NIST has released Special Publication (SP) 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, to support the protection of controlled unclassified information associated with a critical program or high value asset in nonfederal systems and organizations. SP 800-172A provides federal agencies and nonfederal organizations with procedures that can be used to assess the enhanced security requirements in SP 800-172.
The assessment procedures are flexible, provide a framework and starting point to assess the enhanced security requirements, and can be tailored to the needs of organizations and assessors. Organizations tailor the assessment procedures by selecting specific assessment methods and objects to achieve the assessment objectives and by determining the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can be employed in self-assessments, independent third-party assessments, or assessments conducted by sponsoring organizations (e.g., federal agencies). Such approaches may be specified in contracts or in agreements by participating parties. The findings and evidence produced during assessments can be used by organizations to facilitate risk-based decisions related to the CUI enhanced security requirements. In addition to developing determination statements for each enhanced security requirement, NIST SP 800-172A introduces an updated structure to incorporate organization-defined parameters into the determination statements.
Please direct questions and comments to sec-cert [at] nist.gov (sec-cert[at]nist[dot]gov).