List of NIST access control requirements

Ayush Saxena

Ayush Saxena

Apr 06, 2024

Ensuring adequate security of information systems is a fundamental management responsibility for every organization. Every organization that deals with financial, safety, privacy, or defense implements some form of access (authorization) control. 

Although some systems grant complete access after successful authentication of the user, most systems nowadays require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control also considers how authorizations are structured. 

In certain cases, authorization may mirror the structure of the company, while in others, it may depend on the sensitivity level of various documents i.e according to the clearance level of the user accessing those documents.

How are access controls related to NIST? What are the requirements laid down by NIST with respect to access controls? Why are NIST access controls required? What are the best practices to implement NIST access controls? This article answers all these questions.

What are NIST access controls?

NIST access controls are a set of processes and/or procedures, generally automated, which enables access to a controlled area or allows control of information in accordance with pre-established policies and rules laid down by National Institute of Standards and Technology (NIST).

Access Control regulates access to Controlled Unclassified Information (CUI) and the systems and networks that store or process CUI are limited, defined, and controlled. To ensure the appropriate level of access to information, this family governs:

  • Who has access to the organization’s scoped environment 
  • Methods used to  access the scoped environment (phone, VPN, wireless, etc.)
  • Defines role-based access. 

Access control works to monitor and limit access to secure systems, assets, and services. The rules that govern this access must be defined with specific procedures and policies that, in synchronicity with appropriate technical implementations, create and implement a comprehensive access control system. 

Why are NIST access controls required?

NIST access controls are required to ensure the right personnel are authorized to access the right resources at the right time, and is mandatory for federal agencies to fulfill the requirements of the FISMA.

Identity and Access Management is a critical and fundamental cybersecurity capability. Simply put, with its focus on applied and foundational research and standards, NIST seeks to ensure the right personnel are authorized to access the right resources at the right time.

Access controls safeguard information systems against a range of risks. They provide security and privacy controls to protect the privacy of users as well as safeguard the ongoing operation of information systems. 

Implementation of access controls under NIST is mandatory for federal agencies to fulfill the requirements of the FISMA or Federal Information Security Modernization Act. 

Access controls are tailored to achieve a consistent level of security across federal information systems. These controls strengthen the integrity of information systems when properly implemented and protect user data from being stolen.

List of NIST access control requirements

Access Control under NIST 800-171 Compliance are constituted by 2 Basic Requirements and 20 Derived Requirements.

Let us take a look at the specific requirements to achieve NIST 800-171 and adequate access controls needed for the same.

NIST Access Control Basic Security Requirements

The Basic Requirements for each NIST SP 800-171 Requirement Family establishes its overall focus or aim. All Families constitute at least one. The first Family under access control comprises two:

  • 3.1.1 – Limit access to systems to only authorized users, devices, or processes.
  • 3.1.2 – Limit access to systems to only applications that authorized users may execute.

NIST SP 800-171 is a flexible framework with various methods for satisfying them. Best practices for these two include role-based or access-based policies for 3.1.1 and various definitional choices for access privileges for 3.1.2. Implementing robust identity and access management (IAM), in addition to Derived Requirements, can meet or exceed these requirements.

Want to place access controls and define role-based across the org and at the entity level, all from a single dashboard. Get in touch with us now!

NIST Access Control Derived Security Requirements

Derived Security Requirements are part of most NIST SP 800-171 Families, which break down more complex and specific controls companies should implement. With 20 Derived Requirements, Access Control constitutes the most robust family. These requirements are as follows:

  • 3.1.3 – Flow of Controlled Unclassified Information (CUI) is controlled through approval.
  • 3.1.4 – To avoid harmful, non-collusive actions, logically separate individuals’ duties.
  • 3.1.5 – For all accounts, employ the “least privilege” principle (including privileged ones).
  • 3.1.6 – For all functions that do not need privileges, utilize non-privileged accounts.
  • 3.1.7 – Users without privileges should be prevented from executing privileged functions; capture any non-privileged execution in security audit logs of privileged functions.
  • 3.1.8 – The user’s attempts to log in unsuccessfully should be limited.
  • 3.1.9 – Notify stakeholders of security and privacy rights as per applicable CUI rules.
  • 3.1.10 – Utilize pattern-hiding displays and session locks after periods of inactivity.
  • 3.1.11 – Define certain conditions upon which access sessions are terminated automatically.
  • 3.1.12 –  Tightly control and closely monitor all access sessions conducted remotely.
  • 3.1.13 – Safeguard the confidentiality of remote access sessions by utilizing cryptographic keys.
  • 3.1.14 – Access control points should be utilized to route all remote access sessions.
  • 3.1.15 – Authorize all remote access of privileged commands and security-relevant data.
  • 3.1.16 – Before enabling wireless connections, authorize all wireless access privileges.
  • 3.1.17 – Utilize encryption and authentication to safeguard all wireless access sessions.
  • 3.1.18 – All mobile device connections to networks should be controlled, containing sensitive data.
  • 3.1.19 – Encrypt all CUI for processing on any computing platform or mobile device.
  • 3.1.20 –  Control and verify the variety and amount of connections to external systems.
  • 3.1.21 – The overall usage of all portable devices should be limited that are connected to external systems.
  • 3.1.22 – Tightly control all processing or posting of CUI on publicly accessible systems.

NIST access and security control best practices

The latest version of NIST access controls, which is a significant step forward, shares cybersecurity guidance on the framework’s next generation. Organizations can use these guidelines to strengthen their cybersecurity posture.

The guidelines and best practices for NIST access controls are:

Making the security and access controls more result-oriented 

The earlier versions of NIST were more organization-based i.e., framing controls as per responsibility and focusing on longer-term and broader effects on the organization, prescribing a specific entity or mechanism for satisfying the controls. The latest revision shifts the focus towards “control objectives”. It focuses on measuring and evaluating results and describing the outcome of the control.

For example, Privileged Access Management for user accounts, with Multi-Factor Authentication (MFA) reduces unauthorized access. The outcome evaluated would be the reduction in the successful number of unauthorized login attempts.

Fully integrating privacy and access controls into the security control catalog. 

A consolidated and unified set of controls must be created for organizations and information systems, while mapping tables and providing a summary for privacy-related controls.

Segregating the control selection process from the actual controls. 

Organizations can ensure that their security controls, by separating these two stages, such as MFA, Privileged Access Management, and others, are tailored to their specific needs. It enables for a more risk-based and flexible approach to security, allowing companies to focus on controls that significantly impact their security posture while aligning with their unique business and risk appetite goals.

Periodic reviews and updates of security and access controls.

Adapt to evolving threats and changes with periodic reviews and updates of security controls in the organization’s environment. This adaptation occurs without repeating the entire control selection process again. It promotes responsiveness and agility in maintaining an effective cybersecurity posture.

How do NIST access controls map to CMMC access controls?

Companies will soon need to adopt the Cybersecurity Model Maturity Certification (CMMC) framework that is currently compliant with NIST and DFARS regulations. The CMMC compiles controls from NIST SP 800-171, DFARS, and other regulations into a unified, streamlined system. It allows for a gradual implementation of its 171 Practices across its five Maturity Levels.

With the first one titled Access Control (AC), the CMMC has 17 Domains that correspond to NIST’s Requirement Families. The AC Controls across CMMC Maturity Levels are:

  • CMMC Level 1 AC – Four AC controls make up the “basic cyber hygiene,” in conjunction with the other 13 Level 1 Practices—All processes should be implemented but not measured.
  • CMMC Level 2 AC – Ten AC controls make up the “intermediate cyber hygiene,” in conjunction with the other 45 Level 2 Practices—all processes should be formally documented.
  • CMMC Level 3 AC – Eight AC controls make up the “good cyber hygiene,” in conjunction with the other 50 Level 3 Practices—all processes should be managed actively.
  • CMMC Level 4 AC – Three AC controls make up the “proactive” security, in conjunction with the other 23 Level 4 Practices—All processes should be regularly reviewed.
  • CMMC Level 5 AC – One AC control makes up the “advanced / progressive” security, in conjunction with the other 14 Level 5 Practices—all Processes should be optimized.

The 26 AC controls in CMMC correlate to 22 controls under NIST, while offering additional safeguards for advanced persistent threats (APTs). 


Whether you are a federal agency or a private organization, NIST 800-53 controls families play a critical role in fortifying your cybersecurity defenses and safeguarding your sensitive assets.  These controls establish a comprehensive security framework, ranging from access control to incident response. 

With over 1189 staggering individual controls, getting NIST compliant can prove to be a daunting task.

Enter Sprinto!

Sprinto leverages the power of compliance automation to create and implement security access controls– all in real-time, all from a single dashboard. navigate your way through NIST compliance with Sprinto and make your compliance journey smoother than ever!

Get in touch with us today!


What are the three 3 types of access control?

There are 3 types of Access Control:

  • Discretionary Access Control (DAC)
  • Attribute-Based Access Control (ABAC)
  • Role-Based Access Control (RBAC)

What is NIST and examples of controls?

NIST controls are often used to enhance an organization’s information security standards, cybersecurity framework, and risk posture. For instance, federal agencies are required to adhere to NIST 800-53. However, private organizations can improve their security posture by using the risk management framework in their security program.

How many NIST controls are there?

The NIST control families, aggregating to a staggering 1189 individual controls, are tailored to provide a granular approach to system security, ensuring companies can effectively assess as well as address their unique risks.

What are the 7 categories of access control?

The seven main categories of access control are directive, compensating, deterrent, corrective, detective, and recovery.

Ayush Saxena

Ayush Saxena

Ayush Saxena is a senior security and compliance writer. Ayush is fascinated by the world of hacking and cybersecurity. He specializes in curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights. You can find him hiking, travelling or listening to music in his free time.

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.