NIST SP 800-171 Revision 2 in Security Hub
NIST Special Publication 800-171 Revision 2 (NIST SP 800-171 Rev. 2) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information in systems and organizations that aren't part of the U.S. federal government. Controlled Unclassified Information, also referred to as CUI, is sensitive information that doesn't meet government criteria for classification but must be protected. It's information that is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government.
NIST SP 800-171 Rev. 2 provides recommended security requirements for protecting the confidentiality of CUI when:
-
The information resides in non-federal systems and organizations,
-
The non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and
-
There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
The requirements apply to all components of non-federal systems and organizations that
process, store, or transmit CUI, or provide security protection for the components. For more
information, see NIST SP 800-171 Rev. 2
Amazon Security Hub provides security controls that support a subset of NIST SP 800-171 Revision 2 requirements. The controls perform automated security checks for certain Amazon Web Services services and resources. To enable and manage these controls, you can enable the NIST SP 800-171 Revision 2 framework as a standard in Security Hub. Note that the controls don't support NIST SP 800-171 Revision 2 requirements that require manual checks.
Topics
Configuring resource recording for controls that apply to the standard
To optimize coverage and the accuracy of findings, it's important to enable and configure resource recording in Amazon Config before you enable the NIST SP 800-171 Revision 2 standard in Amazon Security Hub. When you configure resource recording, also be sure to enable it for all the types of Amazon resources that are checked by controls that apply to the standard. Otherwise, Security Hub might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard.
For information about how Security Hub uses resource recording in Amazon Config, see Enabling and configuring Amazon Config for Security Hub. For information about configuring resource recording in Amazon Config, see Working with the configuration recorder in the Amazon Config Developer Guide.
The following table specifies the types of resources to record for controls that apply to the NIST SP 800-171 Revision 2 standard in Security Hub.
| Amazon Web Services service | Resource types |
|---|---|
| Amazon Certificate Manager (ACM) |
|
| Amazon API Gateway |
|
| Amazon CloudFront |
|
| Amazon CloudWatch |
|
| Amazon Elastic Compute Cloud (Amazon EC2) |
|
| Elastic Load Balancing |
|
| Amazon Identity and Access Management (IAM) |
|
| Amazon Key Management Service (Amazon KMS) |
|
| Amazon Network Firewall |
|
| Amazon Simple Storage Service (Amazon S3) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Systems Manager (SSM) |
|
| Amazon WAF |
|
Determining which controls apply to the standard
The following list specifies the controls that support NIST SP 800-171 Revision 2 requirements and apply to the NIST SP 800-171 Revision 2 standard in Amazon Security Hub. For details about specific requirements that a control supports, choose the control. Then refer to the Related requirements field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
-
[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
-
[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
-
[CloudTrail.2] CloudTrail should have encryption at-rest enabled
-
[CloudTrail.3] At least one CloudTrail trail should be enabled
-
[CloudTrail.4] CloudTrail log file validation should be enabled
-
[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user
-
[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls
-
[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes
-
[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes
-
[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes
-
[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes
-
[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes
-
[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways
-
[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes
-
[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes
-
[CloudWatch.15] CloudWatch alarms should have specified actions configured
-
[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22
-
[EC2.16] Unused Network Access Control Lists should be removed
-
[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
-
[EC2.19] Security groups should not allow unrestricted access to ports with high risk
-
[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up
-
[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
-
[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
-
[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
-
[IAM.1] IAM policies should not allow full "*" administrative privileges
-
[IAM.7] Password policies for IAM users should have strong configurations
-
[IAM.10] Password policies for IAM users should have strong configurations
-
[IAM.11] Ensure IAM password policy requires at least one uppercase letter
-
[IAM.12] Ensure IAM password policy requires at least one lowercase letter
-
[IAM.13] Ensure IAM password policy requires at least one symbol
-
[IAM.14] Ensure IAM password policy requires at least one number
-
[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater
-
[IAM.17] Ensure IAM password policy expires passwords within 90 days or less
-
[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support
-
[IAM.22] IAM user credentials unused for 45 days should be removed
-
[NetworkFirewall.2] Network Firewall logging should be enabled
-
[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
-
[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty
-
[S3.5] S3 general purpose buckets should require requests to use SSL
-
[S3.9] S3 general purpose buckets should have server access logging enabled
-
[S3.11] S3 general purpose buckets should have event notifications enabled
-
[S3.14] S3 general purpose buckets should have versioning enabled
-
[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys
-
[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS
-
[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled