Course Content

Module 1: Intro

01:06
1.1 Introduction
00:50
1.2 Agenda
03:58
1.3 Introduction to Material

Module 2: The Requirements

04:23
2.1 Requirements

Module 3: Access Control

02:43
3.1 AC Basic Security Requirements
06:27
3.2 AC Derived Security Requirements
06:00
3.3 AC Derived Security Requirements

Module 4: Awareness & Training

04:22
4.1 Awareness Basic and Derived Requirements

Module 5: Audit & Accountability

01:45
5.1 A and A Basic Requirements
04:42
5.2 A and A Derived Requirements

Module 6: Configuration Management

05:08
6.1 CM Basic and Derived
02:14
6.2 Maintenance Basic
02:18
6.3 Maintenance Derived

Module 7: Identification & Authentication

02:09
7.1 I and A Basic Requirements

Module 8: Incident Response

03:01
8.1 IR Basic and Derived

Module 9: Maintenance

02:14
9.1 Maintenance Basic
02:18
9.2 Maintenance Derived

Module 10: Media Protection

05:00
10.1 Media Protection

Module 11: Personnel Protection

04:07
11.1 Personnel Basic and Derived

Module 12: Physical Protection

03:47
12.1 Physical Basic and Derived Phys

Module 13: Risk Assessment

04:30
13.1 Risk Basic and Derived

Module 14: Security Assessment

03:43
14.1 Security Assessment Basic and Derived

Module 15: Systems & Communications Protection

02:21
15.1 Systems and Communications - Basic

Module 16: Systems & Information Integrity

03:49
16.1 Integrity Basic and Derived

Module 17: Review & Conclusion

04:32
17.1 Summary and Review

Course Description

In this course, Cybrary's Kelly Handerhan takes us through the fourteen families of classifications for controlled, unclassified information as defined in the NIST 800-171 standard. This standard, issued by the National Institute of Standards and Technology (NIST), governs the handling of unclassified yet sensitive information on systems in non-federal agencies. It is part of an initiative to reduce the number of unclassified information categories such as "For Official Use Only" (FOUO) and "Sensitive But Unclassified" (SBU). Keep in mind that unclassified information is not necessarily information that should be freely available to anyone who wants access. Security controls must still be in place to safeguard such information when it is outside federal infrastructure.

The audience for NIST 800-171 is developers involved in the Software Development Life Cycle (SDLC), project managers, those who procure and outsource equipment and services, risk management personnel, and anyone else in an organization who handles controlled, unclassified information (CUI). The fourteen families of classification, also known as "domains", cover the essential security controls governing the safeguarding of CUI. These controls are the very same ones that you'd encounter in other security-focused certification courses such as Security+.

Each domain has a set of requirements known as the "Basic" set, which defines the ultimate goals of the domain. The other set of requirements is known as the "Derived" set and consists of the means to implement the goals set forth in the basic set. As an example, the basic set of requirements for the "Awareness and Training" domain specifies that all users of CUI systems are made aware of the risks and policies regarding the protection of CUI. The derived requirements for "Awareness and Training" then specify the need for security awareness training for users, along with surveillance to monitor any security breaches directed against CUI. Kelly points out that though all domains have a basic set of requirements, two of them don't have a corresponding set of derived requirements. Each module in this course discusses a specific domain and its corresponding requirements, both basic and derived, as set forth in the NIST 800-171 publication.