Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Background image
Compliance

Streamlining NIST 800-171 Compliance

What is NIST 800-171 compliance?

NIST Logo

NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) outlines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. It includes controls for access control, incident response, and data protection, helping contractors and organizations meet federal security standards, reduce risk, and ensure the confidentiality of sensitive government-related information.

Need NIST 800-171 Help?

Get in touch

Teleport Features for NIST 800-171 Controls

Access Controls

Control Name

ID

Teleport Capability

Account Management

3.1.1, 3.1.2

  • Teleport integrates with SSO providers such as GitHub, Okta, Google, etc.
  • Teleport supports role-based access control (RBAC) for SSH and Kubernetes
  • Teleport certificate-based SSH and Kubernetes authentication and audit logging comply with these requirements without additional configuration.
  • Audit events are emitted when a user is created, updated, deleted, locked, or unlocked.

Access Enforcement

3.1.1, 3.1.2

Teleport supports robust role-based access controls (RBAC). RBAC can be used to:

  • Control which SSH nodes a user can or cannot access.
  • Control cluster-level configuration (session recording, configuration, etc.).
  • Control which UNIX logins a user is allowed to use when logging into a server.
  • Control which user groups have access to Kubernetes resources.

Unsuccessful Logon Attempts

3.1.8

Teleport supports two types of users: local and SSO-based accounts (GitHub, Google Apps, Okta, etc). For local accounts, by default, Teleport locks accounts for 30 minutes after 5 failed login attempts. For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider.

System Use Notifications

3.1.9

Teleport integrates with Linux Pluggable Authentication Modules (PAM). PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive.

Session Termination

3.1.11

Teleport user sessions are automatically terminated when a certificate expires. Users can exit a Teleport interactive session at any time by typing `exit` or sending an interrupt signal to the process for remote execution of a program. Logout of all sessions (destroying credentials) indicates termination of all sessions and includes an explicit logout message.

Remote Access

3.1.12, 3.1.13, 3.1.14, 3.1.15

Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity.

Use of External Information Systems

3.1.20, 3.1.21, 3.1.22

Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.

Audit & Accountability

Control Name

ID

Teleport Capability

Audit & Accountability

3.3.1, 3.3.2

Teleport contains an Audit Log that records cluster-wide events such as:

  • Failed login attempts
  • The command that was executed (SSH “exec” commands)
  • Ports that were forwarded
  • File transfers that were initiated
  • Filesystem changes
  • Network activity that happened during an interactive user session
  • Recorded interactive user sessions

Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message.

Teleport supports sending audit events to external managed services such as S3 and DynamoDB where storage concerns are handled by the cloud provider.

Non-Repudiation

3.3.8

Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes, a full session can be replayed back and viewed.

Configuration Management

Control Name

ID

Teleport Capability

Information System Component Inventory

3.4.1, 3.4.2

Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time.

Identification and Authentication

Control Name

ID

Teleport Capability

User Identification and Authentication

3.5.1, 3.5.2

  • Teleport integrates with SSO providers such as GitHub, Okta, Google, etc.
  • Teleport can act as its own SSO provider
  • Teleport can enforce the use of multi-factor authentication (MFA), including requiring per-session MFA
  • Teleport supports PIV-compatible hardware keys

Device Identification and Authentication

3.5.1, 3.5.2

Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.

Identifier Management

3.5.5, 3.5.6

Teleport maintains several unique identifiers:

  • The local users are required to be unique (unique username)
  • Teleport roles have unique names and tied to organization roles via SSO
  • Teleport identifiers for devices are unique randomly generated IDs (UUID)

Identification and Authentication (Non-Organizational Users)

3.5.1, 3.5.2

Teleport supports PIV-compatible hardware keys

System and Communications Protection

Control Name

ID

Teleport Capability

Network Disconnection

3.13.11

Teleport requires valid X.509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.

Cryptographic Key Establishment and Management

3.13.10

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Use of Cryptography

3.13.11

Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto). In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.

Public Key Infrastructure Certificates

3.13.10

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue X.509 and SSH certificates. SSH and X.509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Session Authenticity

3.13.3

Teleport SSH and TLS sessions are protected with SSH user and X.509 client certificates. For access to the Web UI, Teleport uses bearer token auth stored in a browser token to authenticate a session. Upon user logout, SSH and TLS certificates are deleted from disk and cookies are removed from the browser.

Additional Resources

Blog Post

Securing Infrastructure in Healthcare: Reducing Breaches and Building Resiliency

Webinar

2024 Secure Infrastructure Access Report: Key Insights and Trends

Webinar

Hardening Infrastructure Security Against SSO Identity Provider Compromise

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started
pam