NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Important
A software product, such as Welkin, cannot by itself be NIST SP 800-171 conformant or certified. Instead, NIST SP 800-171 sets requirements on the organization and how it works with the software. Welkin can support fulfilling all NIST SP 800-171 requirements, provided that the organization has suitable policies and processes in place. For example, a tight integration needs to exist between the onboarding and offboarding of personnel in HR and the Identity Provider that integrates with Welkin. Below we map NIST SP 800-171 requirements to Welkin features.
Important
This document was written based on NIST SP 800-171 Rev. 2. As of Jan 2024, Rev. 3 was in final public draft stage. Update: Rev. 3 is now available and we have created an issue to update this section accordingly when time permits.
Overview
Status | Number of requirements | % of all requirements |
---|---|---|
Fully supported | 54 | 49% |
Org-related | 50 | 45% |
Application-related | 5 | 5% |
Infra-related | 1 | 1% |
Total | 110 | 100% |
Requirements
Click on the links below to navigate the documentation by control.
NIST SP 800-171 3.1.1
NIST SP 800-171 3.1.2
NIST SP 800-171 3.1.4
NIST SP 800-171 3.1.5
NIST SP 800-171 3.1.6
NIST SP 800-171 3.1.7
NIST SP 800-171 3.1.11
NIST SP 800-171 3.1.13
NIST SP 800-171 3.1.15
NIST SP 800-171 3.1.20
NIST SP 800-171 3.3.1
NIST SP 800-171 3.3.2
NIST SP 800-171 3.3.3
NIST SP 800-171 3.3.5
NIST SP 800-171 3.3.6
NIST SP 800-171 3.3.7
NIST SP 800-171 3.4.4
NIST SP 800-171 3.4.5
NIST SP 800-171 3.4.7
NIST SP 800-171 3.4.8
NIST SP 800-171 3.4.9
NIST SP 800-171 3.5.1
NIST SP 800-171 3.5.2
NIST SP 800-171 3.5.4
NIST SP 800-171 3.5.5
NIST SP 800-171 3.5.6
NIST SP 800-171 3.6.3
NIST SP 800-171 3.7.1
NIST SP 800-171 3.7.4
NIST SP 800-171 3.7.5
NIST SP 800-171 3.11.2
NIST SP 800-171 3.12.3
NIST SP 800-171 3.12.4
NIST SP 800-171 3.13.1
NIST SP 800-171 3.13.2
NIST SP 800-171 3.13.3
NIST SP 800-171 3.13.6
NIST SP 800-171 3.13.10
NIST SP 800-171 3.13.11
NIST SP 800-171 3.13.16
NIST SP 800-171 3.14.4
NIST SP 800-171 3.14.5
NIST SP 800-171 3.14.6
NIST SP 800-171 3.14.7
Notes on Some Requirements
3.3.4
Welkin raises alerts, e.g., if Fluentd is unable to deliver audit logs to OpenSearch.
3.3.8 and 3.3.9
Audit logs are stored in OpenSearch and are write-only.
3.4.1, 3.4.2 and 3.4.3
Welkin configuration is fully stored in Git and can benefit from Git merge requests, reviews, etc.
3.13.5
All Welkin environments should run inside the organization's demilitarized zone (DMZ).
3.13.15
Welkin uses HTTPS for all its Service endpoints.
3.13.16
Welkin recommends full-disk encryption at the infrastructure level.
3.14.1
Please find relevant information in Elastisys ToS 3.6 Vulnerability Management.