NIST SP 800-171 Rev. 3 — Control Crosswalk
Maps each NIST 800-171 R3 control to the Aulendur policy/standard/procedure that implements it. Updated as documents are authored.
Status values: Covered (Full) | Covered (Partial) | Not Yet Covered
03.01 — Access Control
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.01.01 |
Account Management |
AUL-POL-15, AUL-POL-16 |
Covered (Partial) |
| 03.01.02 |
Access Enforcement |
AUL-POL-15 |
Covered (Full) |
| 03.01.03 |
Information Flow Enforcement |
AUL-POL-29, AUL-POL-33 |
Not Yet Covered |
| 03.01.04 |
Separation of Duties |
AUL-POL-02, AUL-POL-15, AUL-POL-19 |
Covered (Full) |
| 03.01.05 |
Least Privilege |
AUL-POL-15, AUL-POL-19 |
Covered (Partial) |
| 03.01.06 |
Least Privilege — Privileged Accounts |
AUL-POL-19 |
Not Yet Covered |
| 03.01.07 |
Least Privilege — Privileged Functions |
AUL-POL-19 |
Not Yet Covered |
| 03.01.08 |
Unsuccessful Logon Attempts |
AUL-POL-16, AUL-STD-04 |
Not Yet Covered |
| 03.01.09 |
System Use Notification |
AUL-POL-05 |
Covered (Full) |
| 03.01.10 |
Device Lock |
AUL-POL-30 |
Not Yet Covered |
| 03.01.11 |
Session Termination |
AUL-POL-16 |
Not Yet Covered |
| 03.01.12 |
Remote Access |
AUL-POL-20 |
Not Yet Covered |
| 03.01.16 |
Wireless Access |
AUL-POL-35 |
Not Yet Covered |
| 03.01.18 |
Access Control for Mobile Devices |
AUL-POL-31 |
Not Yet Covered |
| 03.01.20 |
Use of External Systems |
AUL-POL-05, AUL-POL-33 |
Covered (Partial) |
| 03.01.22 |
Publicly Accessible Content |
AUL-POL-04, AUL-POL-72 |
Covered (Partial) |
03.02 — Awareness and Training
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.02.01 |
Literacy Training and Awareness |
AUL-POL-10 |
Covered (Full) |
| 03.02.02 |
Role-Based Training |
AUL-POL-10 |
Covered (Full) |
| 03.02.03 |
Insider Threat Awareness |
AUL-POL-10, AUL-POL-14 |
Covered (Full) |
03.03 — Audit and Accountability
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.03.01 |
Event Logging |
AUL-POL-40, AUL-STD-02 |
Not Yet Covered |
| 03.03.02 |
Audit Record Content |
AUL-POL-41, AUL-STD-02 |
Not Yet Covered |
| 03.03.03 |
Audit Record Generation |
AUL-POL-41 |
Not Yet Covered |
| 03.03.04 |
Response to Audit Logging Process Failures |
AUL-POL-40 |
Not Yet Covered |
| 03.03.05 |
Audit Record Review, Analysis, and Reporting |
AUL-POL-41 |
Not Yet Covered |
| 03.03.06 |
Audit Record Reduction and Report Generation |
AUL-POL-41 |
Not Yet Covered |
| 03.03.07 |
Time Stamps |
AUL-POL-40, AUL-STD-02 |
Not Yet Covered |
| 03.03.08 |
Protection of Audit Information |
AUL-POL-41 |
Not Yet Covered |
03.04 — Configuration Management
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.04.01 |
Baseline Configuration |
AUL-POL-36, AUL-PLN-08 |
Not Yet Covered |
| 03.04.02 |
Configuration Settings |
AUL-POL-32, AUL-STD-03 |
Not Yet Covered |
| 03.04.03 |
Configuration Change Control |
AUL-POL-37 |
Not Yet Covered |
| 03.04.04 |
Impact Analyses |
AUL-POL-37 |
Not Yet Covered |
| 03.04.05 |
Access Restrictions for Change |
AUL-POL-37, AUL-POL-19 |
Not Yet Covered |
| 03.04.06 |
Least Functionality |
AUL-POL-32 |
Not Yet Covered |
| 03.04.08 |
Authorized Software |
AUL-POL-39, AUL-POL-79 |
Not Yet Covered |
| 03.04.10 |
System Component Inventory |
AUL-POL-39 |
Not Yet Covered |
| 03.04.11 |
Information Location |
AUL-POL-04 |
Covered (Full) |
| 03.04.12 |
System and Component Configuration for High-Risk Areas |
AUL-POL-13 |
Covered (Full) |
03.05 — Identification and Authentication
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.05.01 |
User Identification and Authentication |
AUL-POL-16 |
Not Yet Covered |
| 03.05.02 |
Device Identification and Authentication |
AUL-POL-16, AUL-POL-30 |
Not Yet Covered |
| 03.05.03 |
Multi-Factor Authentication |
AUL-POL-18, AUL-STD-05 |
Not Yet Covered |
| 03.05.04 |
Replay-Resistant Authentication |
AUL-POL-18 |
Not Yet Covered |
| 03.05.05 |
Identifier Management |
AUL-POL-16 |
Not Yet Covered |
| 03.05.07 |
Password Management |
AUL-POL-17, AUL-STD-04 |
Not Yet Covered |
| 03.05.11 |
Authentication Feedback |
AUL-POL-16 |
Not Yet Covered |
| 03.05.12 |
Authenticator Management |
AUL-POL-17 |
Not Yet Covered |
03.06 — Incident Response
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.06.01 |
Incident Handling |
AUL-POL-59, AUL-PLN-02 |
Not Yet Covered |
| 03.06.02 |
Incident Monitoring |
AUL-POL-59, AUL-POL-40 |
Not Yet Covered |
| 03.06.03 |
Incident Reporting |
AUL-POL-60, AUL-SOP-05 |
Not Yet Covered |
| 03.06.04 |
Incident Response Testing |
AUL-PLN-02 |
Not Yet Covered |
| 03.06.05 |
Incident Response Training |
AUL-POL-10, AUL-POL-59 |
Covered (Partial) |
03.07 — Maintenance
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.07.04 |
Nonlocal Maintenance |
AUL-POL-20, AUL-POL-32 |
Not Yet Covered |
| 03.07.05 |
Maintenance Personnel |
AUL-POL-08, AUL-POL-32 |
Covered (Partial) |
| 03.07.06 |
Timely Maintenance |
AUL-POL-38 |
Not Yet Covered |
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.08.01 |
Media Storage |
AUL-POL-04, AUL-POL-11 |
Covered (Full) |
| 03.08.02 |
Media Access |
AUL-POL-04, AUL-POL-11 |
Covered (Full) |
| 03.08.03 |
Media Sanitization |
AUL-POL-25 |
Not Yet Covered |
| 03.08.04 |
Media Marking |
AUL-POL-04, AUL-POL-23, AUL-STD-07 |
Covered (Partial) |
| 03.08.05 |
Media Transport |
AUL-POL-23 |
Not Yet Covered |
| 03.08.07 |
Media Use |
AUL-POL-30 |
Not Yet Covered |
| 03.08.09 |
System Backup — Cryptographic Protection |
AUL-POL-28, AUL-POL-21 |
Not Yet Covered |
03.09 — Personnel Security
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.09.01 |
Personnel Screening |
AUL-POL-08 |
Covered (Full) |
| 03.09.02 |
Personnel Termination and Transfer |
AUL-POL-09, AUL-SOP-02 |
Covered (Partial) |
03.10 — Physical Protection
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.10.01 |
Physical Access Authorizations |
AUL-POL-11 |
Covered (Full) |
| 03.10.02 |
Monitoring Physical Access |
AUL-POL-11 |
Covered (Full) |
| 03.10.06 |
Alternate Work Site |
AUL-POL-12 |
Covered (Full) |
| 03.10.07 |
Physical Access Control |
AUL-POL-11 |
Covered (Full) |
| 03.10.08 |
Access Control for Transmission and Output Devices |
AUL-POL-11 |
Covered (Full) |
03.11 — Risk Assessment
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.11.01 |
Risk Assessment |
AUL-POL-03 |
Covered (Full) |
| 03.11.02 |
Vulnerability Monitoring and Scanning |
AUL-POL-03, AUL-POL-38, AUL-STD-10 |
Covered (Partial) |
| 03.11.04 |
Risk Response |
AUL-POL-03 |
Covered (Full) |
03.12 — Security Assessment and Monitoring
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.12.01 |
Security Assessment |
AUL-POL-66, AUL-POL-70 |
Not Yet Covered |
| 03.12.02 |
Plan of Action and Milestones |
AUL-POL-68 |
Not Yet Covered |
| 03.12.03 |
Continuous Monitoring |
AUL-POL-69, AUL-PLN-07 |
Not Yet Covered |
| 03.12.05 |
Information Exchange |
AUL-POL-77 |
Not Yet Covered |
03.13 — System and Communications Protection
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.13.01 |
Boundary Protection |
AUL-POL-29, AUL-STD-06 |
Not Yet Covered |
| 03.13.04 |
Information in Shared System Resources |
AUL-POL-33 |
Not Yet Covered |
| 03.13.06 |
Network Communications — Deny by Default |
AUL-POL-29 |
Not Yet Covered |
| 03.13.08 |
Transmission and Storage Confidentiality |
AUL-POL-21, AUL-STD-01 |
Not Yet Covered |
| 03.13.09 |
Network Disconnect |
AUL-POL-29 |
Not Yet Covered |
| 03.13.10 |
Cryptographic Key Establishment and Management |
AUL-POL-22 |
Not Yet Covered |
| 03.13.11 |
Cryptographic Protection |
AUL-POL-21, AUL-STD-01 |
Not Yet Covered |
| 03.13.12 |
Collaborative Computing Devices and Applications |
AUL-POL-34 |
Not Yet Covered |
| 03.13.13 |
Mobile Code |
AUL-POL-30 |
Not Yet Covered |
| 03.13.15 |
Session Authenticity |
AUL-POL-21 |
Not Yet Covered |
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.14.01 |
Flaw Remediation |
AUL-POL-38 |
Not Yet Covered |
| 03.14.02 |
Malicious Code Protection |
AUL-POL-30 |
Not Yet Covered |
| 03.14.03 |
Security Alerts, Advisories, and Directives |
AUL-POL-38 |
Not Yet Covered |
| 03.14.06 |
System Monitoring |
AUL-POL-40 |
Not Yet Covered |
| 03.14.08 |
Information Management and Retention |
AUL-POL-25 |
Not Yet Covered |
03.15 — Planning
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.15.01 |
Policy and Procedures |
AUL-POL-01 |
Covered (Full) |
| 03.15.02 |
System Security Plan |
AUL-PLN-01 |
Not Yet Covered |
| 03.15.03 |
Rules of Behavior |
AUL-POL-01, AUL-POL-05 |
Covered (Full) |
03.16 — System and Services Acquisition
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.16.01 |
Security and Privacy Engineering Principles |
AUL-POL-43 |
Not Yet Covered |
| 03.16.02 |
Unsupported System Components |
AUL-POL-39 |
Not Yet Covered |
| 03.16.03 |
External System Services |
AUL-POL-55 |
Not Yet Covered |
03.17 — Supply Chain Risk Management
| Control |
Title |
Implementing Doc(s) |
Status |
| 03.17.01 |
Supply Chain Risk Management Plan |
AUL-POL-56, AUL-PLN-06 |
Not Yet Covered |
| 03.17.02 |
Acquisition Strategies, Tools, and Methods |
AUL-POL-56, AUL-POL-78 |
Not Yet Covered |
| 03.17.03 |
Supply Chain Requirements and Processes |
AUL-POL-57 |
Not Yet Covered |
Update Procedure (for Claude Code)
When you author a policy that implements a 800-171 control:
- Find the control row above.
- Confirm the Implementing Doc(s) column references your document. If not, add it.
- Update the Status column to
Covered (Full) or Covered (Partial).
- If
Partial, the policy itself must say what is not covered and where the rest comes from.
- Commit the mapping update with the policy in the same commit.