NIST Compliance

Compliance: NIST 800-171

The National Institute of Standards and Technology (NIST) Special Publication 800-171 is an important set of guidelines that aims to ensure the safety and confidentiality of sensitive federal data. Any organization that stores, processes, or transmits controlled unclassified information (CUI) for the Department of Defense, NASA, and any federal or state agency must be in compliance with NIST 800-171.

Here is a detailed look at how Endpoint Central MSP helps to achieve NIST 800-171 compliance:

S.No Requirement Description How Endpoint Central MSP fulfills it?

Access Control


Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Create local users and add them to a suitable group to provide them proper scope for systems using Endpoint Central MSP’s user management configuration.


Limit system access to the types of transactions and functions that authorized users are permitted to execute.

Create local users and add them to a suitable group to provide them with proper scope for systems using Endpoint Central MSP’s user management configuration.


Employ the principle of least privilege, including for specific security functions and privileged accounts.

Using the Privileged Access Management solution, privileged user activity can be supervised with session shadowing capabilities and dual control on privileged access can be achieved. Local user accounts can be managed using user management configurations under Endpoint Central MSP.


Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Create local users and add them to a suitable group to provide them proper scope for systems using Endpoint Central MSP’s user management configuration.

Endpoint Central MSP has access to all systems’ Event Viewer to monitor the activities performed in each system. You can provide various category-based filters to monitor the required activities.


Limit unsuccessful logon attempts.

Deploy scripts that limit the number of logon attempts to all endpoints from a centralized console with Endpoint Central MSP’s custom script configuration.


Provide privacy and security notices consistent with applicable CUI rules.

Endpoint Central MSP's Legal Notice configuration enables you to display important announcements and legal notices throughout the enterprise. The configured message will be displayed whenever the user presses Ctrl+Alt+Del to log in.


Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Force the screen to sleep or hibernate after a specified duration of inactivity with Endpoint Central MSP’s power management configuration. You can also configure whether the password should be required after sleep or not.


Monitor and control remote access sessions.

Block outbound remote control ports for specified users or computers using Endpoint Central MSP’s firewall configuration to prevent unprivileged remote sessions.


Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

The Remote Control feature of Endpoint Central MSP is supported over HTTPS to protect the confidentiality of remote access sessions.


Authorize remote execution of privileged commands and remote access to security-relevant information.

Deploy privileged commands to multiple computers and control systems' displays remotely from Endpoint Central MSP’s centralized console.


Control connection of mobile devices.

Prevent unauthorized mobile devices from connecting to your organization’s network with Endpoint Central MSP’s SCEP certificate distribution feature.

Deploy profiles to all mobile devices based on their platform to restrict mobile device usage including anonymous activities on them.


Encrypt CUI on mobile devices and mobile computing platforms.

Containerize CUI on mobile devices using Endpoint Central MSP’s mobile device management capabilities. If any malicious activity, like data theft, is discovered, the device can be wiped remotely. Endpoint Central MSP also provides the option to secure devices with passwords that adhere to predefined complexity requirements.


Verify and control/limit connections to and use of external systems.

Endpoint Central MSP provides features to restrict the usage of USB devices. By assigning strict device policies, you can instantly identify the devices connected to your endpoints.

3.1.21 Limit use of portable storage devices on external systems.

Endpoint Central MSP provides features to restrict the usage of USB devices and other portable storage devices to prevent theft of the CUI stored in systems.


Control CUI posted or processed on publicly accessible systems.

Restrict users from publicly posting CUI via a browser by blacklisting websites or website groups with Endpoint Central MSP’s browser management add-on.

Endpoint Central MSP helps to authorize only approved software to run in your publicly accessible systems. It helps block/unblock removable storage devices in publicly accessible systems, keeping your organization's systems secure.


Audit & accountability



Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Endpoint Central MSP has access to all systems’ Event Viewer to monitor the activities performed in each system. You can also provide various category-based filters to monitor the required activities.


Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Endpoint Central MSP provides the User Logon Report to track the user login and logoff history in the managed endpoints.
The actions performed by the admin and technicians in the web console of the product are logged for better auditing.


Review and update logged events.

Endpoint Central MSP has access to all systems’ Event Viewer to monitor the activities performed in each system. You can also provide various category-based filters to monitor the required activities.


Configuration Management



Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Endpoint Central MSP can maintain an inventory of organizational systems, including hardware and software. You can deploy a baseline configuration to systems using Endpoint Central MSP.


Establish and enforce security configuration settings for information technology products employed in organizational systems.

Deploy security policies in endpoints with Endpoint Central MSP’s security policy configuration.

Blacklist or whitelist applications and stand-alone EXEs with Endpoint Central MSP to prevent unauthorized applications from performing malicious activities.

Secure browser usage in your organization’s systems using Endpoint Central MSP’s browser management add-on.


Track, review, approve or disapprove, and log changes to organizational systems.

All hardware and software changes are tracked on time. Endpoint Central MSP also tracks patches and software updates. You can remediate those changes by deploying configurations.


Analyze the security impact of changes prior to implementation.

The 'Test and Approve' feature under Patch Management in Endpoint Central MSP enables you to view the compatibility of a patch update with the systems in the network prior to deploying the patches. Endpoint Central MSP also provides test deployment to specific targets for other modules, such as configurations and software deployment.


Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational system.

Enforce logical restrictions catering to your needs using the various User Configurations settings found under Endpoint Central MSP's configuration module.


Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Blacklist or whitelist applications and stand-alone EXEs to prevent unauthorized applications from performing malicious activities using Endpoint Central MSP.

Block or allow specific ports in both inbound and outbound connections with Endpoint Central MSP’s firewall configuration.

Delete unapproved services from all machines using Endpoint Central MSP’s service configuration.

Restrict the use of portable storage devices and Bluetooth with Endpoint Central MSP to avoid theft of CUI stored in machines.


Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Blacklist or whitelist applications across your organization or only for a specific group with Endpoint Central MSP.


Control and monitor user-installed software.

Endpoint Central MSP provides you with a Self-Service Portal that allows you to publish software to the target users/computers. Unlike manual software deployment, you can publish the list of software to the group (target users/computers). You can empower the users to install software based on their needs. It also provides a blacklisting feature which enables you to associate an application blacklist with different custom groups while keeping in consideration a user’s role in the enterprise.


Identification & Authentication



Identify system users, processes acting on behalf of users, and devices.


Endpoint Central MSP's System Manager enables administrators to perform various system management tasks, for example, viewing the list of users of the managed computers. Endpoint Central MSP also provides the list of devices associated with each computer and the choice to enable or disable the drivers related to those devices.

System users, processes and services running in the machines can be identified and viewed using Endpoint Central MSP. Common device identifiers like MAC and IP are available.

Custom fields can be added and the endpoints can be marked with different identifiers according to your requirement.


Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.

The list of users of the managed computers and the list of devices associated with them are accessible under Tools > System Manager. System Manager also provides a list of running processes on systems, which can be killed or managed as required. Privileged access can be enabled using the MDM and Application Control modules.


Enforce a minimum password complexity and change of characters when new passwords are created.

Enforce password complexity using a custom script in Endpoint Central MSP.


Allow temporary password use for system logons with an immediate change to a permanent password.

The User Management Configuration of Endpoint Central MSP allows you to define the scope of a user and specify a username and password.



Maintenance

Perform maintenance on organizational systems.

Endpoint Central MSP offers configurations that help you manage applications, system settings, desktop settings, and security policies. Endpoint Central MSP also offers a wide range of tools with which you can perform a variety of operations while troubleshooting for maintaining the organizational systems.


Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Endpoint Central MSP provides multi-factor authentication using two-factor authentication. When two-factor authentication is enabled, users will be prompted to enter the One Time Password (OTP) along with their default password. Endpoint Central MSP supports two-factor authentication in two modes, using email and Google Authenticator. The Remote Desktop Sharing feature in Endpoint Central MSP enables you to access remote computers in a network, which can be used for nonlocal maintenance purposes.


Supervise the maintenance activities of maintenance personnel without required access authorization.

Utilize Endpoint Central MSP's remote control, with a view-only mode option, to supervise maintenance personnel’s activity on endpoints.


Media protection



Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Restrict the use of removable storage media using Endpoint Central MSP.


Limit access to CUI on system media to authorized users.

Control, block, and monitor USB and peripheral devices using Endpoint Central MSP. The Drive Mapping configuration under Endpoint Central MSP enables you to map a remote network resource to the user machines, which eases the process.


Sanitize or destroy system media containing CUI before disposal or release for reuse.

Delete files that contain CUI from your organization’s systems with Endpoint Central MSP’s file folder operation.


Personnel security



Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Remotely wipe systems in case of personnel terminations and transfers with Endpoint Central’s remote wipe capability. Before wiping the data, you can back up the folder using the product’s folder backup configuration. You can also move those backup files to the secured systems repository using the file folder configuration.


Risk Assessment



Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Each Endpoint Central module has predefined reporting functionalities so you can audit information related to your organization’s systems, which helps to take further actions to strengthen the security of CUI. You can fetch the status of your systems with the security add-on and provide this information as built-in reports. After reviewing the status of the systems’ security health, you can perform the necessary actions right from the reports.


Security Assessment



Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Each of Endpoint Central's modules offers predefined reporting to help audit information related to organizational systems, which helps you take further actions to strengthen the security of CUI. You can fetch the status of your organization’s systems and provide this information as built-in reports with the security add-on. Review the status of your systems’ security health and perform the necessary actions right from the reports.


Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Identify vulnerabilities with periodic scanning and correct deficiencies by deploying missing patches to systems using Endpoint Central’s patching capability. Endpoint Central's Vulnerability Manager Plus add-on finds security misconfigurations in your organization’s systems and allows you to remediate them in bulk through a centralized console.


Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Endpoint Central provides data about the security status of the endpoints managed in your network, which can aid you in monitoring the controls and ensuring that they do not lose effectiveness over time.


System & communication



Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Endpoint Central's firewall configuration helps you block or allow inbound or outbound communications on systems using specified ports. This helps minimize attacks through anonymous ports.


Prevent unauthorized and unintended information transfer via shared system resources.

Endpoint Central provides data access control information, including the folders that are shared with various permission levels. Permission management helps revoke permissions for those folders.


Protect the confidentiality of CUI at rest.

Endpoint Central provides information on which folders are shared with what level of permissions. This data access control information helps mitigate the risk of CUI being shared with full or write-level permission.

Encrypt your systems’ hard disks with Endpoint Central’s Bitlocker add-on to ensure the CUI stored on those systems is secure.


System and information integrity



Identify, report, and correct system flaws in a timely manner.

Identify systems with security misconfigurations and missing patches, service packs, and antivirus definition updates with Endpoint Central’s vulnerability scanning, and remediate these flaws from a centralized console.


Monitor system security alerts and advisories and take actions in response.

Endpoint Central provides event logs (classified as errors, information messages and warnings) which help in auditing and troubleshooting. Using the vulnerability module gives you an assessment of the security posture of the managed endpoints.


Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Block or allow inbound and outbound connections on systems with Endpoint Central’s firewall configuration; this helps minimize attacks through anonymous ports.


Identify unauthorized use of organizational systems.

Track the use of USB devices on each system using Endpoint Central’s USB audit feature. Detect systems that contain unapproved applications and uninstall that software using Endpoint Central.
