How to Use This Reference
This document maps each NIST 800-171 Rev 2 control to the specific cloud configuration requirements that satisfy it across AWS, Azure, and GCP. Use it to:
- Understand exactly what each control requires in your cloud environment
- Identify which cloud services and configurations are in scope for each control family
- Prepare for your CMMC Level 2 C3PAO assessment
- Configure automated monitoring rules for continuous compliance
Control families covered: AC, AT, AU, CM, IA, IR, MA, MP, PS, PE, RA, CA, SC, SI
Access Control (AC) — 22 Controls
AC.1.001 — Limit system access to authorized users
Requirement: Only authorized users, processes, and devices may access organizational systems.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM policies, SCPs, resource-based policies | IAM, Organizations |
| Azure | Azure AD RBAC, Conditional Access, PIM | Azure AD, Management Groups |
| GCP | IAM roles, Organization Policies, VPC Service Controls | Cloud IAM, Resource Manager |
Common findings: IAM users without role assignments, over-broad IAM policies, missing SCPs at account level
AC.1.002 — Limit system access to transactions and functions authorized users are permitted to execute
Requirement: Authorization for access is based on the principle of least privilege.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Least-privilege IAM policies, permission boundaries, Access Analyzer | IAM, Access Analyzer |
| Azure | Custom RBAC roles, PIM just-in-time access | Azure AD, PIM |
| GCP | Predefined and custom IAM roles, conditions | Cloud IAM |
Common findings: AdministratorAccess attached to non-admin users, wildcard actions in IAM policies, unused privileged roles not revoked
AC.2.005 — Provide privacy and security notices consistent with CUI rules
Requirement: Privacy and security notices are displayed in system banners at login.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Login banner configuration (console) | AWS Organizations console settings |
| Azure | Custom branding with login message | Azure AD custom branding |
| GCP | Login message configuration | Admin console |
AC.2.006 — Limit use of portable storage devices on external systems
Requirement: Controls on use of portable storage with organizational systems.
Primarily an endpoint control; cloud implementation focuses on S3/Blob/GCS transfer policies and data loss prevention rules.
AC.2.007 — Employ the principle of least privilege, including for specific security functions and privileged accounts
Requirement: Privileged access is limited to only required permissions.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Permission boundaries, IAM Access Analyzer, privilege monitoring | IAM, Security Hub |
| Azure | PIM for privileged roles, Privileged Identity Management | Azure AD PIM |
| GCP | Organization Policy constraints, IAM Recommender | Cloud IAM, Policy Intelligence |
Common findings: Overly permissive IAM roles, persistent privileged access (should be just-in-time), service accounts with owner-level access
AC.2.008 — Use non-privileged accounts or roles when accessing non-security functions
Requirement: Privileged users use non-privileged accounts for non-administrative functions.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Separate IAM users for admin vs. standard access, MFA on privileged accounts | IAM |
| Azure | Separate admin accounts, conditional access requiring MFA for admin roles | Azure AD |
| GCP | Separate service accounts, OS Login for privileged access | Cloud IAM, OS Login |
AC.2.009 — Limit unsuccessful logon attempts
Requirement: Limit consecutive failed authentication attempts.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Account lockout via AWS WAF (for web apps), Cognito (for application auth) | WAF, Cognito |
| Azure | Smart Lockout in Azure AD, Conditional Access sign-in risk policies | Azure AD |
| GCP | Login attempt limits via Identity Platform | Cloud Identity, Identity Platform |
AC.2.010 — Use session lock with pattern-hiding displays after period of inactivity
Requirement: Session lock after defined inactivity period.
Primarily enforced at the application and endpoint level. Cloud console sessions implement automatic timeout — AWS console: 1-hour inactivity timeout; Azure portal: configurable inactivity timeout.
AC.2.011 — Authorize wireless access prior to allowing such connections
Requirement: Wireless connections authorized before allowing network access.
Cloud implementation: wireless network security is not directly applicable to cloud environments. The corresponding cloud control is VPC/VNet access authorization and guest network isolation.
AC.2.012 — Control the flow of CUI in accordance with approved authorizations
Requirement: Information flow enforcement based on approved authorizations.
| Platform | Implementation | Services |
|---|---|---|
| AWS | VPC security groups, NACLs, VPC endpoints, PrivateLink, S3 bucket policies | VPC, S3, PrivateLink |
| Azure | NSGs, Private Endpoints, Service Endpoints, Azure Firewall | VNet, Private Link |
| GCP | VPC firewall rules, VPC Service Controls, Private Google Access | VPC, VPC Service Controls |
Common findings: Security groups with overly permissive inbound rules (0.0.0.0/0), S3 buckets without access restrictions, missing VPC endpoint policies
AC.2.013 — Monitor and control remote access sessions
Requirement: Remote access sessions are monitored and controlled.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail logging of API calls, VPN/Direct Connect monitoring, SSM Session Manager logging | CloudTrail, SSM, VPN |
| Azure | Azure Bastion with session recording, conditional access, sign-in logs | Azure Bastion, Azure AD |
| GCP | Cloud Audit Logs, IAP TCP tunneling with logging, BeyondCorp | Cloud Audit Logs, IAP |
AC.2.014 — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
Requirement: TLS/cryptographic protection for all remote access.
| Platform | Implementation | Services |
|---|---|---|
| AWS | TLS 1.2+ enforcement on load balancers, ACM certificates, API Gateway TLS policies | ALB, ACM, API Gateway |
| Azure | App Gateway TLS policy, minimum TLS version enforcement | App Service, App Gateway |
| GCP | HTTPS load balancer SSL policies, minimum TLS version enforcement | Cloud Load Balancing |
AC.2.015 — Route remote access via managed access control points
Requirement: Remote access flows through managed, controlled access points.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Direct Connect, Site-to-Site VPN, AWS SSO through centralized IdP | VPN, Direct Connect, SSO |
| Azure | Azure VPN Gateway, ExpressRoute, Azure AD Application Proxy | VPN Gateway, ExpressRoute |
| GCP | Cloud VPN, Cloud Interconnect, Identity-Aware Proxy | Cloud VPN, IAP |
AC.2.016 — Control the flow of CUI in accordance with approved authorizations
See AC.2.012 — data flow control. AC.2.016 specifically addresses CUI-tagged data flows.
AC.3.017 — Separate the duties of individuals to reduce the risk of malevolent activity
Requirement: Separation of duties controls prevent single individuals from having all permissions needed to execute unauthorized actions.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Separate IAM roles for different functions, multi-account organization structure, approval workflows | IAM, Organizations, CodePipeline |
| Azure | Azure AD role separation, Privileged Identity Management with approval workflows | Azure AD, PIM |
| GCP | Separate service accounts per function, Binary Authorization for deployment | Cloud IAM, Binary Authorization |
AC.3.018 — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
Requirement: Privilege escalation controlled and logged.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail logging of privileged actions, IAM policy restrictions on sts:AssumeRole | CloudTrail, IAM |
| Azure | Azure AD PIM activation logging, privileged role activation audit | Azure AD PIM |
| GCP | Admin Activity audit logs, privilege escalation logging | Cloud Audit Logs |
AC.3.019 — Terminate sessions after defined conditions
Requirement: Automatic session termination after conditions are met.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM policy with condition time limits, Cognito token expiration, Lambda session handling | IAM, Cognito |
| Azure | Conditional Access token lifetime policies, session lifetime controls | Azure AD Conditional Access |
| GCP | Identity Platform session timeout configuration | Cloud Identity Platform |
AC.3.020 — Control connection of mobile devices
Requirement: Mobile device connections to organizational systems are controlled.
Cloud implementation: MDM integration for cloud console access, Conditional Access requiring compliant device status for cloud management plane access.
AC.3.021 — Authorize remote execution of privileged commands via remote access only for documented operational needs
Requirement: Remote execution of privileged commands limited to operational needs.
| Platform | Implementation | Services |
|---|---|---|
| AWS | SSM Session Manager with session logging and role-based access, restricted IAM for remote execution | SSM, IAM |
| Azure | Azure Bastion for privileged remote access, just-in-time VM access | Azure Bastion, Defender for Cloud |
| GCP | OS Login with granular access, IAP TCP tunneling with logging | OS Login, IAP |
AC.3.022 — Use encryption to protect CUI during transmission unless protected by alternative physical safeguards
Requirement: All CUI transmitted over open networks is encrypted.
| Platform | Implementation | Services |
|---|---|---|
| AWS | TLS enforcement on all endpoints, S3 in-transit encryption enforcement via bucket policy | ACM, S3, ALB, CloudFront |
| Azure | HTTPS-only enforcement, Azure Storage secure transfer required | App Service, Azure Storage |
| GCP | HTTPS enforcement, Google-managed in-transit encryption | Cloud Load Balancing, Cloud Storage |
Common findings: S3 bucket policies missing aws:SecureTransport condition, load balancers allowing HTTP, APIs without TLS enforcement
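The first AWS finding above (a bucket policy with no aws:SecureTransport deny) can be checked mechanically. The checker below is an added example, not part of this mapping or of PolicyCortex; it parses a bucket policy document and reports whether a correctly scoped Deny on non-TLS requests is present. The bucket name "example-cui-bucket" and both sample policies are constructed for the example.

```python
"""Check whether an S3 bucket policy denies unencrypted (non-TLS) requests.

The pattern AC.3.022 expects is a Deny statement on s3:* for every principal,
covering the bucket and its objects, with Condition Bool aws:SecureTransport
== false. A Deny scoped only to objects still lets bucket-level calls such as
ListBucket travel over plain HTTP, so that variant is reported as a finding.
"""
import json


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_bucket_and_objects(resources, bucket):
    """True if Resource covers both the bucket ARN and its objects (or is "*")."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    have = set(resources)
    return "*" in have or (bucket_arn in have and f"{bucket_arn}/*" in have)


def _denies_all_principals(principal):
    """Principal must be "*" or {"AWS": "*"} so the Deny applies to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def enforces_secure_transport(policy_json, bucket):
    """Return True if the policy has a Deny that blocks all non-TLS requests."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _denies_all_principals(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"*", "s3:*"}:
            continue
        if not _covers_bucket_and_objects(_as_list(stmt.get("Resource")), bucket):
            continue
        # The condition value may be the string "false" or JSON false.
        values = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        if any(str(v).lower() == "false" for v in values):
            return True
    return False


# Constructed sample policies for the hypothetical bucket "example-cui-bucket".
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-cui-bucket",
                     "arn:aws:s3:::example-cui-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Same Deny scoped to objects only: bucket-level operations stay open to HTTP.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-cui-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_POLICY), ("objects-only", OBJECTS_ONLY_POLICY)):
        print(name, enforces_secure_transport(doc, "example-cui-bucket"))
```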
Audit and Accountability (AU) — 9 Controls
AU.2.041 — Ensure system activities can be associated with individual users
Requirement: Audit events are attributable to individual users.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail with user identity in every event, IAM user vs. assumed role tracking | CloudTrail |
| Azure | Azure Activity Log with user identity, Azure AD sign-in logs | Activity Log, Azure AD |
| GCP | Cloud Audit Logs with principal (user/service account) in every log entry | Cloud Audit Logs |
Common findings: Shared IAM users (no individual attribution), missing CloudTrail in some regions, data plane events not logged
AU.2.042 — Create and retain system audit logs and records to the extent needed to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity
Requirement: Audit logs retained for sufficient period (DoD requires 3 years).
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail logs to S3 with 3-year lifecycle policy, CloudWatch Logs retention settings | CloudTrail, S3, CloudWatch Logs |
| Azure | Log Analytics workspace retention (3 years), Diagnostic Settings to Storage Account | Log Analytics, Azure Monitor |
| GCP | Cloud Logging retention rules, log exports to Cloud Storage | Cloud Logging |
Common findings (73% of environments): Log retention set to default (90 days or less), CloudTrail not enabled in all regions, log integrity validation disabled
AU.2.043 — Review and update logged events
Requirement: Regularly review logged events to ensure appropriate coverage.
Operational control — PolicyCortex automates continuous review of log coverage and alerts on logging gaps.
AU.3.045 — Review audit logs to identify and investigate anomalous activity
Requirement: Audit log analysis to detect anomalous activity.
| Platform | Implementation | Services |
|---|---|---|
| AWS | GuardDuty for threat detection, Security Hub for aggregation, CloudWatch Insights for analysis | GuardDuty, Security Hub, CloudWatch |
| Azure | Microsoft Sentinel for SIEM/SOAR, Defender for Cloud alerts | Sentinel, Defender for Cloud |
| GCP | Security Command Center, Event Threat Detection, Chronicle integration | SCC, Chronicle |
AU.3.046 — Alert in the event of an audit logging process failure
Requirement: Alert when audit logging process fails or stops.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudWatch alarm on CloudTrail metric filter for logging stopped | CloudWatch, CloudTrail |
| Azure | Azure Monitor alert on Log Analytics heartbeat | Azure Monitor |
| GCP | Cloud Monitoring alert on logging export errors | Cloud Monitoring |
AU.3.048 — Collect audit information (e.g., logs) into one or more central repositories
Requirement: Centralized log management.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail Organization Trail, centralized CloudWatch Logs, Security Lake | CloudTrail, CloudWatch, Security Lake |
| Azure | Central Log Analytics workspace, Azure Monitor at management group level | Log Analytics, Azure Monitor |
| GCP | Aggregated log sinks at organization level | Cloud Logging, BigQuery |
Common findings: Per-account logging without aggregation, no central SIEM, logs in multiple locations without correlation
AU.3.049 — Protect audit information and audit tools from unauthorized access, modification, and deletion
Requirement: Audit logs are protected from tampering.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail log file validation, S3 Object Lock for log buckets, MFA Delete | CloudTrail, S3 |
| Azure | Log Analytics immutability, Write Once storage for archive logs | Log Analytics, Azure Storage |
| GCP | Cloud Logging write-protected audit logs, CMEK for log storage | Cloud Logging |
AU.3.050 — Limit management of audit logging to a subset of privileged users
Requirement: Only authorized privileged users can modify audit log configurations.
| Platform | Implementation | Services |
|---|---|---|
| AWS | SCP denying cloudtrail:StopLogging and cloudtrail:DeleteTrail for non-admin accounts | Organizations SCPs |
| Azure | Azure Policy deny effect on diagnostic settings modification | Azure Policy |
| GCP | Organization Policy constraints on audit log configuration | Organization Policy |
AU.3.051 — Correlate audit record review, analysis, and reporting processes for investigation
Requirement: Audit records from multiple sources can be correlated.
Addressed by centralized logging and SIEM integration (AU.3.048). For CMMC assessment evidence, PolicyCortex provides correlated audit records across all control families.
Configuration Management (CM) — 9 Controls
CM.2.061 — Establish and maintain baseline configurations and inventories of organizational systems
Requirement: Documented baseline configurations for all in-scope systems.
| Platform | Implementation | Services |
|---|---|---|
| AWS | AWS Config baseline rules, Systems Manager Inventory, IaC (Terraform/CDK) | AWS Config, SSM |
| Azure | Azure Policy baselines, Azure Resource Graph inventory | Azure Policy, Resource Graph |
| GCP | Config Connector, Organization Policy constraints | Config Connector |
Common findings: Resources created outside IaC pipelines (63% of environments), no automated baseline enforcement (71%), configuration drift from documented baseline
CM.2.062 — Establish and maintain security configuration settings
Requirement: Security configuration settings documented and enforced.
| Platform | Implementation | Services |
|---|---|---|
| AWS | AWS Config managed rules for security baseline, Security Hub standards | AWS Config, Security Hub |
| Azure | Azure Security Benchmark via Defender for Cloud | Defender for Cloud |
| GCP | Security Command Center security health analytics, Organization Policies | SCC, Organization Policy |
CM.2.063 — Address and document information security-relevant software and firmware updates
Requirement: Patching and updates managed systematically.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Systems Manager Patch Manager, EC2 Image Builder for AMI updates | SSM Patch Manager, EC2 Image Builder |
| Azure | Azure Update Manager, Defender for Cloud patching recommendations | Azure Update Manager |
| GCP | OS Patch Management, Container Analysis for container vulnerabilities | OS Config, Artifact Registry |
CM.2.064 — Establish and enforce security configuration settings for information technology products employed in organizational systems
Requirement: Vendor-recommended security configurations applied.
Assessed against CIS Benchmarks for AWS/Azure/GCP and platform-specific security baselines.
CM.2.065 — Track, review, approve, and log changes to systems
Requirement: Change management process for system modifications.
| Platform | Implementation | Services |
|---|---|---|
| AWS | CloudTrail for change tracking, Config rules for change validation, IAM conditions for approval gates | CloudTrail, Config |
| Azure | Activity Log for all changes, Azure DevOps approval gates, RBAC change controls | Activity Log, Azure DevOps |
| GCP | Cloud Audit Logs for all resource changes, Binary Authorization for deployment approvals | Cloud Audit Logs, Binary Authorization |
Common findings: Change management policy not applied to cloud configuration changes (58% of environments)
Identification and Authentication (IA) — 11 Controls
IA.1.076 — Identify organizational users, processes acting on behalf of users, and devices
Requirement: All system entities have unique identifiers.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM users and roles with unique IDs, VPC endpoint IDs for network identity | IAM |
| Azure | Azure AD user/service principal unique ObjectIDs | Azure AD |
| GCP | Google Identity unique user IDs, service account email addresses | Cloud IAM |
IA.1.077 — Authenticate organizational users, processes acting on behalf of users, and devices before allowing access
Requirement: Authentication required for all access.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM credential authentication (password + MFA or access keys + session tokens) | IAM, STS |
| Azure | Azure AD authentication with MFA enforcement | Azure AD |
| GCP | Google Identity authentication, Workload Identity Federation | Cloud IAM |
IA.2.078 — Enforce a minimum password complexity and change requirements
Requirement: Password policy enforces complexity requirements.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM password policy (min 14 chars, complexity required per NIST 800-171) | IAM password policy |
| Azure | Azure AD password complexity requirements, Banned Password List | Azure AD |
| GCP | Organization-level password policies via Admin console | Cloud Identity |
IA.2.079 — Prohibit password reuse for a specified number of generations
Requirement: Password history enforced to prevent reuse.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM password policy: password reuse prevention (24 generations) | IAM password policy |
| Azure | Azure AD password history enforcement | Azure AD |
| GCP | Password reuse prevention via Admin console | Cloud Identity |
IA.2.080 — Allow temporary password use for system logons with immediate change requirement
Requirement: Temporary passwords expire and require change on first use.
Addressed by IdP configuration — IAM, Azure AD, and Google Identity all support forced password reset on first login.
IA.2.081 — Employ cryptographically-secured passwords
Requirement: Passwords stored using cryptographically secure hashing.
Addressed by platform identity providers — AWS IAM, Azure AD, and Google Identity all use secure password hashing. Assessed for any custom authentication implementations.
IA.3.082 — Employ multifactor authentication for local and network access to privileged accounts
Requirement: MFA required for all privileged account access.
| Platform | Implementation | Services |
|---|---|---|
| AWS | MFA required for console access via IAM policy condition (aws:MultiFactorAuthPresent), root account MFA mandatory | IAM, root account |
| Azure | Conditional Access MFA for privileged roles, MFA Registration Policy | Azure AD Conditional Access |
| GCP | 2-Step Verification enforcement via Admin console, 2SV for privileged identities | Cloud Identity |
Common findings (61% of environments): IAM users with console access and no MFA enforcement, root account without MFA, MFA policy exists but not enforced via IAM condition
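The last finding above ("MFA policy exists but not enforced via IAM condition") usually comes down to how the aws:MultiFactorAuthPresent condition is written. The classifier below is an added example, not part of this mapping or of PolicyCortex. It rates a policy document as strong, weak or none: a Deny using BoolIfExists matches requests where the key is absent (long-term access keys), while a Deny using plain Bool does not, so the latter only covers console and other session-based requests. The three sample policies are constructed.

```python
"""Classify how an IAM policy enforces MFA via the aws:MultiFactorAuthPresent key.

IA.3.082 calls for MFA enforced through an IAM policy condition. The usual
shape is a Deny on all actions (or a NotAction allow-list that exempts only the
calls needed to enrol an MFA device) that matches when the MFA key is false.
The key is not present on requests signed with long-term access keys, so a
"Bool" test never matches them; "BoolIfExists" treats the missing key as a
match and denies. The checker reports which operator the policy relies on.
"""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _broad_scope(stmt):
    """The Deny must cover everything: Action "*" or a NotAction exemption list."""
    if "NotAction" in stmt:
        return True
    return "*" in _as_list(stmt.get("Action"))


def mfa_enforcement_level(policy_json):
    """Return 'strong' (BoolIfExists), 'weak' (Bool only) or 'none'."""
    policy = json.loads(policy_json)
    best = "none"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _broad_scope(stmt):
            continue
        cond = stmt.get("Condition", {})
        for operator, level in (("BoolIfExists", "strong"), ("Bool", "weak")):
            values = [str(v).lower() for v in _as_list(cond.get(operator, {}).get(MFA_KEY))]
            if "false" in values:
                if level == "strong":
                    return "strong"
                best = "weak"
    return best


# Constructed sample policies. STRONG follows the documented "deny all except
# MFA self-enrolment when no MFA" pattern; WEAK uses Bool instead of BoolIfExists.
STRONG_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupIfNoMfa",
        "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "iam:ChangePassword", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }],
})

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {MFA_KEY: "false"}},
    }],
})

NO_MFA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
})

if __name__ == "__main__":
    for name, doc in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY), ("none", NO_MFA_POLICY)):
        print(name, mfa_enforcement_level(doc))
```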
IA.3.083 — Employ multifactor authentication for local and network access to non-privileged accounts
Requirement: MFA required for all user accounts (not just privileged).
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM policy condition requiring MFA for all users, enforcement SCP | IAM, Organizations |
| Azure | Conditional Access MFA for all users | Azure AD Conditional Access |
| GCP | 2-Step Verification enforcement for all users | Cloud Identity Admin |
IA.3.085 — Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
Requirement: Authentication mechanisms resist replay attacks.
Addressed by platform-level authentication — all major cloud providers use modern authentication protocols (OAuth 2.0, SAML 2.0) that include replay protection mechanisms.
IA.3.086 — Disable identifiers after a defined period of inactivity
Requirement: Unused accounts are disabled.
| Platform | Implementation | Services |
|---|---|---|
| AWS | IAM credential report + AWS Config rule for unused credentials (90+ days), automated disable | IAM Credential Report, Config |
| Azure | Azure AD access reviews, stale account detection | Azure AD Access Reviews |
| GCP | Policy Intelligence: unused access recommendations | Cloud IAM, Policy Intelligence |
Common findings (52% of environments): Active IAM users with last activity > 90 days, unused service account keys not rotated or disabled
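The AWS row names the IAM credential report as the data source for this control. The parser below is an added example, not part of this mapping or of PolicyCortex: it reads a credential-report CSV and returns every enabled password or active access key idle for more than 90 days, measuring a never-used credential from its creation or last rotation date. The report contents, account id 111122223333 and the as-of date are constructed; the CSV keeps only a subset of the report's real columns.

```python
"""Find IAM credentials idle for more than a threshold in an IAM credential report.

IA.3.086 expects unused identifiers to be disabled. The IAM credential report
is a CSV with one row per user plus <root_account>; timestamps are ISO 8601 and
AWS uses the sentinels N/A, no_information and not_supported when there is no
date. A credential that has never been used is measured from its creation
(password_last_changed / access_key_N_last_rotated).
"""
import csv
import io
from datetime import datetime, timezone

NEVER = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Return an aware datetime, or None for AWS's no-date sentinel strings."""
    if value in NEVER:
        return None
    return datetime.fromisoformat(value)


def _idle_days(last_used, created, as_of):
    """Days since last use, falling back to the creation date if never used."""
    anchor = last_used or created
    if anchor is None:
        return None
    return (as_of - anchor).days


def stale_credentials(report_csv, as_of, max_idle_days=90):
    """Return [(user, credential, idle_days)] for credentials over the threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row.get("password_enabled") == "true":
            idle = _idle_days(_parse_ts(row["password_last_used"]),
                              _parse_ts(row["password_last_changed"]), as_of)
            if idle is not None and idle > max_idle_days:
                findings.append((user, "password", idle))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            idle = _idle_days(_parse_ts(row[f"access_key_{n}_last_used_date"]),
                              _parse_ts(row[f"access_key_{n}_last_rotated"]), as_of)
            if idle is not None and idle > max_idle_days:
                findings.append((user, f"access_key_{n}", idle))
    return findings


# Constructed sample report (subset of the real columns). bob's console password
# and never-used key 1 are stale; deploy-bot's second key has not been used since January.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T00:00:00+00:00,true,2024-06-01T12:00:00+00:00,2024-03-01T00:00:00+00:00,true,true,2024-02-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-01-10T00:00:00+00:00,true,2023-11-15T08:00:00+00:00,2023-10-01T00:00:00+00:00,false,true,2023-09-01T00:00:00+00:00,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-06-01T00:00:00+00:00,false,not_supported,not_supported,false,true,2023-06-01T00:00:00+00:00,2024-06-02T00:00:00+00:00,true,2024-01-05T00:00:00+00:00,2024-01-20T00:00:00+00:00
"""
AS_OF = datetime(2024, 6, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, cred, days in stale_credentials(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {cred} idle for {days} days")
```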
System and Communications Protection (SC) — 16 Controls
SC.1.175 — Monitor, control, and protect communications at external boundaries and key internal boundaries
Requirement: Network communications monitored and controlled at boundaries.
| Platform | Implementation | Services |
|---|---|---|
| AWS | VPC security groups, NACLs, AWS Network Firewall, VPC Flow Logs | VPC, Network Firewall |
| Azure | NSGs, Azure Firewall, DDoS Protection, NSG Flow Logs | VNet, Azure Firewall |
| GCP | VPC firewall rules, Cloud Armor, VPC Flow Logs | VPC, Cloud Armor |
Common findings (52% of environments): VPC Flow Logs not enabled, no WAF on externally accessible applications (67%), overly permissive security groups (58%)
SC.1.176 — Implement subnetworks for publicly accessible system components
Requirement: Publicly accessible systems separated in dedicated subnets.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Public/private subnet architecture, internet-facing resources in public subnets only | VPC |
| Azure | Public subnet with NSG, Application Gateway/WAF in DMZ subnet | VNet |
| GCP | Public subnet isolation, external load balancer in separate network tier | VPC |
SC.3.177 — Employ FIPS-validated cryptography for CUI protection
Requirement: FIPS 140-2 validated cryptographic modules for CUI.
| Platform | Implementation | Services |
|---|---|---|
| AWS | FIPS endpoints available for most services (use *.fips.amazonaws.com endpoints), GovCloud default | Service endpoints, GovCloud |
| Azure | Azure Government FIPS compliance, FIPS-validated modules in Gov regions | Azure Government |
| GCP | FIPS 140-2 validated cryptography available; GCP Assured Workloads for compliance | Assured Workloads |
SC.3.178 — Prohibit remote activation of collaborative computing devices and provide indication of use
Requirement: Remote activation of cameras and microphones is prevented, and an indication of use is displayed.
Primarily an endpoint control. Cloud assessment context: ensure no cloud-connected collaboration tools (video APIs, etc.) are configured to enable recording without participant indication.
SC.3.183 — Deny network communications traffic by default and allow by exception
Requirement: Default deny network policy.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Security group default deny, NACL default deny for inbound | VPC Security Groups, NACLs |
| Azure | NSG default deny rule (priority 65500 DenyAllInBound) | NSGs |
| GCP | VPC default firewall rules — implied deny for ingress | VPC Firewall |
Common findings: Security groups with 0.0.0.0/0 allow rules for broad port ranges, missing explicit deny rules
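The 0.0.0.0/0 finding listed here and under AC.2.012 is the same check. The function below is an added example, not part of this mapping or of PolicyCortex: it takes a list shaped like the SecurityGroups field of an AWS describe-security-groups response and reports inbound rules open to the internet (IPv4 or IPv6) that admit all traffic, a port range, or any single port other than 80/443. The group ids and rules are constructed; the 80/443 allow-list is an assumption for the example.

```python
"""Flag security group ingress rules open to the internet over broad port ranges.

Input is a list of security groups shaped like the SecurityGroups element of
describe-security-groups. A rule is reported when its source is 0.0.0.0/0 or
::/0 and it allows all traffic (IpProtocol "-1"), a protocol with no port
bounds, a range spanning more than one port, or a single port that is not on
the PUBLIC_OK allow-list.
"""

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}   # assumed: ports an internet-facing listener may expose


def _world_sources(perm):
    """CIDR sources of a permission entry that match the whole internet."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4 + v6


def _describe_rule(perm):
    """Human-readable protocol/port summary for a finding."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return f"{proto} all ports"
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def _is_broad(perm):
    """True when the rule admits more than one public service port."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1 or hi == -1:
        return True   # no port bounds, or ICMP "all types" encoding
    if hi != lo:
        return True   # any multi-port range counts as broad
    return lo not in PUBLIC_OK


def world_open_ingress(security_groups):
    """Return findings as (group_id, rule_description, source_cidr) tuples."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _is_broad(perm):
                continue
            for src in _world_sources(perm):
                findings.append((sg["GroupId"], _describe_rule(perm), src))
    return findings


# Constructed sample: a clean HTTPS listener, SSH open to the world plus a
# wide range restricted to RFC 1918 space, and an all-traffic rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc333", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for group_id, rule, src in world_open_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: {rule} from {src}")
```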
System and Information Integrity (SI) — 7 Controls
SI.1.210 — Identify, report, and correct information and information system flaws in a timely manner
Requirement: Vulnerability management and patching.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Inspector for vulnerability scanning, Systems Manager Patch Manager | Inspector, SSM |
| Azure | Defender for Cloud vulnerability assessment, Microsoft Defender for Endpoint | Defender for Cloud |
| GCP | Security Command Center vulnerabilities, Container Analysis | SCC, Artifact Registry |
SI.1.211 — Provide protection from malicious code at appropriate locations
Requirement: Anti-malware controls deployed.
| Platform | Implementation | Services |
|---|---|---|
| AWS | GuardDuty malware protection, Inspector agent for EC2 | GuardDuty, Inspector |
| Azure | Defender for Servers (Microsoft Defender Antivirus), Defender for Containers | Defender for Cloud |
| GCP | Shielded VMs, Container Analysis, Security Command Center threats | SCC, Shielded VMs |
SI.2.214 — Monitor system security alerts and advisories and take action in response
Requirement: Security advisories monitored and acted upon.
| Platform | Implementation | Services |
|---|---|---|
| AWS | Security Hub aggregating GuardDuty, Inspector, Config findings | Security Hub |
| Azure | Defender for Cloud security alerts | Defender for Cloud |
| GCP | Security Command Center findings | SCC |
SI.2.216 — Monitor organizational systems to detect attacks and indicators of compromise
Requirement: Continuous monitoring for attacks and IOCs.
| Platform | Implementation | Services |
|---|---|---|
| AWS | GuardDuty, VPC Flow Logs analysis, CloudTrail anomaly detection | GuardDuty, CloudTrail |
| Azure | Microsoft Sentinel, Defender for Cloud | Sentinel, Defender for Cloud |
| GCP | Event Threat Detection, Chronicle SIEM | SCC, Chronicle |
Incident Response (IR) — 3 Controls
IR.2.092 — Establish an operational incident-handling capability
Requirement: Incident response capability exists and is operational.
Addressed through DFARS 72-hour reporting compliance and documented IR procedures. PolicyCortex supports incident detection, documentation, and timeline tracking.
IR.2.093 — Track, document, and report incidents to designated officials
Requirement: Incidents tracked and reported per requirements.
For DFARS-covered incidents: report to DoD via DIBNet Portal within 72 hours. PolicyCortex generates structured incident documentation for DIBNet submission.
IR.3.098 — Test the organizational incident response capability
Requirement: IR capability tested periodically.
Tabletop exercise and simulation requirement — PolicyCortex provides incident scenario simulation data and response timeline analytics.
Download the Complete Mapping
The downloadable version of this mapping includes:
- All 110 controls with detailed implementation guidance
- Specific configuration examples for each cloud provider
- PolicyCortex automation coverage indicators
- Assessment evidence requirements per control
Download Full NIST 800-171 Control Mapping (PDF)
Ready to automate compliance enforcement?
PolicyCortex continuously maps your cloud environment against CMMC, NIST 800-171, and FedRAMP controls — evidence assembles itself.