Today, NIST is releasing Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI). This publication is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the CUI security requirements defined in SP 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This objective is accomplished by:
- Providing flexible and tailorable assessment procedures for the CUI security requirements;
- Defining assessment objectives to help guide and inform the assessment;
- Specifying assessment methods that can be used to generate evidence and produce findings and results;
- Describing a set of assessment objects to which the methods can be applied;
- Facilitating different levels of assurance in security assessments by varying the scope and rigor of the assessment through selectable depth and coverage attributes; and
- Providing a discussion section for each CUI security requirement to explain the requirement and to facilitate more effective assessments.