NIST SP 800-171 Revision 2 organizes security requirements into 14 families derived from FIPS 200. Each requirement addresses a specific aspect of protecting Controlled Unclassified Information (CUI).
Coverage categories used in the control tables:
- Technical: fully automated by the smartNOC platform
- Hybrid: platform provides tools, customer defines policy
- Organizational: customer-owned process control

Evidence types:
- Automated: logs, metrics, configuration snapshots
- Attestation: signed declarations from platform components
- Manual: process documentation and procedures
Access Control (family 3.1): Limit system access to authorized users, processes acting on behalf of authorized users, and devices. smartNOC implements access control through mTLS, RBAC, and certificate-based authentication.
| Control ID | Requirement | smartNOC Implementation | Coverage |
|---|---|---|---|
| 3.1.1 | Limit system access to authorized users | Certificate authority-issued x509 certificates with CMDB-driven role mappings. No shared credentials. Certificate revocation on role change. | Technical |
| 3.1.2 | Limit system access to types of transactions and functions | RBAC policies enforced at SELinux, application, and database layers. Service allow-lists defined per role in CMDB. | Technical |
| 3.1.3 | Control the flow of CUI | Network segmentation, TLS-encrypted channels, DNS policy enforcement, database row-level security for CUI tables. | Technical |
| 3.1.5 | Employ principle of least privilege | Default-deny firewall rules, SELinux confined processes, minimal role privileges defined in CMDB, time-limited certificates. | Technical |
| 3.1.12 | Monitor and control remote access sessions | All SSH access logged to immutable audit trail, session timeouts enforced, connection source validation, VPN requirement for external access. | Technical |
| 3.1.20 | Verify and control/limit connections to external systems | External connections require explicit allow-list entries, egress filtering, connection logging, proxy enforcement for outbound HTTP/HTTPS. | Hybrid |
Note: Table shows representative controls. Full 22-control mapping available on request.
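The access-control rows above describe a certificate-bound, default-deny model: a client certificate serial resolves through the CMDB to a principal and role, the role carries a service allow-list, and revocation and expiry are checked before anything is allowed. The following is an added example of that evaluation, not smartNOC code; the serials, principals, services, dates and the CMDB extract are constructed for illustration, and a real deployment would take the serial from the verified mTLS client certificate and the tables from the CMDB.

```python
"""Default-deny, certificate-bound authorization check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed CMDB extract: certificate serial -> principal, role, validity end.
CERT_BINDINGS = {
    "4F:2A:01": {"principal": "alice", "role": "dba",    "not_after": "2026-01-01T00:00:00+00:00"},
    "4F:2A:02": {"principal": "bob",   "role": "netops", "not_after": "2026-01-01T00:00:00+00:00"},
    "4F:2A:03": {"principal": "carol", "role": "dba",    "not_after": "2024-01-01T00:00:00+00:00"},
}

# Serials revoked on role change (3.1.1). Checked before the allow-list.
REVOKED_SERIALS = {"4F:2A:02"}

# Constructed per-role (service, action) allow-list (3.1.2, 3.1.5).
# There is no wildcard entry: anything not listed is denied.
ROLE_ALLOWLIST = {
    "dba":    {("postgres", "read"), ("postgres", "write"), ("ssh", "connect")},
    "netops": {("ssh", "connect"), ("dns-admin", "read")},
}

# Fixed evaluation time so the demo is reproducible (constructed).
DEMO_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    principal: Optional[str] = None
    role: Optional[str] = None


def authorize(serial: str, service: str, action: str,
              now: Optional[datetime] = None) -> Decision:
    """Evaluate one request. Every failure path is an explicit deny carrying a
    reason and the bound principal, so the outcome can be written to the audit
    trail with user attribution (3.3.2)."""
    now = now or datetime.now(timezone.utc)
    binding = CERT_BINDINGS.get(serial)
    if binding is None:
        return Decision(False, "unknown certificate serial")
    principal, role = binding["principal"], binding["role"]
    if serial in REVOKED_SERIALS:
        return Decision(False, "certificate revoked", principal, role)
    if datetime.fromisoformat(binding["not_after"]) <= now:
        return Decision(False, "certificate expired", principal, role)
    if (service, action) not in ROLE_ALLOWLIST.get(role, set()):
        return Decision(False, f"role {role} not permitted {action} on {service}",
                        principal, role)
    return Decision(True, "allowed by role allow-list", principal, role)


if __name__ == "__main__":
    for req in [("4F:2A:01", "postgres", "write"), ("4F:2A:01", "dns-admin", "read"),
                ("4F:2A:02", "ssh", "connect"), ("4F:2A:03", "ssh", "connect"),
                ("DE:AD:00", "ssh", "connect")]:
        d = authorize(*req, now=DEMO_NOW)
        print(req, "ALLOW" if d.allowed else "DENY", d.reason)
```

The order of checks matters: identity resolution, then revocation, then expiry, then the allow-list, so a revoked or expired certificate never reaches the permission lookup, and each deny reason is specific enough to be useful in an audit query.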
Audit and Accountability (family 3.3): Create, protect, and retain system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
| Control ID | Requirement | smartNOC Implementation | Coverage |
|---|---|---|---|
| 3.3.1 | Create and retain system audit logs | SELinux audit daemon, systemd journal, application logs collected and stored in centralized audit database. Retention policy enforced at database level. | Technical |
| 3.3.2 | Ensure actions can be traced to individual users | All actions authenticated via x509 certificate with user/role binding. UID/GID in audit logs, certificate serial in access logs. | Technical |
| 3.3.3 | Review and update logged events | Audit policy managed via Ansible, review workflow in CMDB, automated analysis via analytics engine, anomaly detection triggers review. | Hybrid |
| 3.3.4 | Alert on audit logging process failures | Monitoring agents track audit daemon health, alerts on log shipping failures, disk space monitoring, database connection health checks. | Technical |
| 3.3.8 | Protect audit information and tools from unauthorized access | Audit logs write-only for processes, read-only mounts for log directories, database role separation, log signing via cryptographic hashes. | Technical |
| 3.3.9 | Limit management of audit logging to privileged subset | Audit configuration requires sudo + CMDB approval, audit log access limited to security role, immutable once written to audit database. | Technical |
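Rows 3.3.8 and 3.3.4 above rely on audit records that are protected by cryptographic hashes and on alerting when the trail is damaged. The following is an added example of one way to build that, not smartNOC code: each record links to the hash of its predecessor and carries an HMAC-SHA256 over its own contents, so an edited record, a deleted record, or a reordered record is detected on verification. The key, field names and sample events are constructed; in practice the key would be held by the security role (3.3.9), not by the processes that append records.

```python
"""Hash-chained, keyed audit records with integrity verification (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

AUDIT_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: held by the security role
GENESIS_HASH = "0" * 64


def canonical(record: Dict) -> bytes:
    # Stable serialization so the hash does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(sealed: Dict) -> str:
    return hashlib.sha256(canonical(sealed)).hexdigest()


def seal(record: Dict, prev_hash: str, key: bytes = AUDIT_KEY) -> Dict:
    """Return a sealed copy: links to the previous entry and adds a MAC over
    the record including that link."""
    body = dict(record, prev_hash=prev_hash)
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def append(chain: List[Dict], record: Dict, key: bytes = AUDIT_KEY) -> List[Dict]:
    prev = entry_hash(chain[-1]) if chain else GENESIS_HASH
    chain.append(seal(record, prev, key))
    return chain


def verify(chain: List[Dict], key: bytes = AUDIT_KEY) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS_HASH
    for i, sealed in enumerate(chain):
        if sealed.get("prev_hash") != prev:
            return False, i                       # gap, reorder or deletion
        body = {k: v for k, v in sealed.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(sealed.get("mac", ""))):
            return False, i                       # contents changed after sealing
        prev = entry_hash(sealed)
    return True, None


def alert_if_broken(chain: List[Dict]) -> Optional[str]:
    """The 3.3.4 hook: None when intact, otherwise the alert text to raise."""
    ok, bad = verify(chain)
    return None if ok else f"AUDIT INTEGRITY FAILURE at entry {bad}"


def sample_chain() -> List[Dict]:
    # Constructed events carrying the 3.3.2 attribution fields.
    events = [
        {"seq": 0, "ts": "2025-06-01T10:00:00Z", "uid": 1001, "cert_serial": "4F:2A:01",
         "action": "ssh.login", "result": "ok"},
        {"seq": 1, "ts": "2025-06-01T10:00:05Z", "uid": 1001, "cert_serial": "4F:2A:01",
         "action": "postgres.write", "result": "denied"},
        {"seq": 2, "ts": "2025-06-01T10:00:09Z", "uid": 1002, "cert_serial": "4F:2A:02",
         "action": "ssh.login", "result": "ok"},
    ]
    chain: List[Dict] = []
    for event in events:
        append(chain, event)
    return chain


def edited_chain() -> List[Dict]:
    # Simulate a stored record being changed after it was sealed.
    chain = sample_chain()
    chain[1]["result"] = "ok"
    return chain


def truncated_chain() -> List[Dict]:
    # Simulate a record being removed from the middle of the trail.
    chain = sample_chain()
    del chain[1]
    return chain


if __name__ == "__main__":
    for name, c in [("intact", sample_chain()), ("edited", edited_chain()),
                    ("truncated", truncated_chain())]:
        print(name, verify(c), alert_if_broken(c))
```

Because the MAC covers `prev_hash`, a writer that can append records but does not hold the key cannot re-link the chain after removing an entry, and the verifier reports the first index at which either the link or the MAC fails, which is the point an investigation should start from.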
Configuration Management (family 3.4): Establish and maintain baseline configurations and inventories of organizational systems throughout the system development life cycles.
| Control ID | Requirement | smartNOC Implementation | Coverage |
|---|---|---|---|
| 3.4.1 | Establish and maintain baseline configurations | smartBASE provides signed, immutable base images. Role definitions in CMDB define approved configurations. Build pipeline ensures reproducibility. | Technical |
| 3.4.2 | Establish and enforce security configuration settings | SELinux enforcing mode, sysctl hardening, service allow-lists, firewall rules, all codified in Ansible playbooks and validated by Doghouse. | Technical |
| 3.4.3 | Track, review, approve, and audit changes | All changes via CMDB approval workflow, git commit history for code, package updates logged, configuration drift detection by monitoring agents. | Technical |
| 3.4.6 | Employ principle of least functionality | Minimal package sets in smartBASE, service allow-lists, disabled unnecessary systemd units, SELinux denies undefined behaviors. | Technical |
| 3.4.8 | Apply deny-by-default, allow-by-exception policy | Firewall default DROP, SELinux denying undefined types, application-level allow-lists, explicit service registration required. | Technical |
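The configuration-management rows above describe a role baseline (SELinux mode, hardened sysctl values, a service allow-list, deny-by-default firewall policy) that monitoring agents compare against the running host to detect drift. The following is an added example of such a comparison, not smartNOC or Doghouse code; the role, its values and both snapshots are constructed, and nothing here reads the live host.

```python
"""Configuration drift check against a CMDB-style role baseline (added example)."""
import copy
from typing import Dict, List

# Constructed baseline for a hypothetical 'dns-edge' role.
BASELINE: Dict = {
    "selinux_mode": "enforcing",
    "sysctl": {
        "net.ipv4.ip_forward": "0",
        "kernel.kptr_restrict": "2",
        "net.ipv4.conf.all.rp_filter": "1",
    },
    "enabled_units": {"ssh.service", "unbound.service", "monitoring-agent.service"},
    "firewall_default_policy": {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"},
}


def detect_drift(baseline: Dict, live: Dict) -> List[str]:
    """Return findings; an empty list means the host matches its role.

    Deny-by-default semantics (3.4.6, 3.4.8): an enabled unit absent from the
    baseline is drift, and a baseline setting absent from the snapshot is
    reported as drift rather than silently passing."""
    findings: List[str] = []
    if live.get("selinux_mode") != baseline["selinux_mode"]:
        findings.append(f"selinux_mode: expected {baseline['selinux_mode']}, "
                        f"found {live.get('selinux_mode')}")
    for key, want in baseline["sysctl"].items():
        got = live.get("sysctl", {}).get(key)
        if got != want:
            findings.append(f"sysctl {key}: expected {want}, found {got}")
    live_units = set(live.get("enabled_units", ()))
    for unit in sorted(live_units - baseline["enabled_units"]):
        findings.append(f"unit {unit}: enabled but not in role allow-list")
    for unit in sorted(baseline["enabled_units"] - live_units):
        findings.append(f"unit {unit}: required by role but not enabled")
    for chain, want in baseline["firewall_default_policy"].items():
        got = live.get("firewall_default_policy", {}).get(chain)
        if got != want:
            findings.append(f"firewall {chain} policy: expected {want}, found {got}")
    return findings


def compliant_snapshot() -> Dict:
    # A host that matches its baseline exactly.
    return copy.deepcopy(BASELINE)


def drifted_snapshot() -> Dict:
    # Constructed drift: forwarding turned on, an extra unit enabled,
    # and the INPUT chain opened up.
    live = copy.deepcopy(BASELINE)
    live["sysctl"]["net.ipv4.ip_forward"] = "1"
    live["enabled_units"].add("cups.service")
    live["firewall_default_policy"]["INPUT"] = "ACCEPT"
    return live


if __name__ == "__main__":
    for finding in detect_drift(BASELINE, drifted_snapshot()) or ["no drift"]:
        print(finding)
```

Each finding names the setting, the approved value and the observed value, which is the form an evidence record or a CMDB remediation ticket needs; a missing value is reported as `found None` rather than treated as compliant.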
System and Communications Protection (family 3.13): Monitor, control, and protect communications at external boundaries and key internal boundaries. Employ architectural designs, development techniques, and systems engineering principles.
| Control ID | Requirement | smartNOC Implementation | Coverage |
|---|---|---|---|
| 3.13.1 | Monitor and control communications at external boundaries | Firewall at network edge, ingress/egress logging, VPN requirement for external access, DNS rate limiting and policy enforcement. | Technical |
| 3.13.2 | Employ architectural designs to segregate network | VLAN segmentation, SELinux network labeling, service-specific subnets, internal firewalls between security zones. | Hybrid |
| 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure | TLS 1.3 for all services, encrypted message bus connections, LUKS disk encryption, encrypted backups, FIPS modules available. | Technical |
| 3.13.10 | Establish and manage cryptographic keys | Certificate authority for internal certificates, automated rotation, secure key storage, certificate lifecycle management. | Technical |
| 3.13.11 | Employ FIPS-validated cryptography | FIPS 140-2 OpenSSL modules available, configuration option for FIPS mode, validated cipher suites only. | Hybrid |
| 3.13.16 | Protect confidentiality of CUI at rest | LUKS full-disk encryption, encrypted database columns for sensitive fields, encrypted backup storage, secure key management. | Technical |
System and Information Integrity (family 3.14): Identify, report, and correct system flaws in a timely manner. Provide protection from malicious code. Monitor system security alerts and advisories.
| Control ID | Requirement | smartNOC Implementation | Coverage |
|---|---|---|---|
| 3.14.1 | Identify, report, and correct system flaws | Automated vulnerability scanning, package update notifications, Doghouse validation testing, remediation workflow via CMDB. | Technical |
| 3.14.2 | Provide protection from malicious code | Package signature validation, SELinux mandatory access control, process allow-lists via monitoring agents, behavioral anomaly detection. | Technical |
| 3.14.3 | Monitor system security alerts and advisories | Debian security mailing list integration, CVE tracking for installed packages, automated notification to security team. | Hybrid |
| 3.14.6 | Monitor organizational systems including inbound and outbound traffic | Monitoring agents track process execution and resource usage, network flow logging, message bus inspection, database query logging. | Technical |
| 3.14.7 | Identify unauthorized use of organizational systems | Anomaly detection, unauthorized process alerting, SELinux AVC denials, unusual access pattern detection by analytics engine. | Technical |
For each control, smartNOC provides automated evidence collection:
- Signed base image manifests
- CMDB role definitions
- Ansible playbook snapshots
- SELinux policy modules
- Network configuration exports
- SELinux audit logs
- Monitoring metrics and alerts
- Access logs (SSH, HTTP, database)
- Certificate issuance records
- Process execution history
- Doghouse test reports
- Vulnerability scan results
- Configuration drift detection
- Compliance check outcomes
- Remediation proof
Some 800-171 requirements are organizational in nature and require customer-defined policies. smartNOC provides the technical infrastructure to enforce these policies once defined:
- Personnel Security (PS): Background checks, security awareness training—customer HR process, enforced via CMDB role provisioning
- Physical Protection (PE): Datacenter access controls—customer or provider responsibility, tracked via CMDB asset management
- Incident Response (IR): IR plan and procedures—customer-owned document, execution supported by monitoring alerting and evidence preservation
- Risk Assessment (RA): Risk assessment methodology—customer-defined, supported by automated vulnerability data from platform
We provide templates, workflows, and integration points to streamline these organizational controls.
This page shows representative controls from key families. The complete 110-control mapping includes:
- Detailed technical implementation for each requirement
- Evidence collection mechanisms and retention periods
- Audit query examples
- Customer responsibilities and templates
- Cross-reference to CMMC and FedRAMP controls