The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines—including minimum requirements for federal information systems. At the end of February, NIST released its Final Draft of Special Publication (SP) 800-171A—Assessing Security Requirements for Controlled Unclassified Information.

First proposed in November 2017, the publication is meant to provide agencies and contractors with guidance on how to conduct assessments under the prominent cybersecurity standard NIST SP 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. That standard is the foundation for how contractors must protect all forms of Controlled Unclassified Information (CUI).

NIST’s Goals for the Final Draft of SP 800-171A

NIST’s intention with this most recent publication is to help organizations develop assessment plans and conduct efficient and cost-effective assessments of the security requirements under SP 800-171. NIST believes that the Final Draft achieves this goal by:

  • Providing flexible and tailorable assessment procedures for the CUI security requirements
  • Defining assessment objectives to help guide and inform assessments of CUI security requirements
  • Specifying assessment methods that can be used to generate evidence and produce findings and results
  • Describing a set of assessment objects to which the methods can be applied
  • Facilitating different levels of assurance in security assessments by varying the scope and rigor of the assessment through selectable depth and coverage attributes
  • Providing additional discussion to explain and interpret the CUI security requirements

The Final Draft of SP 800-171A Compared to the Previous Version

Much of the substance of SP 800-171A remains unchanged from the previous version released in November 2017. NIST intends for this Final Draft to act as a “starting point for developing assessment plans and approaches that can produce the level of evidence needed for risk-based decisions or to determine compliance to the CUI security requirements.” The Final Draft also groups assessment procedures by the 14 families of security requirements and shows how an assessor could examine, interview, or test against each particular requirement at issue.

In response to initial comments requesting sample System Security Plan templates, the Final Draft explained that NIST would post samples to its Computer Security Resource Center. True to its word, NIST has posted these sample templates along with additional templates for Plan of Action and Milestones documents. The comment period remains open until March 23, 2018.

If you have any questions about SP 800-171A and how it can affect your business, please feel free to contact this post’s author, Todd Overman.