Date Published: November 9, 2023
Author(s)
Ron Ross (NIST), Victoria Pillitteri (NIST)
Announcement
This initial public draft is being released along with NIST SP 800-171r3 fpd (final public draft).
In addition to reflecting the security requirements in NIST SP 800-171r3 fpd, the following significant changes have been made:
- Restructured the assessment procedure syntax to align with NIST SP 800-53A
- Added a references section to provide the source assessment procedures from NIST SP 800-53A
- Made a one-time change to the publication version number (skipping “Revision 2”) to align with NIST SP 800-171r3
Submit Your Comments
The public comment period is open now through January 12, 2024. We strongly encourage you to use this comment template if possible, and submit it to 800-171comments@list.nist.gov.
Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171A, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:
- The alignment of the assessment procedures to NIST SP 800-53A
- The use of organization-defined parameters (ODPs) in the assessment procedures
- The ease of use of the assessment
Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
Please direct questions and comments to 800-171comments@list.nist.gov.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of organizations and assessors. Security assessments can be conducted as independent, third-party assessments or as government-sponsored assessments. The assessments can also be applied with various degrees of rigor based on customer-defined depth and coverage attributes. The findings and evidence produced during the assessments can facilitate risk-based decisions by organizations related to the security requirements.
Keywords
assessment; assessment method; assessment object; assessment procedure; assurance; basic security requirement; controlled unclassified information; coverage; CUI registry; depth; Executive Order 13556; FISMA; NIST Special Publication 800-171; NIST Special Publication 800-53A; nonfederal organization; nonfederal system; security assessment; security control