NIST SP 800-171 Family: Access Control

Don’t gamble with your business’s security by waiting for a cyberattack to strike. Take proactive steps now! Access our invaluable checklist, packed with essential insights and actionable steps to fortify your business system against external threats.

Downloadable Checklist Here

Introduction to Access Control

Access Control (AC), a family of controls in the NIST SP 800-171 program, consists of multiple ways to secure controlled unclassified information (CUI) in a business system by way of controlling access to business assets physically and virtually according to the business model. 

Below is a list of AC controls which represent a focus on safeguarding federal contract information (FCI) and securing CUI. Although the AC controls were originally conceived to accomplish proper security of FCI and CUI, any kind of assets or data can be effectively secured by these controls.

  • 3.1.1 Authorized Access Control 
  • 3.1.10 Session Lock 
  • 3.1.11 Session Termination 
  • 3.1.2 Transaction and Function Control
  • 3.1.20 External Connections 
  • 3.1.22 Control Public Information 
  • 3.1.3 Control CUI Flow
  • 3.1.4 Separation of Duties 
  • 3.1.5 Least Privilege 
  • 3.1.6 Non-Privileged Account Use
  • 3.1.7 Privileged Functions
  • 3.1.8 Unsuccessful Logon Attempts
  • 3.1.9 Privacy and Security Notices

 Failing to implement crucial access control measures can have severe consequences, as evidenced by recent security breaches at Caesars Entertainment and Forever 21. controls such as Authorized Access Control (3.1.1), External Connections (3.1.20), and Session Termination (3.1.11) are essential in securing business systems that rely on external connections.

Caesars Entertainment experienced a preventable incident where phishing scams granted attackers authentication credentials to access the customer loyalty database (1), This incident highlighted a failure to properly implement the External Connections (3.1.20) requirement, resulting in a significant loss of $15 MM (2).

Forever 21 faced repeated unauthorized access from an external system over several months, leading to the exposure of sensitive personal information belonging to over half a million employees (3). Proper implementation of the Authorized Access Control (3.1.1) and Session Termination (3.1.11) controls could have prevented or mitigated this breach by enforcing access control policies and restricting suspicious external connections.

Do not wait for a cyberattack to begin building your defenses. Below is a checklist providing helpful information that can be followed to help better protect a business system from threats when dealing with external systems.

All About the Data Compliance Solutions offers a comprehensive, accurate, and user-friendly digital security platform that provides Governance as a Service (GaaS) to guide companies and contractors in their compliance journey. The platform is designed to streamline cybersecurity efforts, making the process easier and achievable.


  2. Caesars paid millions in ransom to cybercrime group prior to MGM hack (
  3. Forever 21 data breach: hackers accessed info of 500,000 (

*If you don’t receive your checklist shortly, check your spam folder*