Written by Katherine Bennett
The first of the fourteen families within the NIST 800-171 standard is Access Control. This family covers who you authorize to view or use your assets and how those users are allowed to access your systems.
Why is Access Control important?
All of us have assets that, if compromised, would result in a loss to our businesses. We also have information that we share publicly and freely. On websites and social media we share information about our mission, our staff, our products or services, and even some of our clients. But, we would never share our staff members’ social security numbers, our intellectual property, our detailed operating procedures, or our schematics in a public area where anyone and everyone can access it. Instead, we control who within our organization is authorized to view such information.
There are 22 requirements within the Access Control family, making it the largest family in the standard. The main focus of this family is to limit system access to trusted users and devices only. Some key points addressed within this family are:
Limit system access to authorized users: authorized users (employees, contractors, etc.) are assigned system accounts and system roles. Nobody without an assigned account and login credentials is allowed to access the system.
Tailor access to job role and duties: assigned system roles or permissions should mirror the job requirements of the individual. For example, if only financial personnel need to work with budget workbooks, access to those files is denied for every other job role.
Restrict access to admin functions: assign edit, modify, or administrative permissions only to the authorized users who actually make those changes; others who need the data can be given view permission instead.
Control remote access to your systems: establish requirements and restrictions for remote access, including which levels of access authorized users are permitted while they are connected remotely.
Control wireless and mobile device access to your systems: establish wireless and mobile device guidelines and restrictions, and verify and permit only trusted devices operated by authorized users.
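The five points above describe one deny-by-default access decision: no account means no access, the requested action must be granted by the user's role, privileged functions are held back from everyone else, remote sessions get a narrower set of permissions, and only a trusted device issued to that user is accepted. The following Python is an added example written for this article, not code from the original page or from NIST; the users, roles, device IDs and the rule that privileged functions are refused over remote access are all constructed for illustration.

```python
"""Deny-by-default access decision point covering the Access Control points above."""
from dataclasses import dataclass

# --- Constructed sample policy data (hypothetical organisation) ---

# Role -> set of permissions. Each role mirrors a job function (least privilege).
ROLE_PERMISSIONS = {
    "finance": {"budget:read", "budget:write"},
    "engineer": {"schematic:read", "schematic:write"},
    "reviewer": {"budget:read", "schematic:read"},          # view-only role
    "admin": {"user:create", "user:delete", "config:write"},
}

# Permissions that are administrative (privileged) functions.
PRIVILEGED_PERMISSIONS = {"user:create", "user:delete", "config:write"}

# Only users with an assigned account and role(s) can be authorized at all.
ACCOUNTS = {
    "alice": {"finance"},
    "bob": {"engineer", "reviewer"},
    "carol": {"admin"},
}

# Trusted devices and the user each one is issued to (hypothetical inventory).
TRUSTED_DEVICES = {
    "LAPTOP-001": "alice",
    "LAPTOP-002": "bob",
    "LAPTOP-003": "carol",
}

# Record of privileged function executions.
AUDIT_LOG: list[str] = []


@dataclass(frozen=True)
class Request:
    user: str
    action: str           # e.g. "budget:write"
    device_id: str
    remote: bool = False  # True when the session arrives over remote access


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(user: str) -> set[str]:
    """Union of the permissions granted by every role assigned to the user."""
    roles = ACCOUNTS.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in roles))


def authorize(req: Request) -> Decision:
    # 1. Limit system access to authorized users: no account, no access.
    if req.user not in ACCOUNTS:
        return Decision(False, "no system account")
    # 2. Permit only trusted devices, and only when operated by the user they are issued to.
    if TRUSTED_DEVICES.get(req.device_id) != req.user:
        return Decision(False, "device not trusted for this user")
    # 3. Tailor access to job role: the action must be granted by one of the user's roles.
    if req.action not in permissions_for(req.user):
        return Decision(False, "action not permitted for role")
    # 4. Control remote access: privileged functions are refused over remote sessions
    #    (an assumed policy for this example, not a requirement quoted from the standard).
    if req.action in PRIVILEGED_PERMISSIONS and req.remote:
        return Decision(False, "privileged function not permitted over remote access")
    # 5. Restrict admin functions: every privileged execution is written to the audit log.
    if req.action in PRIVILEGED_PERMISSIONS:
        AUDIT_LOG.append(f"{req.user} executed {req.action} from {req.device_id}")
    return Decision(True, "allowed")


if __name__ == "__main__":
    for r in (
        Request("alice", "budget:write", "LAPTOP-001"),
        Request("bob", "budget:write", "LAPTOP-002"),
        Request("mallory", "budget:read", "LAPTOP-001"),
        Request("alice", "budget:read", "LAPTOP-002"),
        Request("carol", "user:delete", "LAPTOP-003", remote=True),
        Request("carol", "user:delete", "LAPTOP-003"),
    ):
        print(r, "->", authorize(r))
    print("audit log:", AUDIT_LOG)
```

The order of the checks matters: identity and device are verified before any permission lookup, so an unknown user or an unregistered device never reaches the role table, and a user holding both a view-only and an admin role still cannot run admin functions from a remote session.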