, on all locked or open machines, after a certain idle time. |
3.1.11 Terminate (automatically) a user session after a defined condition. | UserLock | Set up alerts and run scripts to force logoff a user after a defined condition. Set up alerts and manually block any suspect user accounts with one click. This denies all further logon attempts and closes any existing sessions. |
3.1.12 Monitor and control remote access sessions. | UserLock | Apply MFA and contextual access policies to remote connections – RD Gateway, RDP, RDWeb, RemoteApp, and VPN – for all users (remote or on-premises). |
UserLock delivers powerful access management with contextual access controls and session management capabilities.
Thanks to seamless integration with on-premises Active Directory (AD), UserLock allows administrators to set different access policies across AD users, groups or organizational units (OUs) in line with least privilege principles. UserLock syncs with AD every 5 minutes, ensuring any changes to AD user and group policies are detected and enforced by UserLock in real time.
UserLock also tracks and audits all user access events across the network, including any access attempts to protected cloud resources. This centralized audit across the whole network gives you 360-degree visibility across who has or is trying to gain access to your network, when, and on what connection type.
In other words, UserLock’s event logs help prove compliance by demonstrating that only authorized users have access to sensitive information, according to the access polices and circumstances required for compliance.
To go one step further, UserLock also allows IT administrators to set granular, contextual access restrictions based on factors like IP address, time, machine, session type, or geolocation.
Geolocation restriction settings:
Time and working hour restrictions:
UserLock also allows admins to limit the number of concurrent sessions allowed.
UserLock can apply customized login restrictions, including limits to the number of unsuccessful login attempts allowed. Any logon attempts that don’t satisfy these conditions are automatically blocked.
UserLock’s real-time monitoring includes a risk indicator, “User status”, that shows one of several levels: high risk, risk, unprotected, protected, or new user. By default, UserLock will consider a user high risk and block the account after 5 denied logons in less than 30 minutes. Administrators can adjust these settings according to organizational security policy.
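As an added illustration (not UserLock’s own code or log format), the following Python sketches the sliding-window rule described above: a user is flagged high risk once five denied logons fall within 30 minutes. The log line format, timestamps and user names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not UserLock's real format): timestamp, user, result.
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe denied
2024-03-04T08:03:22 jdoe denied
2024-03-04T08:05:40 asmith denied
2024-03-04T08:09:05 jdoe denied
2024-03-04T08:14:30 jdoe denied
2024-03-04T08:20:00 jdoe allowed
2024-03-04T08:28:45 jdoe denied
2024-03-04T09:10:00 asmith denied
2024-03-04T09:50:00 asmith denied
"""

THRESHOLD = 5                    # default on the page: 5 denied logons ...
WINDOW = timedelta(minutes=30)   # ... in less than 30 minutes


def parse_log(text):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result


def find_high_risk(text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp of the denial that crossed the threshold}.

    A per-user deque holds recent denial times; denials older than `window`
    are dropped, and the user is flagged when `threshold` denials remain.
    A successful logon does not reset the counter; only time ages denials out.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, result in parse_log(text):
        if result != "denied":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] >= window:   # discard denials outside the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged
```

With the sample data, jdoe reaches five denials within 27 minutes and is flagged, while asmith's denials are spread more than 30 minutes apart and never accumulate.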
IT administrators also can review and immediately block any suspect user accounts with just one click. This denies all further logon attempts and closes any existing sessions.
They can also set an automatic forced logoff, on all locked or open machines, after a certain idle time. This includes remote desktop sessions opened by the domain user.
UserLock helps administrators manage and secure remote connections — RD Gateway, RDP, RDWeb, RemoteApp, and VPN — for all users (remote or on-premises). Since administrators can control MFA frequency, UserLock keeps security lightweight for remote workers, ensuring your team strikes a balance between productivity and security.
NIST 800-171 Control | IS Decisions Solution | Feature |
---|---|---|
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | UserLock | Enables real-time event logging, auditing, and monitoring of all system access, with the ability to set up alerts and respond to unusual or unauthorized login events. |
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | UserLock | Creates detailed audit logs and reports of all user login activities, both successful and failed. |
| UserLock | Audit and report on all user session events from UserLock’s “Report” dashboard. Create and schedule predefined or custom reports. |
3.3.3.b Retain audit records for a time period consistent with the records retention policy. | UserLock | Store connection events in a production database (ODBC: Microsoft Access, SQL Server, MySQL), and retain archived databases as long as required. |
3.3.5.a Review and analyze system audit records [Assignment: organization-defined frequency] for indications and the potential impact of inappropriate or unusual activity. | UserLock | Easily switch between production databases and archived databases for smooth reporting. |
3.3.5.b Report findings to organizational personnel or roles. | UserLock | Schedule and email reports directly from the UserLock console. |
3.3.5.c Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. | UserLock | Install the UserLock API to pull access audit logs into your SOC solution for organization-wide audit record correlation. |
3.3.6.a Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents. | UserLock | Audit and report on all access events with powerful filters to pinpoint the information needed and speed up forensic analysis. |
3.3.6.b Preserve the original content and time ordering of audit records. | UserLock | View and filter events by the time associated with each event. |
3.3.7.a Use internal system clocks to generate time stamps for audit records. | UserLock | View and filter by time stamps for audit records that include date and time. |
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | UserLock | Set granular permission rights for UserLock administrators and control which administrators can make modifications. Track administrator actions and ensure accountability thanks to administrator action reports. |
3.3.9 Limit management of audit logging functionality to a subset of privileged users. | UserLock | Define on UserLock server properties the different user/group accounts authorized to manage UserLock and what they can do. |
UserLock monitors, records and reports on every user connection event and logon attempt to a Windows domain network. UserLock administrators can access detailed and personalized reports to support forensic investigations.
UserLock’s comprehensive event logs and auditing help administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise.
UserLock’s MFA event reports provide a complete log of all events related to which users are prompted for MFA upon logon, including whether MFA was completed successfully.
With UserLock, administrators get easy visibility on all multi-factor events from internet or non-internet-facing servers and workstations. Administrators can set up alerts for certain event types, such as MFA denials, or MFA prompts outside of working hours, so they can quickly detect potential threats.
Administrators can create custom reports or choose from the report templates available in the UserLock dashboard. These reports can be scheduled to be sent automatically from the UserLock dashboard to specified recipients, such as the CIO or ASD.
With UserLock, administrators can also record and report on all privileged access, account, and group management events thanks to a central audit across the whole network. The administrator actions report also allows organizations to quickly see and report on all administrator account actions.
Analyze event logs from internet-facing and non-internet-facing servers and workstations.
Administrators can set up alerts for certain event types, such as privileged account access denials, or privileged account logon attempts outside of working hours or from an unusual location, so they can quickly detect potential threats. UserLock also allows admins to block user sessions with one click.
UserLock offers granularity when setting permission rights for privileged users. Access to the different features is split into two privileges: “Read”, to display the section information, and “Write”, which authorizes modifications.
Note that UserLock’s event logs cannot be modified or deleted.
NIST 800-171 Control | IS Decisions Solution | Feature |
---|---|---|
3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | UserLock | Ensures strong MFA to verify users’ on-premises Active Directory identity before allowing system access. |
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | UserLock | Enforces MFA for network access on privileged and non-privileged accounts. |
UserLock makes it easy to verify the identity of all Active Directory accounts, whether privileged or non-privileged, and secure access to your network with multifactor authentication (MFA) on Windows logon, RDP and VPN connections.
With UserLock, you can authenticate your Active Directory user accounts’ access to your organization’s sensitive and non-sensitive data stored in cloud apps. UserLock combines MFA and single sign-on (SSO) to authenticate your Active Directory users’ access to online services and applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox, and other SAML-based cloud apps.
Administrators can choose how and when to require MFA.
There are two edit modes available for modifying the MFA settings. Make sure to read the documentation for the use case for each type of session to ensure users will receive an MFA prompt.
All session types at once: By selecting this option, you can apply the same policy for all session types protected by UserLock.
By session type: Select this option to apply different MFA policies for each session type.
You can also apply MFA by connection type.
For each session type, you can choose how often to prompt your users with MFA.
NIST 800-171 3.5.3 requires MFA across both unprivileged and privileged users of network systems, such as Active Directory.
UserLock’s straightforward, effective MFA verifies identity across all Active Directory accounts, whether privileged or non-privileged. This allows your organization to properly apply the principle of least privilege, which is key to lowering security risk as well as a cornerstone of zero trust architecture.