Date Published: April 2021
Comments Due: June 11, 2021 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov
, ,
The protection of controlled unclassified information (CUI) in nonfederal systems and organizations—especially CUI associated with a critical program or high value asset—is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions and business operations. To determine if the enhanced security requirements in NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, have been satisfied, organizations develop assessment plans and conduct assessments.
Draft NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800-172. The generalized assessment procedures are flexible, provide a framework and starting point to assess the enhanced security requirements, and can be tailored to the needs of organizations and assessors. Organizations tailor the assessment procedures by selecting specific assessment methods and objects to achieve the assessment objectives and by determining the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can be employed in self-assessments, independent third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or in agreements by participating parties. The findings and evidence produced during assessments can be used by organizations to facilitate risk-based decisions related to the CUI enhanced security requirements. In addition to developing determination statements for each enhanced security requirement, Draft NIST SP 800-172A introduces an updated structure to incorporate organization-defined parameters into the determination statements.
NIST is seeking feedback on the assessment procedures, including the assessment objectives, determination statements, and the usefulness of the assessment objects and methods provided for each procedure. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives.
A public comment period for this document is open through June 11, 2021. We ask that you consider using the comment template for preparing and submitting your comments. For any questions, please contact sec-cert@nist.gov.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
None selected
Publication:
SP 800-172A (Draft) (DOI)
Local Download
Supplemental Material:
Comment template (xls)
Document History:
04/27/21: SP 800-172A (Draft)
03/15/22: SP 800-172A (Final)
Security and Privacy
advanced persistent threats; controls assessment; security controls
Laws and Regulations
Federal Information Security Modernization Act; OMB Circular A-130