Death, Taxes and Compliance Updates – An Update to NIST 800-171

New updates to compliance requirements are as regular as the rising and setting of the sun. Recently, The National Institute of Standards and Technology (NIST) released an update to NIST SP 800-171, now known as SP 800-171A.

The purpose of this release was to help non-federal organizations comply with SP 800-171 by providing guidance on creating assessment plans and performing assessments to meet the security requirements. The primary focus of NIST SP 800-171 was to create a policy to handle unclassified information that requires protection. This is known as a Controlled Unclassified Information (CUI) program, and it applies to non-federal systems and organizations.

There were five areas where non-federal organizations needed direction in order to be compliant with NIST SP 800-171. SP 800-171A addressed those areas, which are as follows:

1. Identify potential problems or shortfalls in the organization’s security and risk management programs
2. Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate
3. Prioritize risk mitigation decisions and activities
4. Confirm that identified security weaknesses and deficiencies in the system and in the environment of operation have been addressed
5. Support continuous monitoring activities and provide information security situational awareness.

In the original NIST Special Publication 800-171, security requirements were broken down into fourteen families that contained the security requirements for each family group. The family groups are listed below:

CUI Security Requirement Families

• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communication Protection
• System and Information Integrity

In order to clarify the method to help assessors evaluate against these requirements, NIST provided recommendations in NIST SP 800-171A. These methods include Examine, Interview and Test.

• The Examine method involves reviewing, inspecting, observing, (Read more...)