The National Institute of Standards and Technology (NIST) has issued a draft document outlining procedures that federal agencies and nonfederal organizations can use to assess enhanced security requirements for controlled unclassified information (CUI).
The draft NIST Special Publication 800-172A seeks to help organizations develop evaluation plans and conduct assessments and includes procedures that can be used in self-assessments, government-sponsored assessments and independent third-party assessments, NIST said Tuesday.
“The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements,” the document reads.
The assessment procedures are arranged into 10 families: access control; awareness and training; configuration management; identification and authentication; incident response; personnel security; risk assessment; security assessment; system and communications protection; and system and information integrity.
NIST is seeking input on the procedures, including the determination statements and assessment objectives, and the approach used to integrate organization-defined parameters into determination statements for assessment objectives.
Public comments are due June 11th.