New updates and additions to compliance requirements are as regular as the rising and setting of the sun. Recently, the National Institute of Standards and Technology (NIST) released SP 800-171A, a companion publication to NIST 800-171 that provides guidance on how organizations can assess the CUI requirements in NIST 800-171.
The purpose of this release was to help non-federal organizations comply with SP 800-171 by providing guidance on creating assessment plans and performing assessments to meet the security requirements. The primary focus of NIST SP 800-171 was to create a set of security requirements to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. The requirements are mandatory for DOD contractors because the requirements are referenced in the DFARS.
There were five areas where non-federal organizations needed direction in order to be compliant with NIST SP 800-171. SP 800-171A addressed those areas, which are as follows:
- Identify potential problems or shortfalls in the organization’s security and risk management programs
- Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate
- Prioritize risk mitigation decisions and activities
- Confirm that identified security weaknesses and deficiencies in the system and in the environment of operation have been addressed
- Support continuous monitoring activities and provide information security situational awareness.
In the original NIST Special Publication 800-171, security requirements were broken down into fourteen families that contained the security requirements for each family group. The family groups are listed below:
CUI Security Requirement Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
To give assessors a clear way to evaluate against these requirements, NIST provided recommended assessment methods in NIST SP 800-171A. These methods are Examine, Interview and Test.
- The Examine method involves reviewing, inspecting, observing, studying or analyzing the different assessment objects in areas of specifications, mechanisms and activities. This is meant to help the assessor gain clarification and understanding as well as possibly gather evidence on the present level of compliance.
- The Interview part of the process includes holding discussions with the parties who have responsibilities for the assessment objects in question. This also is meant to help the assessor gain clarification, understanding or evidence as needed.
- The Test method is the process by which assessment objects are measured and compared against the expected behavior and/or compliance.
All three methods of assessment are recommended to help make the determination for compliance against the requirements listed in the security families.
Chapter Three of NIST SP 800-171A gives a much more detailed breakdown of the assessment procedures, methods and objects to be used for the CUI security requirements. NIST does provide some flexibility on the level of detail to be used for an assessment, based upon the different assurance requirements of the particular organization. Appendix D provides the necessary clarification of the level of detail required.
As always, Tripwire is here to help with compliance requirements. Tripwire provides the means by which a company can measure how they would fare when the Examine, Interview and Test methods are used to check their compliance.