NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) outlines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. It includes controls for access control, incident response, and data protection, helping contractors and organizations meet federal security standards, reduce risk, and ensure the confidentiality of sensitive government-related information.
Access Controls | ||||||
---|---|---|---|---|---|---|
Control Name | ID | Teleport Capability | ||||
Account Management | 3.1.1, 3.1.2 |
| ||||
Access Enforcement | 3.1.1, 3.1.2 | Teleport supports robust role-based access controls (RBAC). RBAC can be used to:
| ||||
Unsuccessful Logon Attempts | 3.1.8 | Teleport supports two types of users: local and SSO-based accounts (GitHub, Google Apps, Okta, etc). For local accounts, by default, Teleport locks accounts for 30 minutes after 5 failed login attempts. For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider. | ||||
System Use Notifications | 3.1.9 | Teleport integrates with Linux Pluggable Authentication Modules (PAM). PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive. | ||||
Session Termination | 3.1.11 | Teleport user sessions are automatically terminated when a certificate expires. Users can exit a Teleport interactive session at any time by typing `exit` or sending an interrupt signal to the process for remote execution of a program. Logout of all sessions (destroying credentials) indicates termination of all sessions and includes an explicit logout message. | ||||
Remote Access | 3.1.12, 3.1.13, 3.1.14, 3.1.15 | Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity. | ||||
Use of External Information Systems | 3.1.20, 3.1.21, 3.1.22 | Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access. |
Audit & Accountability | ||||||
---|---|---|---|---|---|---|
Control Name | ID | Teleport Capability | ||||
Audit & Accountability | 3.3.1, 3.3.2 | Teleport contains an Audit Log that records cluster-wide events such as:
Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message. Teleport supports sending audit events to external managed services such as S3 and DynamoDB where storage concerns are handled by the cloud provider. | ||||
Non-Repudiation | 3.3.8 | Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes, a full session can be replayed back and viewed. |
Configuration Management | ||||||
---|---|---|---|---|---|---|
Control Name | ID | Teleport Capability | ||||
Information System Component Inventory | 3.4.1, 3.4.2 | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
Identification and Authentication | ||||||
---|---|---|---|---|---|---|
Control Name | ID | Teleport Capability | ||||
User Identification and Authentication | 3.5.1, 3.5.2 |
| ||||
Device Identification and Authentication | 3.5.1, 3.5.2 | Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components. | ||||
Identifier Management | 3.5.5, 3.5.6 | Teleport maintains several unique identifiers:
| ||||
Identification and Authentication (Non-Organizational Users) | 3.5.1, 3.5.2 | Teleport supports PIV-compatible hardware keys |
System and Communications Protection | ||||||
---|---|---|---|---|---|---|
Control Name | ID | Teleport Capability | ||||
Network Disconnection | 3.13.11 | Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components. | ||||
Cryptographic Key Establishment and Management | 3.13.10 | Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed). | ||||
Use of Cryptography | 3.13.11 | Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto). In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography. | ||||
Public Key Infrastructure Certificates | 3.13.10 | Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed). | ||||
Session Authenticity | 3.13.3 | Teleport SSH and TLS sessions are protected with SSH user and X.509 client certificates. For access to the Web UI, Teleport uses bearer token auth stored in a browser token to authenticate a session. Upon user logout, SSH and TLS certificates are deleted from disk and cookies are removed from the browser. |