Long Arrow Right External Link angle-right Search Times Spinner angle-left

ThreatLocker & NIST 800-171 Rev. 2

NIST 800-171 Rev. 2 addresses the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. ThreatLocker can assist your organization when you are working towards becoming NIST 800-171 Rev. 2 compliant. ThreatLocker can be used to meet certain security requirements and can assist in meeting other requirements.

3.1 Access Control

Basic Security Requirements

  • 3.1.1 - "Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems)."
    • ThreatLocker can help enforce mechanisms at the application and service level to provide increased information security.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.1.2 - "Limit system access to the types of transactions and functions that authorized users are permitted to execute."
    • ThreatLocker can help define access privileges by account and/or type of account and restrict other attributes required for authorizing access, such as time-of-day and/or point-of-origin.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.

Derived Security Requirements

  • 3.1.3 - "Control the flow of CUI in accordance with approved authorizations." 
    • ThreatLocker can be an enforcement mechanism to control the flow of information.
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.1.4 - "Separate the duties of individuals to reduce the risk of malevolent activity without collusion."
    • ThreatLocker can prevent the risk of malevolent activity among different individuals or roles.  
    • Application Control can limit the use of applications by users to allow the use of only what is needed for their role.
    • Storage Control can limit the ability of each user’s access different types of storage only to what is strictly required for the user's role.    
  • 3.1.5 - "Employ the principle of least privilege, including for specific security functions and privileged accounts."  
    • ThreatLocker can help create the least privileged environment.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.
  • 3.1.6 - "Use non-privileged accounts or roles when accessing nonsecurity functions."
    • ThreatLocker can help implement access control policies and manage access authorizations for users.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Elevation Control can specify which applications are permitted to be run with elevated privileges, and which users can run these said applications within a designated timeframe.
  • 3.1.7 - "Prevent non-privileged users from executing privileged functions and audit the execution of such functions."
    • ThreatLocker can help protect privileged functions from non-privileged users.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
  • 3.1.11 - "Terminate (automatically) a user session after a defined condition."
    • ThreatLocker helps achieve this requirement by requiring users to set a time limit in which after a period of inactivity in the ThreatLocker Portal the session is terminated. 
  • 3.1.12 - "Monitor and control remote access sessions."
    • ThreatLocker can help monitor and control remote access sessions.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters.
  • 3.1.14 “Route remote access through managed access control points.”
    • ThreatLocker can help route remote access.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.1.15 “Authorize remote execution of privileged commands and remote access to security-relevant information.”
    • ThreatLocker can help control access and privileges.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Elevation Control can specify which applications are permitted to be run with elevated privileges, and which users can run these said applications within a designated timeframe.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.1.16 “Authorize wireless access prior to allowing such connections.”
    • ThreatLocker can help establish usage restrictions and connection requirements for wireless access.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Elevation Control can specify which applications are permitted to be run with elevated privileges, and which users can run these said applications within a designated timeframe.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.1.17 “Protect wireless access using authentication and encryption.”
    • ThreatLocker can help authenticate users and devices to protect wireless access to organizational systems.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Elevation Control can specify which applications are permitted to be run with elevated privileges, and which users can run these said applications within a designated timeframe.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.1.18 - "Control connection of mobile devices."
    • ThreatLocker can help set controls for mobile device restrictions.
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.1.20 - "Verify and control/limit connections to and use of external systems."
    • ThreatLocker can help control the use of external systems.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will block any remote access tools/applications that are not explicitly approved.
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.
  • 3.1.21 - "Limit use of portable storage devices on external systems."
    • ThreatLocker can help control the use of portable storage devices.
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 

3.3 Audit and Accountability

Basic Security Requirements

  • 3.3.1 - "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity."
    • ThreatLocker can help providing an audit log of events.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs.
  • 3.3.2 - "Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions."
    • ThreatLocker can help by linking audit events to individual users.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. It will ensure that the actions of all individual users can be traced to those users for accountability.  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. It will ensure file access of specified storage will be displayed in the Unified Audit.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It will ensure the auditing of application usage.

Derived Security Requirements

  • 3.3.3 - "Review and update audited events."
    • ThreatLocker can assist by providing a list of logged events for the organization to examine for re-evaluation. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs.
  • 3.3.5 - "Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity."
    • ThreatLocker can assist by provided a list of logged events. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. These logs are retained for 30 days by default, but organizations can extend the retention period according to compliance needs.
  • 3.3.6 - "Provide audit record reduction and report generation to support on-demand analysis and reporting."
    • ThreatLocker can support audit log analysis.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Using ThreatLocker's various filtering options in the Unified Audit, you can search for specific information. ThreatLocker also provides the ability to generate various reports. 
  • 3.3.7 - " Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records."
    • ThreatLocker can assist by providing time stamps for audit records.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. All audit logs will include a date/time stamp down to the second and will be set to the time zone of the organization. 
  • 3.3.8 - "Protect audit information and audit tools from unauthorized access, modification, and deletion."
    • ThreatLocker can help by restricting user access.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period. 
  • 3.3.9 - "Limit management of audit logging functionality to a subset of privileged users."
    • ThreatLocker can help by inhibiting the ability to modify logged events within a specified period.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Only administrators on your ThreatLocker account can view any of the audit logs in ThreatLocker. You can limit the privileges of administrators on your ThreatLocker account to prevent them from viewing the audit if desired. You can lock ThreatLocker staff out of your account as well. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period. 

3.4 Configuration Management

Basic Security Requirements

  • 3.4.1 - "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
    • ThreatLocker can assist by taking inventory of and baselining organizational systems.
    • Every machine running ThreatLocker will be baselined. During the baselining process, ThreatLocker will catalog each application found on the machine(s), including the OS version and build. 
    • Utilizing the Application Control policy and application lists, you can view all software installed and control what can run in your environment.  
  • 3.4.2 - "Establish and enforce security configuration settings for information technology products employed in organizational systems."
    • ThreatLocker can help create and execute security configuration settings.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.

Derived Security Requirements

  • 3.4.5 - "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems."
    • ThreatLocker can help manage priviledged access rights.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
  • 3.4.6 - "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
    • ThreatLocker can help limit component functionality.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc). 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.4.7 - "Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services."
    • ThreatLocker can assist restict the use of nonessential software.  
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc). 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.4.8 - "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software."
    • ThreatLocker can assist with Application Allowlisting. 
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It gives you the ability to deny all and permit by exception, creating a true whitelist.   
  • 3.4.9 - "Control and monitor user-installed software."
    • ThreatLocker can help contol user-installed software.  
    • Application Control can restrict what applications can run in your environment, who can use them, and when. It provides the ability to control and monitor all software installed in your environment. No user can install software unless you have permitted it. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. It will provide a log of all software that is installed or attempted to be installed.

3.5 Identification and Authentication

Basic Security Requirements

  • 3.5.1 - "Identify system users, processes acting on behalf of users, and devices."
    • ThreatLocker can assist identifing which user/device processed an action.  
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. Through the Unified Audit, you can track what actions are run, by which user or system account, and provide visibility of what processes are run and on which device they occurred. 

3.7 Maintenance

Basic Security Requirements

  • 3.7.2 - "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance."
    • ThreatLocker can assist in meeting the control for this practice.  
    • Application Control can restrict what applications can run in your environment, who can use them, and when.
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc). 
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 

Derived Security Requirements

  • 3.7.6 - "Supervise the maintenance activities of personnel without required access authorization."
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. This way, administrators can offer restricicted elevated permissions on a case by case basis.

3.8 Media Protection

  • 3.8.7 - "Control the use of removable media on system components." 
    • ThreatLocker can help employ technical controls to limit the use of portable storage devices.  
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
  • 3.8.8 - "Prohibit the use of portable storage devices when such devices have no identifiable owner."
    • ThreatLocker can help restrict the use of portable storage devices.  
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths.

3.11 Risk Assessment

Derived Security Requirements

  • 3.11.3 - "Remediate vulnerabilities in accordance with risk assessments."
    • ThreatLocker can be assist with remediating identified vulnerabilities.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.

3.13 System and Communications Protection

Derived Security Requirements

  • 3.13.4 - "Prevent unauthorized and unintended information transfer via shared system resources."
    • ThreatLocker can help control access to information in shared system resources.
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. Using Storage Control, you can prevent unauthorized information transfer via shared system resources by creating policies to only allow specific applications and or users to access specific files, folders, or file types.  
  • 3.13.6 - "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
    • ThreatLocker can assist by controling inbound network traffic. 
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.
  • 3.13.9 - "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity."
    • ThreatLocker can help control of inbound traffic and terminate inactive network connections.
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection. Once a connection is authenticated, the connection will remain open for 5 minutes. Every minute, the authentication is checked again, and once it can no longer be authenticated, the connection closes in 5 minutes. 
  • 3.13.16 - "Protect the confidentiality of CUI at rest."
    • ThreatLocker can assist restrict access to information.
    • Storage Control allows you to customize whether a user or device can access different types of storage such as USB drives, network shares, and local folders. 
    • The Unified Audit will log only the file names and directory where they are located; there is no visibility of the file contents, protecting the confidentiality of the data within the ThreatLocker Portal

3.14 System and Information Integrity

Basic Security Requirements

  • 3.14.1 - "Identify, report, and correct system flaws in a timely manner."
    • ThreatLocker can help identify and log vulnerabilities. Additionally, ThreatLocker can be configured to correct identified vulnerablilities.
    • ThreatLocker Ops is a comprehensive threat detection and behavior monitoring tool which can be used to set intrusion detection parameters. Once parameters are set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met.
  • 3.14.2 - "Provide protection from malicious code at designated locations within organizational systems." 
    • ThreatLocker can help ensure that software does not perform functions other than intended.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • Network Access Controls allows total control of inbound traffic based on IP addresses, specific key words, and/or objects to your protected devices between a server and client connection.

Derived Security Requirements

  • 3.14.6 - "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks."
    • ThreatLocker can help provide audit records to use while monitoring.
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. 
  • 3.14.7 - "Identify unauthorized use of organizational systems."
    • ThreatLocker can help prevent unauthorized use of organizational systems and provide a log of access or attempted access to files and systems secured by ThreatLocker.
    • Application Control can restrict what applications can run in your environment, who can use them, and when. 
    • Ringfencing allows you the ability to specify what an application can interact with (i.e., other applications, your files, the internet, the registry, etc).  
    • Storage Control allows you to customize whether a user can access different types of storage such as USB drives, network shares, and local folders. Additionally, you can configure Storage Control to only allow specific interfaces to access particular file paths. 
    • The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured.