NIST 800-171 3.1.2: Transaction and Function Control
Transaction and function control is your primary defense against privilege creep and unauthorized actions within your systems. This NIST 800-171 requirement ensures authorized users can only execute the specific transactions and functions their role demands. Without it, any authenticated user becomes a potential attack vector.
What this means
This control requires you to enforce granular access restrictions that map user privileges to specific system transactions and functions. Rather than granting blanket system access, you must define exactly what each user role can do—what transactions they can initiate, what data they can modify, what functions they can execute. This creates a principle of least privilege at the transaction level, preventing lateral movement and misuse even when credentials are compromised.
How to comply
- 1.Document all critical system transactions and functions in your environment
- 2.Define user roles and map each role to only the transactions and functions required for their job
- 3.Configure access control lists (ACLs) and role-based access control (RBAC) to enforce these restrictions at the application and system levels
- 4.Implement application-level controls that prevent unauthorized function calls and transaction types
- 5.Test that users cannot execute functions outside their assigned scope
- 6.Audit and review transaction logs to verify controls are enforced
- 7.Maintain a matrix linking roles to permitted transactions and update it when job responsibilities change
Evidence auditors look for
- Role-based access control (RBAC) configuration documents showing which roles can execute which transactions
- Application access control matrices defining user permissions by transaction type
- Screenshots of system settings showing function-level restrictions per user role
- Transaction audit logs demonstrating that unauthorized function calls are blocked
- Change management records showing updates to role-to-transaction mappings
- Procedure documentation for granting and revoking transaction-level permissions
- Security test results showing failed attempts to execute out-of-scope transactions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps user roles to system functions, generates role-based access matrices, and produces audit-ready evidence of transaction control enforcement—eliminating manual spreadsheet maintenance and audit preparation.
See how GRCWatch handles this control automatically
Start free trial