• Ignyte CMMC Specialist


Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations

Safeguarding Controlled Unclassified Information (CUI) when working with a federal customer is critical to federal agencies and can directly impact your business. NIST SP 800-171 provides recommended minimal controls for protecting CUI. The requirements apply to all of the non-federal systems that process, store, or transmit CUI, or provide security protection for such components.

Requirements are specifically broken out into "Families" with sub-requirements underneath each family.

Identification and Authentication

3.5.1 Identify information system users, processes acting on behalf of users, or devices.

Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers.

NIST Special Publication 800-63 provides guidance on digital identities.

3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Individual authenticators include:

  • Passwords

  • Key cards

  • Cryptographic devices

  • One-time password devices.

Default authentication credentials are often well known, easily discoverable, and present a significant security risk.

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including

  • Minimum password length

  • Validation time window for time synchronous one-time tokens

  • Number of allowed rejections during the verification stage of biometric authentication.

NIST Special Publication 800-63 provides guidance on digital identities.

3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Multifactor authentication requires the use of two or more different factors to authenticate.

The factors are defined as:

  • Something you know (password, personal identification number [PIN])

  • Something you have (cryptographic identification device, token)

  • Something you are (biometric).

Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks.

Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses).

Remote access is a type of network access that involves communication through external networks.

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information traversing the network.

NIST Special Publication 800-63 provides guidance on digital identities.

3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages.

NIST Special Publication 800-63 provides guidance on digital identities.

3.5.5 Prevent reuse of identifiers for a defined period.

Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

3.5.6 Disable identifiers after a defined period of inactivity.

Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices.

3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.

The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password.

To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.

3.5.8 Prohibit password reuse for a specified number of generations.

Password lifetime restrictions do not apply to temporary passwords

3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.

Changing temporary passwords to permanent passwords:

  • Ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity

  • Reduces the susceptibility to authenticator compromises.

3.5.10 Store and transmit only encrypted representation of passwords.

Cryptographically-protected passwords include salted one-way cryptographic hashes of passwords.

See NIST Cryptographic Standards.

3.5.11 Obscure feedback of authentication information.

The feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms.

Therefore, the means for obscuring the authenticator feedback is selected accordingly.

Obscuring authenticator feedback includes:

  • Displaying asterisks when users type passwords into input devices

  • Displaying feedback for a very limited time before fully obscuring it

For further Information and Demo, please contact us:

  • LinkedIn
  • Facebook
  • Twitter
  • Instagram
  • YouTube
  • Pinterest | 1.833.IGNYTE1 


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Generic disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or of its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved

Igntye © 2020 All Rights Reserved. Ignyte Assurance Platform, Privacy Policy and Terms of Service.