Draft NIST 800-171 baseline for RHEL7

Initial guidance on configuring RHEL7 against NIST 800-171/CUI has been developed. Below is a short(ish) background on NIST 800-171/Controlled Unclassified Information, sample security compliance guides and reports, and how you can give feedback (or participate!) on this work.


In 2010 President Obama signed Executive Order 13556 “Controlled Unclassified Information.” The order established “a program for managing all unclassified information in the Executive branch that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.”

The intent was noble: protect non-classified but sensitive data. A “CUI Registry” of categories and subcategories of CUI systems can be found at the National Archives. A surprising amount of industries and data types are effected. The formal definition of CUI systems has been provided by NIST:

Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.

These range from the expected areas, such as personally identifiable information (PII), transportation data (e.g. airlines),  and legal data (e.g. court records), to lesser expected areas like bank records and sales data of ammonium nitrate. To make a very broad (mostly accurate) statement: any kind of data that has anything to do with government is covered.

The 2010 executive order was well intentioned, however telling everyone to “protect their data” without giving specifics is of limited utility. Executive Order 13556 was left largely ignored — CIOs, CTOs, and CISOs had bigger problems. The churn of FISMA compliance is a good example.

Fast forward to June 2015 and NIST provides clarity on processes and relevant security controls for CUI. They release “NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” For government and defense contractors NIST 800-171 maps security controls back to NIST 800-83. For commercial/industry systems mappings back to ISO/IEC 27001 are provided. For example:

This mapping is extremely useful. Government industries are familiar with NIST 800-53; it’s the foundation for FISMA and vertical specific baselines such as the DoD STIG. System owners can take known baselines, such as DoD STIG, and compare with the technical control set provided in NIST 800-171. Implement the differences (if any), and we’re in compliance!


Given the broad government and commercial applicability of NIST 800-171/CUI, we want to ensure RHEL has the ability to be configured in compliance with the requirements. By developing a profile in OpenSCAP/SCAP Security Guide we can provide automation content that:

  • Translates high-level controls, e.g. “must have secure passwords,” into specific and actionable RHEL7 configuration steps;
  • Provides authoritative pass/fail automation content to generate compliance reports;
  • Integrates into the RHEL7 installer to provide ‘easy button’ installations against CUI controls;
  • Starts a community to further develop and mature the RHEL7 baseline for CUI.

Earlier this week initial content was merged into the upstream SCAP Security Guide project. The initial patch kicks things off by mapping specific configuration actions to NIST 800-171, groups the actions into a logical profile, and provides security automation content to generate pass/fail reports.

With this patch set we were able to generate the following:

  1. Sample compliance report.Note: when reviewing the report, under the “Rule Overview” section, you will see a “Group rules by” drop-down menu. Select the URL that ends in “….NIST.SP.800-171.pdf” as shown below:
    Once selected, the compliance report will reorganize itself and list results by specific NIST 800-171 controls. It’s expected this will be particularly useful to demonstrate compliance against the controls. For example:
  2. Initial NIST 800-171/CUI Configuration Guide. This guide documents relevant configuration settings, and where possible, includes information about the control, rationale on applicability, and a remediation script. For example:
  3. Table that maps NIST 800-171 requirements to specific configuration actions. In the government space, this can be used as a “Requirements Traceability Matrix” for NIST 800-171. For example:Note that two configuration rules map to “NIST 800-171 Section 3.13.11.” In many cases multiple configuration steps are needed to satisfy a single control.

Development work for the RHEL7 NIST 800-171 profile is occurring in the SCAP Security Guide project (https://github.com/OpenSCAP/scap-security-guide). Take a look at the sample reports, guides, and policy mapping tables. Give feedback by opening a ticket or collaborating with us on the SCAP Security Guide mailing list. Developers and users also hangout on #openscap on IRC (freenode).

If you’re interested in compiling the latest code, refer to the Building From Source guide.

Moving forward, once the configuration baseline has matured, the upstream work will be packaged in RHEL for world-wide usage!

Leave a Reply

Your email address will not be published. Required fields are marked *