NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Important
A software product, such as Compliant Kubernetes, cannot by itself be NIST SP 800-171 compliant or certified. Instead, NIST SP 800-171 sets requirements on the organization and on how it works with the software. Compliant Kubernetes can support fulfilling all NIST SP 800-171 requirements, provided that the organization has suitable policies and processes in place. For example, personnel onboarding and offboarding in HR must be tightly integrated with the Identity Provider that Compliant Kubernetes integrates with. Below we map NIST SP 800-171 requirements to Compliant Kubernetes features.
Important
This document was written based on NIST SP 800-171 Rev. 2. As of Jan 2024, Rev. 3 was in final public draft stage. Update: Rev. 3 is now available and we have created an issue to update this section accordingly when time permits.
Overview
Status | Number of requirements | % of all requirements |
---|---|---|
Fully supported | 54 | 49% |
Org-related | 50 | 45% |
Application-related | 5 | 5% |
Infra-related | 1 | 1% |
Total | 110 | 100% |
Requirements
Click on the links below to navigate the documentation by control.
NIST SP 800-171 3.1.1
NIST SP 800-171 3.1.2
NIST SP 800-171 3.1.4
NIST SP 800-171 3.1.5
NIST SP 800-171 3.1.6
NIST SP 800-171 3.1.7
NIST SP 800-171 3.1.11
NIST SP 800-171 3.1.13
NIST SP 800-171 3.1.15
NIST SP 800-171 3.1.20
NIST SP 800-171 3.3.1
NIST SP 800-171 3.3.2
NIST SP 800-171 3.3.3
NIST SP 800-171 3.3.5
NIST SP 800-171 3.3.6
NIST SP 800-171 3.3.7
NIST SP 800-171 3.4.4
NIST SP 800-171 3.4.5
NIST SP 800-171 3.4.7
NIST SP 800-171 3.4.8
NIST SP 800-171 3.4.9
NIST SP 800-171 3.5.1
NIST SP 800-171 3.5.2
NIST SP 800-171 3.5.4
NIST SP 800-171 3.5.5
NIST SP 800-171 3.5.6
NIST SP 800-171 3.6.3
NIST SP 800-171 3.7.1
NIST SP 800-171 3.7.4
NIST SP 800-171 3.7.5
NIST SP 800-171 3.11.2
NIST SP 800-171 3.12.3
NIST SP 800-171 3.12.4
NIST SP 800-171 3.13.1
NIST SP 800-171 3.13.2
NIST SP 800-171 3.13.3
NIST SP 800-171 3.13.6
NIST SP 800-171 3.13.10
NIST SP 800-171 3.13.11
NIST SP 800-171 3.13.16
NIST SP 800-171 3.14.4
NIST SP 800-171 3.14.5
NIST SP 800-171 3.14.6
NIST SP 800-171 3.14.7
Notes on Some Requirements
3.3.4
Compliant Kubernetes alerts on audit logging failures, for example when Fluentd is unable to deliver audit logs to OpenSearch.
3.3.8 and 3.3.9
Audit logs are stored in OpenSearch and are append-only: entries can be added but not modified or deleted.
3.4.1, 3.4.2 and 3.4.3
Compliant Kubernetes configuration is fully stored in Git and can benefit from Git merge requests, reviews, etc.
3.13.5
All Compliant Kubernetes environments should run inside the organization's demilitarized zone (DMZ).
3.13.15
Compliant Kubernetes uses HTTPS for all its Service endpoints.
3.13.16
Compliant Kubernetes recommends full-disk encryption at the infrastructure level.
3.14.1
Please find relevant information in Elastisys ToS 3.6 Vulnerability Management.