• Ignyte CMMC Specialist

NIST 800-171 | Access Control

Access control is the broadest and most technical family of NIST controls. This post covers the basics of how the Access Control family of NIST SP 800-171 is interpreted in practice.

Access controls apply to almost every piece of information technology deployed within a CUI environment, such as firewalls, databases, servers and other systems. Controlling permissions, user accounts and the flow of data is a critical part of implementing proper access control and access management.

Family: Access Control

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations.

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

3.1.8 Limit unsuccessful logon attempts.

3.1.9 Provide privacy and security notices consistent with applicable CUI rules.

3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.

3.1.11 Terminate (automatically) a user session after a defined condition.

3.1.12 Monitor and control remote access sessions.

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

3.1.14 Route remote access via managed access control points.

3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.

3.1.16 Authorize wireless access prior to allowing such connections.

3.1.17 Protect wireless access using authentication and encryption.

3.1.18 Control connection of mobile devices.

3.1.19 Encrypt CUI on mobile devices.

3.1.20 Verify and control/limit connections to and use of external information systems.

3.1.21 Limit use of organizational portable storage devices on external information systems.

3.1.22 Control information posted or processed on publicly accessible information systems.
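Two of the requirements above describe concrete mechanisms rather than policy: 3.1.8 (limit unsuccessful logon attempts) and 3.1.10/3.1.11 (lock and then terminate a session after inactivity or another defined condition). The following added example, which is not code from the original post or from Ignyte, shows how a minimal implementation of both behaves. The thresholds (failures per window, lockout duration, idle and lifetime limits), the `FakeClock` helper and the user names are constructed for the demonstration; NIST SP 800-171 leaves the actual values to the organization.

```python
# Added example: account lockout for 3.1.8 and session idle/lifetime termination
# for 3.1.10 and 3.1.11. All policy numbers here are constructed defaults.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class LockoutPolicy:
    max_failures: int = 5           # failed attempts tolerated within the window
    window_seconds: int = 15 * 60   # sliding window in which failures are counted
    lockout_seconds: int = 30 * 60  # how long the account stays locked once tripped


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Counts failed logons per account and locks the account once the policy is exceeded."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock  # injectable so the behaviour can be exercised without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str) -> bool:
        state = self.accounts.get(user)
        return state is not None and self.clock() < state.locked_until

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; returns True if the account is now locked."""
        now = self.clock()
        state = self.accounts.setdefault(user, AccountState())
        # Forget failures older than the window so an occasional typo never accumulates.
        state.failures = [t for t in state.failures if now - t < self.policy.window_seconds]
        state.failures.append(now)
        if len(state.failures) >= self.policy.max_failures:
            state.locked_until = now + self.policy.lockout_seconds
            state.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful logon on an unlocked account resets its failure history."""
        if not self.is_locked(user):
            self.accounts.pop(user, None)


class Session:
    """Terminates after an idle period (3.1.10/3.1.11) or an absolute lifetime (3.1.11)."""

    def __init__(self, user: str, idle_seconds: int, max_lifetime_seconds: int,
                 clock: Callable[[], float] = time.time):
        self.user = user
        self.idle_seconds = idle_seconds
        self.max_lifetime_seconds = max_lifetime_seconds
        self.clock = clock
        self.started = clock()
        self.last_activity = self.started

    def terminated_reason(self) -> str:
        """Empty string while the session is valid, otherwise why it was terminated."""
        now = self.clock()
        if now - self.last_activity >= self.idle_seconds:
            return "idle timeout"
        if now - self.started >= self.max_lifetime_seconds:
            return "maximum lifetime reached"
        return ""

    def touch(self) -> bool:
        """Register user activity; a terminated session cannot be revived by activity."""
        if self.terminated_reason():
            return False
        self.last_activity = self.clock()
        return True


class FakeClock:
    """Constructed clock for the demonstration; advance() moves time forward."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk through lockout, unlock, idle termination and lifetime termination."""
    clock = FakeClock()
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120), clock)
    guard.record_failure("alice")
    guard.record_failure("alice")
    clock.advance(61)  # the two earlier failures age out of the 60 s window
    aged_out = not guard.record_failure("alice")          # only 1 failure in window
    second = guard.record_failure("alice")                # 2 in window, still open
    third = guard.record_failure("alice")                 # 3 in window -> locked
    locked_now = guard.is_locked("alice")
    clock.advance(120)                                    # lockout period elapses
    unlocked = not guard.is_locked("alice")
    session = Session("alice", idle_seconds=900, max_lifetime_seconds=3600, clock=clock)
    clock.advance(899); session.touch()                   # activity just inside the idle limit
    clock.advance(899); active = session.terminated_reason() == ""
    clock.advance(1)                                      # 900 s idle -> terminated
    idle_reason = session.terminated_reason()
    long_session = Session("bob", 900, 3600, clock)
    start = clock.now
    while clock.now - start < 3600:                       # steady activity every 10 minutes
        clock.advance(600)
        long_session.touch()
    return {"aged_out": aged_out, "second": second, "third": third, "locked_now": locked_now,
            "unlocked": unlocked, "active": active, "idle_reason": idle_reason,
            "touch_after_idle": session.touch(), "lifetime_reason": long_session.terminated_reason()}


if __name__ == "__main__":
    print(demo())
```

The sliding window is the detail worth noting: a fixed lifetime counter would either never reset (locking out a user who mistypes once a week) or reset on every success, so the window gives a bounded, auditable definition of "unsuccessful attempts" that can be written into the system security plan as the organization-defined value.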

Informational Links

  • For more information regarding these 22 access controls, please visit page 11 in the publication found on

  • SP 800-77 and SP 800-113 provide guidance on secure remote access and virtual private networks.

  • SP 800-97 provides guidance on secure wireless networks.

  • SP 800-124 provides guidance on mobile device security.


Ignyte © 2020 All Rights Reserved. Ignyte Assurance Platform, Privacy Policy and Terms of Service.