Guide to NIST Rules in the Compliance Center

This table defines the NIST rules covered in FileCloud's Compliance Center, explains what steps you must take to be in compliance, and describes how FileCloud validates each rule.

Access Control 3.1.1
  Description: Choose a DLP rule to restrict public sharing of CUI.
  To guard against unauthorized access to CUI:
    1. Click the edit button, and select a DLP rule that blocks public shares.
    2. Change any existing public shares to private.
  Validation: If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if the rule has been modified to allow public shares, status is Issues.

Access Control 3.1.8
  Description: Configure password settings to limit unsuccessful logon attempts.
  To set a limit on unsuccessful logon attempts:
    1. Go to Settings > Misc > Password.
    2. Configure the setting as follows:
       Incorrect Attempts Before Account Lockout - a value greater than 0.
  Validation: If Incorrect Attempts Before Account Lockout is set as indicated, status is OK; if not, status is Issues.

Access Control 3.1.18
  Description: Set up a workflow that blocks the connection of a new mobile device until it is approved.
  To set up a workflow to block the connection of a new mobile device:
    • Go to Workflow > Add Workflow and choose If any new client app connects > Block the device for admin approval.
  For information about this workflow, see Admin Approval Required Workflow.
  Validation: If the workflow does not exist or is not enabled, status is Issues.

Audit and Accountability 3.3.1
  Description: Set the audit logging level.
  To monitor log-in attempts:
    • Go to Settings > Admin, and set Audit Logging Level to REQUEST or FULL.
  Validation: If Audit Logging Level is set to OFF, status is Issues.

Audit and Accountability 3.3.3
  Description: Confirm admin knows how to use and manage audit reports.
  Enable this rule to confirm that admin understands audit logs and has a process to regularly review audit records and remove unwanted records.
  Validation: None.

Audit and Accountability 3.3.8
  Description: Confirm admin understands how to disable the deletion of audit records.
  To disable deletion of audit records, see Delete Audit Log Entries.
  Validation: None.

Audit and Accountability 3.3.9
  Description: Give at least one admin user access to the Audit Reports.
  To enable at least one admin user to access the Audit Reports:
    1. Go to Admins and create a role with read access to the Audit Reports.
    2. Add at least one user to the role.
  Validation: If one or more users have access to the Audit Reports, status is OK; if not, status is Issues.

Configuration Management 3.4.2
  Description: Confirm admin understands security settings and knows how to implement reCaptcha, 2FA, and password policies.
  Enable this rule to confirm that admin can implement reCaptcha, 2FA, and password policies.
  Validation: None.

Configuration Management 3.4.7
  Description: Confirm admin knows how to disable or change non-essential ports and services.
  Enable this rule to confirm that admin can disable or change non-essential ports and services.
  For information about changing default port or web server settings in FileCloud, see Changing a Default Port or Web Server Setting.
  Validation: None.

Identification and Authentication 3.5.2
  Description: Configure and enable the Authentication Type as Active Directory or LDAP, or enable SSO.
  To authenticate users during login:
    • Go to Settings > Authentication, and set Authentication Type to Active Directory or LDAP.
  To enable SSO, see SAML Single Sign-On Support.
  Validation: If Authentication Type is set to Default and SSO is not enabled, status is Issues.

Identification and Authentication 3.5.7
  Description: Set up strong password management.
  To set regulations for strong password management:
    1. Go to Settings > Misc > Password.
    2. Configure the settings as follows:
       Password Length - 8 or more.
       Enable Strong Passwords - check.
       Disallow Commonly Used Passwords - check.
       User Password Expires In Days - a value greater than 0.
  Validation: If the password settings are set as indicated, status is OK; if not, status is Issues.

Identification and Authentication 3.5.8
  Description: Disallow the reuse of previous passwords.
  To disallow the reuse of previous passwords:
    1. Go to Settings > Misc > Password.
    2. Configure the setting as follows:
       Number of Previous Passwords that cannot be reused - a value greater than 0.
  Validation: If Number of Previous Passwords that cannot be reused is set as indicated, status is OK; if not, status is Issues.

Identification and Authentication 3.5.9
  Description: Require new accounts to change passwords.
  To require new accounts to change passwords:
    1. Go to Settings > Misc > Password.
    2. Configure the setting as follows:
       New accounts must change password - check.
  Validation: If New accounts must change password is set as indicated, status is OK; if not, status is Issues.

Incident Response 3.6.1
  Description: Confirm admin knows how to use audit, alerts, violation reports, and event reports to create notification reports.
  Enable this rule to confirm that admin knows how to use audit logs, alerts, and violation reports to generate breach notifications.
  Validation: None.

Maintenance 3.7.4
  Description: Configure anti-virus protection against malicious file uploads.
  To protect CUI from malicious file uploads:
    1. Go to Settings > Third Party Integrations > Anti-Virus.
    2. Configure an Anti-Virus type.
  Validation: If Anti-Virus is configured, status is OK; if not, status is Issues.

Media Protection 3.8.4
  Description: Choose a metadata set to classify controlled unclassified information.
  To indicate which files are CUI, click the edit button and select a metadata set with a tag for identifying them. (Use smart classification to apply the metadata tag to the CUI.)
  Validation: If the metadata set exists and is enabled, status is OK; if not, status is Issues.

Media Protection 3.8.6
  Description: Configure and enable encryption.
  To maintain security, configure storage encryption:
    1. Go to Settings > Storage > Encryption and enable encryption.
    2. Encrypt all existing files.
  See Setting Up Managed Storage Encryption in the support documentation.
  Validation: If storage is not fully encrypted or any existing files are not fully encrypted, status is Issues.

Systems and Communications Protection 3.13.3
  Description: Give at least one user in an admin role access to the Compliance Center.
  To enable at least one user to manage the Compliance Center:
    1. Go to Admins and create a role with Compliance access to the Compliance Center.
    2. In Admins, add at least one user to the role that has access to the Compliance Center.
  Validation: If one or more users have access to the Compliance Center, status is OK; if not, status is Issues.

Systems and Communications Protection 3.13.4
  Description: Choose a DLP rule that only allows private sharing.
  To guard against unauthorized access to CUI:
    1. Click the edit button, and select a DLP rule that blocks public shares.
    2. Change any existing public shares to private.
  Validation: If the DLP rule exists and is enabled and there are no existing public shares, status is OK; if not, or if the rule has been modified to allow public shares, status is Issues.

Systems and Communications Protection 3.13.9
  Description: Set session timeout for the user portal.
  To confirm automatic logoff of sessions:
    • Go to Settings > Server, and set Session Timeout to a value greater than 0.
  Validation: If Session Timeout is set to 0 or empty, status is Issues.

Systems and Communications Protection 3.13.10
  Description: Confirm decryption keys are confidential.
  Enable this rule to confirm that decryption keys are confidential.
  Validation: None.

System and Information Integrity 3.14.1
  Description: Enable Governance Report Email to send the admin an email reminder to check audit logs, reports, and security issues regularly.
  To implement procedures to regularly review records such as audit logs and violation reports:
    • Enable the Send Admin Governance Report Emails option in Admin settings.
  Validation: If the Send Admin Governance Report Emails setting is enabled, status is OK; if not, status is Issues.
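The Validation entries above describe the checks the Compliance Center runs against FileCloud settings. The script below is an added example, not FileCloud code, that reproduces the same OK/Issues verdicts offline for every rule that has an automated check (3.1.1, 3.1.8, 3.1.18, 3.3.1, 3.3.9, 3.5.2, 3.5.7, 3.5.8, 3.5.9, 3.7.4, 3.8.4, 3.8.6, 3.13.3, 3.13.4, 3.13.9 and 3.14.1), so the verdicts can be rehearsed in a CI job or before an audit. It assumes the relevant settings have been exported into a plain Python dict; FileCloud exposes no such export, so the dict shape, the keys that are not setting names from this page (dlp_rule, public_share_count, new_device_workflow, audit_report_users, cui_metadata_set, storage_encryption_enabled, unencrypted_file_count, compliance_center_users, sso_enabled) and the sample values are all assumptions made for the example.

```python
"""Offline policy-as-code check mirroring the Compliance Center validation rules.

Added example, not FileCloud code. The settings snapshot is an assumed dict
shape (FileCloud has no such export); setting names inside it are the ones
the Compliance Center page uses, the other keys are assumptions.
"""


def at_least(value, minimum) -> bool:
    """True only if value parses as an integer >= minimum.

    The page treats 0 or an empty field as a failure, so None, "", "0" and
    non-numeric junk all return False instead of raising.
    """
    try:
        return int(value) >= minimum
    except (TypeError, ValueError):
        return False


def positive_int(value) -> bool:
    """'A value greater than 0' as the page phrases it."""
    return at_least(value, 1)


def password(s, key):
    """Look up one Settings > Misc > Password field from the snapshot."""
    return (s.get("password") or {}).get(key)


def dlp_blocks_public_sharing(s) -> bool:
    """3.1.1 and 3.13.4: an enabled DLP rule that blocks public shares, and no
    public shares left over from before the rule was applied."""
    rule = s.get("dlp_rule") or {}
    return (
        bool(rule.get("enabled"))
        and bool(rule.get("blocks_public_shares"))
        and int(s.get("public_share_count", 0)) == 0
    )


def strong_password_policy(s) -> bool:
    """3.5.7: every listed password setting must be at its stated value."""
    return (
        at_least(password(s, "Password Length"), 8)
        and bool(password(s, "Enable Strong Passwords"))
        and bool(password(s, "Disallow Commonly Used Passwords"))
        and positive_int(password(s, "User Password Expires In Days"))
    )


# One predicate per rule with an automated check, in page order. Each returns
# True for OK and False for Issues, following the Validation wording.
RULES = {
    "Access Control 3.1.1": dlp_blocks_public_sharing,
    "Access Control 3.1.8": lambda s: positive_int(password(s, "Incorrect Attempts Before Account Lockout")),
    "Access Control 3.1.18": lambda s: bool((s.get("new_device_workflow") or {}).get("enabled")),
    # Missing level is treated like OFF (assumption; the page only names OFF as failing).
    "Audit and Accountability 3.3.1": lambda s: (s.get("Audit Logging Level") or "OFF").upper() != "OFF",
    "Audit and Accountability 3.3.9": lambda s: at_least(s.get("audit_report_users"), 1),
    "Identification and Authentication 3.5.2": lambda s: (
        s.get("Authentication Type") in ("Active Directory", "LDAP") or bool(s.get("sso_enabled"))
    ),
    "Identification and Authentication 3.5.7": strong_password_policy,
    "Identification and Authentication 3.5.8": lambda s: positive_int(password(s, "Number of Previous Passwords that cannot be reused")),
    "Identification and Authentication 3.5.9": lambda s: bool(password(s, "New accounts must change password")),
    "Maintenance 3.7.4": lambda s: bool(s.get("Anti-Virus Type")),
    "Media Protection 3.8.4": lambda s: bool((s.get("cui_metadata_set") or {}).get("enabled")),
    "Media Protection 3.8.6": lambda s: (
        bool(s.get("storage_encryption_enabled")) and int(s.get("unencrypted_file_count", 0)) == 0
    ),
    "Systems and Communications Protection 3.13.3": lambda s: at_least(s.get("compliance_center_users"), 1),
    "Systems and Communications Protection 3.13.4": dlp_blocks_public_sharing,
    "Systems and Communications Protection 3.13.9": lambda s: positive_int(s.get("Session Timeout")),
    "System and Information Integrity 3.14.1": lambda s: bool(s.get("Send Admin Governance Report Emails")),
}


def evaluate(snapshot):
    """Return {rule: "OK" | "Issues"} for every rule with an automated check."""
    return {rule: "OK" if check(snapshot) else "Issues" for rule, check in RULES.items()}


def issues(snapshot):
    """Rules the snapshot fails, in page order."""
    return [rule for rule, status in evaluate(snapshot).items() if status == "Issues"]


# Constructed sample snapshot (not a real FileCloud export). It deliberately
# fails four rules to show the edge cases the Validation text calls out.
SAMPLE_SNAPSHOT = {
    "dlp_rule": {"enabled": True, "blocks_public_shares": True},
    "public_share_count": 2,          # leftover public shares: 3.1.1 and 3.13.4 fail
    "password": {
        "Incorrect Attempts Before Account Lockout": 5,
        "Password Length": 12,
        "Enable Strong Passwords": True,
        "Disallow Commonly Used Passwords": True,
        "User Password Expires In Days": 90,
        "Number of Previous Passwords that cannot be reused": 0,  # 3.5.8 fails
        "New accounts must change password": True,
    },
    "new_device_workflow": {"enabled": True},
    "Audit Logging Level": "REQUEST",
    "audit_report_users": 1,
    "Authentication Type": "Active Directory",
    "sso_enabled": False,
    "Anti-Virus Type": "example-scanner",   # placeholder name, not a real product
    "cui_metadata_set": {"enabled": True},
    "storage_encryption_enabled": True,
    "unencrypted_file_count": 0,
    "compliance_center_users": 1,
    "Session Timeout": "",                  # empty field: 3.13.9 fails
    "Send Admin Governance Report Emails": True,
}

if __name__ == "__main__":
    for rule, status in evaluate(SAMPLE_SNAPSHOT).items():
        print(f"{status:6}  {rule}")
```

Running the script prints one line per rule; with the constructed snapshot it reports Issues for 3.1.1, 3.5.8, 3.13.4 and 3.13.9 and OK for the rest. The helpers parse numeric fields defensively because the page's failure conditions include "set to 0 or empty", so a blank or non-numeric value must count as a failure rather than crash the check.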