Date Published: March 2022
Planning Note (04/13/2022):
The assessment procedures in SP 800-172A are available in multiple data formats. The PDF of SP 800-172A is the authoritative source of the assessment procedures. If there are any discrepancies noted in the content between the CSV, XLSX, and the SP 800-172A PDF, please contact sec-cert@nist.gov and refer to the PDF as the normative source.
Author(s)
Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST)
The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions and business operations. This publication provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The assessment procedures are flexible and can be tailored to the needs of organizations and assessors. Assessments can be conducted as 1) self-assessments; 2) independent, third-party assessments; or 3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on customer-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements.
Keywords
assessment; assessment method; assessment object; assessment procedure; assurance; enhanced security requirement; enhanced security requirement assessment; Controlled Unclassified Information; coverage; CUI Registry; depth; Executive Order 13556; FISMA; NIST Special Publication 800-53; NIST Special Publication 800-53A; NIST Special Publication 800-171; NIST Special Publication 800-172; NIST Special Publication 800-172A; nonfederal organization; nonfederal system; security assessment; security control
Control Families
None selected