Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
ac-17 |
remote access |
|||
|
assessment objective: Determine if the organization: |
|||
ac-17(a) |
ac-17(a)[1] |
identifies the types of remote access allowed to the information system; |
||
ac-17(a)[2] |
establishes for each type of remote access allowed: |
|||
ac-17(a)[2][a] |
usage restrictions; |
|||
ac-17(a)[2][b] |
configuration/connection requirements; |
|||
ac-17(a)[2][c] |
implementation guidance; |
|||
ac-17(a)[3] |
documents for each type of remote access allowed: |
|||
ac-17(a)[3][a] |
usage restrictions; |
|||
ac-17(a)[3][b] |
configuration/connection requirements; |
|||
ac-17(a)[3][c] |
implementation guidance; and |
|||
ac-17(b) |
authorizes remote access to the information system prior to allowing such connections. |
|||
potential assessment methods and objects: Examine: [select from: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; information system configuration settings and associated documentation; remote access authorizations; information system audit records; other relevant documents or records]. Interview: [select from: Organizational personnel with responsibilities for managing remote access connections; system/network administrators; organizational personnel with information security responsibilities]. Test: [select from: Remote access management capability for the information system]. |
||||
