On November 28, NIST published SP 800-171A (Draft), Assessing Security Requirements for Controlled Unclassified Information. NIST SP 800-171A is intended to help businesses “develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Notably, the draft outlines procedures for all 110 controls, including the security requirement, assessment objective, potential assessment methods, and guidance. The potential assessment methods are broken down into: (1) examine, (2) interview, and (3) test, which, collectively, will “define the nature of the assessor’s actions[.]” Ultimately, the results of each assessment method will be used to satisfy the objectives for each security assessment procedure.
Appendix B is also instructive as it outlines three progressive values (basic, focused, comprehensive) for “depth” and “coverage” attributes. The attribute values for depth and coverage will depend on the “assurance requirements specified by the organization.”
- Depth – assessment rigor and level of detail
- Coverage – assessment scope or breadth
NIST SP 800-171A (DRAFT), Assessing Security Requirements for Controlled Unclassified Information
For more information, please see my previous article Cyber DFARS and Agency Evaluations (NIST SP 800-171).