Published by the National Institute of Standards and Technology, SP 800-171 sets the security baseline that nonfederal organizations must apply when handling Controlled Unclassified Information (CUI) for the U.S. federal government. It anchors DFARS clause 252.204-7012, underpins Level 2 of the CMMC program, and was modernized by Revision 3 (May 14, 2024), which aligns the framework with NIST SP 800-53 Rev 5, consolidates 110 controls into 97 streamlined requirements, and adds three new families covering Planning, System and Services Acquisition, and Supply Chain Risk Management.

Endpoint Central operationalizes these safeguards across access control, configuration management, vulnerability remediation, CUI protection, and audit reporting from a single unified console, giving DoD contractors, federal suppliers, and research institutions a continuously refreshed source of audit-ready evidence.


Why Endpoint Central is essential for NIST SP 800-171

Asset Visibility & Vulnerability Management

Continuous discovery and inventory of every hardware and software asset across your network, including roaming and off-network devices. Built-in vulnerability assessment scans endpoints for missing patches, zero-day exposures, and high-risk software, with automated remediation through Automated Patch Deployment (APD) for first-party and third-party applications.

Granular Access & Identity Controls

Enforce least-privilege access with endpoint privilege management, just-in-time elevation, and conditional access policies. Role-based access control and multi-factor authentication on the Endpoint Central console reduce the risk of internal exposure.

Comprehensive Data Protection

Endpoint Central's Data Loss Prevention discovers and classifies personal data across endpoints, then enforces policies restricting transfers via email, cloud, clipboard, and peripheral devices. BitLocker for Windows, FileVault for macOS, and native MDM encryption for Android and iOS secure personal data at rest.


Key Requirement Families in NIST SP 800-171

  • Access Control & Authentication: Restrict access to CUI through authentication, role-based access, and endpoint security policies.
  • Audit & Accountability: Maintain audit-ready records through endpoint monitoring, reporting, and compliance tracking.
  • Configuration Management: Enforce secure configurations, patch management, and hardened endpoint settings.
  • Risk Assessment & Incident Response: Identify vulnerabilities, detect threats, and support rapid remediation and recovery.
  • System & Communications Protection: Protect CUI through encryption, firewall management, and secure communications.
  • Supply Chain & Security Planning: Support security planning, software visibility, and operational risk management across endpoints.

Endpoint Central mapping to NIST SP 800-171

We have mapped Endpoint Central capabilities to the security requirement families defined in NIST SP 800-171 to help organizations protect Controlled Unclassified Information (CUI). This mapping illustrates how Endpoint Central supports secure configuration management, audit controls, vulnerability remediation, access management, and incident response workflows.

| Family | Requirements | Requirement description | How Endpoint Central fulfills it |
|---|---|---|---|
| 03.01 Access Control | 3.1.1, 3.1.2, 3.1.5, 3.1.7 | Limit system access to authorized users, processes and devices. Enforce least privilege and prevent non-privileged users from running privileged functions. | Scope local users into role-based groups with user management, gate every device with conditional access, and strip standing admin rights through privilege management with Just-in-Time elevation. |
| 03.01 Access Control | 3.1.8, 3.1.9, 3.1.10 | Limit failed logon attempts, display CUI privacy notices, and lock sessions after inactivity. | Push account lockout policies, Legal Notice banners, and power management session-lock rules to every endpoint from one console. |
| 03.01 Access Control | 3.1.12, 3.1.13, 3.1.15 | Monitor remote access, encrypt remote sessions, and authorize remote execution of privileged commands. | Endpoint Central's Remote Control runs over HTTPS with 256-bit AES (and can operate in FIPS 140-2 mode); firewall configuration blocks unsanctioned outbound channels. |
| 03.01 Access Control | 3.1.18 to 3.1.22 | Control mobile devices, encrypt CUI on mobile, restrict portable storage and external systems, and govern CUI on public-facing endpoints. | SCEP-based MDM enrollment, BitLocker/FileVault/MDM encryption, Device Control Plus USB policies, and browser security URL filtering shut down every common CUI exfil path. |
| 03.03 Audit and Accountability | 3.3.1, 3.3.2, 3.3.3 | Create, retain and review system audit logs; uniquely trace user actions; and review logged events. | Centralize every endpoint's Event Viewer with category-based filters, track user logon and console activity through built-in reports, and stream to EventLog Analyzer, Splunk, or Rapid7 for long-term review. |
| 03.04 Configuration Management | 3.4.1, 3.4.2, 3.4.3, 3.4.4 | Establish baseline configurations and inventories, enforce hardened settings, track changes, and assess impact before deployment. | IT asset management maintains live inventories, security configuration management enforces hardened baselines, and Test and Approve validates patches on a pilot group before broad rollout. |
| 03.04 Configuration Management | 3.4.6, 3.4.7, 3.4.8, 3.4.9 | Enforce least functionality, restrict nonessential ports and services, allowlist authorized software, and monitor user-installed apps. | Application Control Plus handles enterprise-wide allowlisting and blocklisting, firewall configuration kills unused ports, and the Self-Service Portal keeps approved software shipping without shadow IT. |
| 03.05 Identification and Authentication | 3.5.1, 3.5.2, 3.5.3, 3.5.7 | Uniquely identify users, processes and devices; authenticate before access; require MFA for privileged accounts; enforce password complexity. | System Manager surfaces every user, process, and device identifier; two-factor authentication protects console access; and password policy deployment enforces complexity across endpoints. |
| 03.07 Maintenance | 3.7.1, 3.7.4, 3.7.5, 3.7.6 | Perform system maintenance, scan diagnostic media for malware, require MFA for non-local maintenance, and supervise unauthorized personnel. | Next-gen antivirus scans new media on insert, MFA gates console-led remote maintenance, and Remote Control's view-only mode supervises every unescorted session. |
| 03.08 Media Protection | 3.8.1, 3.8.2, 3.8.3, 3.8.5, 3.8.7 | Protect CUI on physical and digital media, limit access, sanitize before disposal, control transport, and lock down removable media. | Device Control Plus enforces USB policies with file tracing and shadowing; file/folder operations sanitize CUI; remote wipe handles end-of-life devices. |
| 03.08 Media Protection | 3.8.9 | Protect the confidentiality of CUI backups at storage locations. | BitLocker Management for Windows and FileVault for macOS encrypt every disk that stores backup CUI. |
| 03.09 Personnel Security | 3.9.2 | Protect organizational systems containing CUI during and after personnel terminations and transfers. | Trigger remote wipe, back up CUI to a secure repository, and revoke console access through role-based administration the moment HR flags a separation. |
| 03.11 Risk Assessment | 3.11.1, 3.11.2, 3.11.3 | Assess organizational risk continuously, scan for vulnerabilities, and remediate per the risk ranking. | Vulnerability Manager runs continuous CVSS-prioritized scans and pushes one-click remediation through automated patch and configuration deployment. |
| 03.12 Security Assessment and Monitoring | 3.12.1, 3.12.2, 3.12.3 | Assess control effectiveness, build plans of action for deficiencies, and monitor controls continuously. | The DPO Dashboard and module-level reports give you real-time evidence of BitLocker, patch, firewall, and DLP posture, ready to hand to an assessor. |
| 03.13 System and Communications Protection | 3.13.1, 3.13.4, 3.13.8, 3.13.11, 3.13.16 | Protect boundary communications, prevent unintended information transfer, use FIPS-validated cryptography, and protect CUI at rest. | Firewall configuration plus port audits shut down exposed channels; FIPS 140-2 mode plus BitLocker, FileVault, and MDM encryption keep CUI encrypted everywhere it lives. |
| 03.14 System and Information Integrity | 3.14.1, 3.14.2, 3.14.3, 3.14.4 | Identify and correct flaws, protect against malicious code, monitor security alerts, and keep protection mechanisms current. | Continuous patching and next-gen antivirus with AI-assisted behavior analytics, tamper protection, and auto-updating engines close the malware and flaw gaps in one stack. |
| 03.14 System and Information Integrity | 3.14.6, 3.14.7 | Monitor traffic for attack indicators and identify unauthorized system use. | Anti-ransomware behavioral detection plus USB audit and unapproved-software reports surface unauthorized activity instantly; isolate or quarantine endpoints from the same console. |
| 03.15 Planning (new in Rev 3) | 3.15.1, 3.15.2 | Develop and maintain a System Security Plan and rules of behavior for handling CUI. | Live inventories, configuration baselines, role assignments, and compliance reports feed your SSP directly; Legal Notice banners and MDM content distribution operationalize your rules of behavior. |
| 03.16 System and Services Acquisition (new in Rev 3) | 3.16.1, 3.16.2 | Apply acquisition controls to systems and services; hold external providers to your security requirements. | Software inventory, license management, and prohibited-software policies govern what enters the environment; role-based admin and console audit trails keep MSP partners accountable. |
| 03.17 Supply Chain Risk Management (new in Rev 3) | 3.17.1, 3.17.2, 3.17.3 | Build a supply chain risk plan, assess critical suppliers, and use procurement to mitigate supply chain risk. | Hardware and software inventories give you a continuous bill-of-materials view; end-of-life software audits flag risky vendors; application allowlisting blocks unsanctioned tools at the door. |
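Whatever pushes the 3.1.8, 3.1.9 and 3.1.10 settings, an assessor will want evidence that they actually landed on the endpoint. The following PowerShell check is an added example, not Endpoint Central code or API: it reads the local security policy and the Windows logon policy registry key on one host and reports each setting against thresholds that are assumed here and should be taken from your System Security Plan.

```powershell
# Added example: verify the endpoint settings behind NIST SP 800-171 3.1.8 (lockout),
# 3.1.9 (CUI notice) and 3.1.10 (session lock) on one Windows host.
# Thresholds are assumed for illustration; use the values from your SSP.
# Run in an elevated session: secedit needs administrator rights.
$MaxFailedLogons = 5     # 3.1.8: highest acceptable lockout threshold (assumed)
$MaxIdleSeconds  = 900   # 3.1.10: highest acceptable inactivity limit in seconds (assumed)
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LockoutThreshold {
    # Export the local security policy and read LockoutBadCount from [System Access].
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    try {
        secedit /export /cfg $inf /quiet | Out-Null
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^LockoutBadCount\s*=\s*(\d+)') { return [int]$Matches[1] }
        }
        return $null
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$lockout = Get-LockoutThreshold
$idle    = $policy.InactivityTimeoutSecs   # "Interactive logon: Machine inactivity limit"

$results = @(
    [pscustomobject]@{
        Requirement = '3.1.8'; Setting = 'Account lockout threshold'; Value = $lockout
        # 0 means "never lock out", so it fails in the same way as a missing value.
        Pass = ($null -ne $lockout) -and ($lockout -ge 1) -and ($lockout -le $MaxFailedLogons)
    }
    [pscustomobject]@{
        Requirement = '3.1.9'; Setting = 'Legal notice banner'; Value = $policy.LegalNoticeCaption
        # The caption alone is not a notice; require the body text to be set.
        Pass = -not [string]::IsNullOrWhiteSpace($policy.LegalNoticeText)
    }
    [pscustomobject]@{
        Requirement = '3.1.10'; Setting = 'Machine inactivity limit (s)'; Value = $idle
        Pass = ($null -ne $idle) -and ($idle -gt 0) -and ($idle -le $MaxIdleSeconds)
    }
)

$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled run flag this host for follow-up.
if ($results.Pass -contains $false) { exit 1 }
```

The exit code is what a scheduled or remotely executed run should record alongside the console report, so that the evidence for 3.12.1 comes from the endpoint itself and not only from the tool that configured it.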

Penalties & Enforcement

NIST SP 800-171 compliance is mandatory for organizations that store, process, or transmit Controlled Unclassified Information (CUI) for U.S. federal agencies and Department of Defense (DoD) contracts. The framework forms the foundation of CMMC 2.0 Level 2 requirements for defense contractors handling CUI.

Failure to comply can result in loss of federal contracts, contract termination, failed CMMC assessments, reputational damage, and potential legal liability for misrepresenting cybersecurity compliance. Endpoint Central helps organizations strengthen their NIST SP 800-171 and CMMC readiness through centralized endpoint security, vulnerability remediation, compliance monitoring, access control, and audit-ready reporting.

Endpoint Central also supports the following compliance frameworks

  • CIS
  • FERPA
  • NIST 800-171
  • UK Cyber Essentials
  • NCA
  • ISO 27001
  • PCI DSS
  • NIST CSF 2.0
  • HIPAA
  • DORA
  • GDPR
  • NIS2
  • RBI
  • Essential 8


Real Stories, Real Impact: Endpoint Central and Compliance


"Endpoint Central has allowed us to move towards our goal of a centralized application to cover off IT support activities. The deployment was really simple with no real issues. We use it mainly for the integration with ServiceDesk Plus and the reports it provides for our ISO implementation."

Keith Henning, Business Support, Evander Glazing and Locks

Talk to Us About Your Compliance Needs

Feel free to connect with our experts to address your specific queries and discover how Endpoint Central can assist you in meeting NIST SP 800-171 requirements.
