U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

SP 800-172A (Draft)

Assessing Enhanced Security Requirements for Controlled Unclassified Information

Date Published: April 2021
Comments Due: June 11, 2021 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Author(s)

Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST)

Announcement

The protection of controlled unclassified information (CUI) in nonfederal systems and organizations—especially CUI associated with a critical program or high value asset—is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions and business operations. To determine if the enhanced security requirements in NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, have been satisfied, organizations develop assessment plans and conduct assessments.

Draft NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800-172. The generalized assessment procedures are flexible, provide a framework and starting point to assess the enhanced security requirements, and can be tailored to the needs of organizations and assessors. Organizations tailor the assessment procedures by selecting specific assessment methods and objects to achieve the assessment objectives and by determining the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can be employed in self-assessments, independent third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or in agreements by participating parties. The findings and evidence produced during assessments can be used by organizations to facilitate risk-based decisions related to the CUI enhanced security requirements. In addition to developing determination statements for each enhanced security requirement, Draft NIST SP 800-172A introduces an updated structure to incorporate organization-defined parameters into the determination statements.

NIST is seeking feedback on the assessment procedures, including the assessment objectives, determination statements, and the usefulness of the assessment objects and methods provided for each procedure. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives.

A public comment period for this document is open through June 11, 2021. We ask that you consider using the comment template for preparing and submitting your comments. For any questions, please contact sec-cert@nist.gov.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

Assessment; Assessment Method; Assessment Object; Assessment Procedure; Assurance; Enhanced Security Requirement; Controlled Unclassified Information; Coverage; CUI Registry; Depth; Executive Order 13556; FISMA; NIST Special Publication 800-53; NIST Special Publication 800-53A; Nonfederal Organization; Nonfederal System; Security Assessment; Security Control
Control Families

None selected

Documentation

Publication:
SP 800-172A (Draft) (DOI)
Local Download

Supplemental Material:
Comment template (xls)

Document History:
04/27/21: SP 800-172A (Draft)