On June 13, 2018, NIST formally released its Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI). This publication provides organizations with an assessment methodology to evaluate their compliance with the CUI security requirements defined in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which went into effect on December 31, 2017.
NIST SP 800-171 Requirements
As my colleague Mali Yared discussed in a prior post, the NIST SP 800-171 publication identifies 110 security requirements divided into 14 security families. These requirements are designed to protect the confidentiality of CUI data. However, most security professionals acknowledge that these requirements can be rather loose and highly subject to the interpretation of the reader.
For example, let’s consider requirement 3.10.5: Control and manage physical access devices. As written, organizations have considerable latitude to define their own levels of “control” and the policies and procedures that are to be put in place to “manage” devices. As a result, the requirements alone hold very little weight in terms of security and compliance.
Now that the NIST SP 800-171A Assessment publication is here, NIST has provided more structure and stringency to its sister publication. Within NIST SP 800-171A, each CUI security requirement consists of one or more assessment objectives, all of which must be met to comply with the requirement.
For example: 3.10.5: Control and manage physical access devices:
Assessment Objectives: Determine if:
3.10.5[a]: physical access devices are identified.
3.10.5[b]: physical access devices are controlled.
3.10.5[c]: physical access devices are managed.
Each assessment objective has a set of potential assessment methods: Examine, Interview, and/or Test. Organizations and assessors have the flexibility to determine the level of effort needed and the assurance required to meet each objective. Each objective is evaluated by applying the selected assessment method(s), and the outcome determines whether the requirement is Satisfied or Other Than Satisfied.
Using the example above: 3.10.5[a]: physical access devices are identified:
The assessor may choose to:
Examine: List of physical access devices
Interview: Key stakeholders (e.g., Data Center Manager, Physical Access Manager)
Test: Mechanism to identify and track physical access devices
Preparing for Compliance
As noted in the new publication, the assessment procedures are still flexible in nature and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as a) self-assessments, b) independent, third-party assessments, or c) government-sponsored assessments, all of which can be applied with various degrees of rigor based on customer-defined depth and coverage attributes. Regardless of the approach, following NIST SP 800-171A will allow the organization to ensure better security of CUI data, identify more specific gaps, and create a roadmap to compliance.
If your organization is electing to use a third-party assessor, it is ultimately up to the assessor’s professional judgment which assessment methods are selected. However, here are a few ways to prepare for success with any assessor.
- Keep your System Security Plan (SSP) as up to date as possible. Any requirements that are “Partially Implemented” or “Not Implemented” must be tracked in your Plan of Action and Milestones (POAM). These are the two most important documents for your compliance with NIST SP 800-171. And remember, the Department of Defense (DoD) and prime contractors reserve the right to obtain these documents as part of their contract determination process.
- While most organizations have an Incident Response Plan (IRP), many fail to include the necessary instructions related to responding to breaches of CUI data. DFARS 252.204-7012 includes specific requirements related to reporting capabilities, which must be documented in the IRP. In addition, ensure that the IRP is periodically tested and that roles responsible for handling and reporting CUI breaches are properly trained.
- A Data Classification Policy should define CUI and its criticality to the business. Supporting Data Handling Guidelines should state the data lifecycle (Create, Store, Use, Share, Archive, Destroy) and describe how CUI is handled and protected. These guidelines should be communicated to all users in the boundary as part of onboarding training and at least annually thereafter.
- Formally identifying and documenting aspects of the environment is essential to meeting several NIST SP 800-171A assessment objectives. For example, your organization should formally identify accounts (e.g., user, privileged, system), authorized connections (external and internal), and storage media (paper and digital).
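The roll-up rule described earlier (a requirement is Satisfied only when every one of its assessment objectives is met, each objective being checked by Examine, Interview and/or Test) and the advice above to track every unmet requirement in the POAM can be captured in a small script. This is an added example, not code from NIST or the original post; the findings for 3.10.5 are constructed, and the Method/Objective/Requirement names and the POAM row layout are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Method(Enum):
    EXAMINE = "Examine"
    INTERVIEW = "Interview"
    TEST = "Test"

@dataclass
class Objective:
    """One assessment objective (e.g. 3.10.5[a]); findings map each applied method to met/not met."""
    obj_id: str
    text: str
    findings: dict = field(default_factory=dict)   # Method -> bool

    def satisfied(self) -> bool:
        # An objective with no evidence gathered cannot be called Satisfied.
        return bool(self.findings) and all(self.findings.values())

@dataclass
class Requirement:
    req_id: str
    text: str
    objectives: list

def requirement_status(req: Requirement) -> str:
    # Per SP 800-171A, a requirement is Satisfied only when every objective is met.
    return "Satisfied" if all(o.satisfied() for o in req.objectives) else "Other Than Satisfied"

def poam_entries(reqs: list) -> list:
    """One POAM row per unmet objective, naming the method(s) that exposed the gap (assumed layout)."""
    rows = []
    for req in reqs:
        for obj in req.objectives:
            if obj.satisfied():
                continue
            failed = sorted(m.value for m, ok in obj.findings.items() if not ok)
            rows.append({"requirement": req.req_id, "objective": obj.obj_id,
                         "gap": ", ".join(failed) if failed else "no evidence gathered"})
    return rows

# Constructed sample findings for 3.10.5 (hypothetical, not results of a real assessment)
REQ_3_10_5 = Requirement("3.10.5", "Control and manage physical access devices", [
    Objective("3.10.5[a]", "physical access devices are identified", {Method.EXAMINE: True, Method.INTERVIEW: True}),
    Objective("3.10.5[b]", "physical access devices are controlled", {Method.EXAMINE: True, Method.TEST: False}),
    Objective("3.10.5[c]", "physical access devices are managed"),  # not yet assessed
])
```

Running `requirement_status(REQ_3_10_5)` on the sample yields Other Than Satisfied, and `poam_entries` produces two rows: 3.10.5[b] (failed Test) and 3.10.5[c] (no evidence gathered).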
One final reminder: At this time, neither the DoD nor any other government agency requires a formal, independent attestation or assessment against NIST SP 800-171. However, a NIST SP 800-171A Assessment can be utilized by organizations who want to demonstrate compliance and due diligence to their prime contractors or by those who want to strengthen their overall security and compliance program.