NIST SP 800-171A Assessment: Finalized Assessment Objectives Foster a Roadmap to Compliance

July 13, 2018, Mandy Pote, Senior Consultant, Cyber Risk Services, Coalfire

On June 13, 2018, NIST formally released Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI). This publication provides organizations with an assessment methodology to evaluate their compliance with the CUI security requirements defined in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which went into effect on December 31, 2017.

NIST SP 800-171 Requirements

As my colleague Mali Yared discussed in a prior post, the NIST SP 800-171 publication identifies 110 security requirements divided into 14 security families. These requirements are designed to protect the confidentiality of CUI data. However, most security professionals acknowledge that these requirements can be rather loose and highly subject to the interpretation of the reader.

For example, let’s consider requirement 3.10.5: Control and manage physical access devices. As written, organizations have considerable latitude to define their own levels of “control” and the policies and procedures that are to be put in place to “manage” devices. As a result, the requirements alone hold very little weight in terms of security and compliance.

Assessment Objectives

Now that the NIST SP 800-171A Assessment publication is here, NIST has provided more structure and stringency to its sister publication. Within NIST SP 800-171A, each CUI security requirement consists of one or more assessment objectives, all of which must be met to comply with the requirement.

For example: 3.10.5: Control and manage physical access devices:

Assessment Objectives: Determine if:

3.10.5[a]: physical access devices are identified.

3.10.5[b]: physical access devices are controlled.

3.10.5[c]: physical access devices are managed.

Each assessment objective has a set of potential assessment methods: Examine, Interview, and/or Test. Organizations and assessors have the flexibility to determine the level of effort needed and the assurance required to meet each objective. Assessment objectives are evaluated by applying the designated assessment method(s) to determine whether the requirement is Satisfied or Other Than Satisfied.

Using the example above: 3.10.5[a]: physical access devices are identified:

The assessor may choose to:

Examine: List of physical access devices

Interview: Key stakeholders (e.g., Data Center Manager, Physical Access Manager)

Test: Mechanism to identify and track physical access devices

Preparing for Compliance

As noted in the new publication, the assessment procedures are still flexible in nature and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as a) self-assessments, b) independent, third-party assessments, or c) government-sponsored assessments, all of which can be applied with various degrees of rigor based on customer-defined depth and coverage attributes. Regardless of the approach, following NIST SP 800-171A will allow the organization to ensure better security of CUI data, identify more specific gaps, and create a roadmap to compliance.

If your organization is electing to use a third-party assessor, it is ultimately up to the assessor’s professional judgment which assessment methods are selected. However, here are a few ways to prepare for success with any assessor.

  • Keep your System Security Plan (SSP) as up to date as possible. Any requirements that are “Partially Implemented” or “Not Implemented” must be tracked in your Plan of Action and Milestones (POAM). These are the two most important documents for your compliance with NIST SP 800-171. And remember, the Department of Defense (DoD) and prime contractors reserve the right to obtain these documents as part of their contract determination process.
  • While most organizations have an Incident Response Plan (IRP), many fail to include the necessary instructions related to responding to breaches of CUI data. DFARS 252.204-7012 includes specific requirements related to reporting capabilities, which must be documented in the IRP. In addition, ensure that the IRP is periodically tested and that roles responsible for handling and reporting CUI breaches are properly trained.
  • A Data Classification Policy should define CUI and its criticality to the business. Supporting Data Handling Guidelines should state the data lifecycle (Create, Store, Use, Share, Archive, Destroy) and describe how CUI is handled and protected. These guidelines should be communicated to all users in the boundary as part of onboarding training and at least annually thereafter.
  • Formally identifying and documenting aspects of the environment is essential to meeting several NIST SP 800-171A assessment objectives. For example, your organization should formally identify accounts (e.g., user, privileged, system), authorized connections (external and internal), and storage media (paper and digital).

One final reminder: At this time, neither the DoD nor any other government agency requires a formal, independent attestation or assessment against NIST SP 800-171. However, a NIST SP 800-171A assessment can be utilized by organizations who want to demonstrate compliance and due diligence to their prime contractors, or by those who want to strengthen their overall security and compliance program.

References:

NIST SP 800-171A and related publications and material can be found here:

https://csrc.nist.gov/publications/detail/sp/800-171a/final#pubs-abstract-header

Supporting blog publications:

https://www.coalfire.com/The-Coalfire-Blog/February-2018/NIST-SP-800-171-What-U-S-Government-Contractors

https://www.coalfire.com/The-Coalfire-Blog/March-2018/DFARS-7012-Compliance
