Death, Taxes and Compliance Updates – An Addition to NIST 800-171

New updates and additions to compliance requirements are as regular as the rising and setting of the sun. Recently, the National Institute of Standards and Technology (NIST) released a companion publication to NIST SP 800-171, known as SP 800-171A, that provides guidance on how organizations can assess the CUI security requirements in SP 800-171. The purpose of this release is to help non-federal organizations comply with SP 800-171 by providing guidance on creating assessment plans and performing assessments against its security requirements. The primary focus of NIST SP 800-171 was to create a set of security requirements to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. The requirements are mandatory for DoD contractors because they are referenced in the DFARS (clause 252.204-7012).

SP 800-171A addresses five ways in which non-federal organizations can use the results of an assessment to work toward and maintain compliance with SP 800-171:

- Identify potential problems or shortfalls in the organization's security and risk management programs
- Identify security weaknesses and deficiencies in its systems and in the environments in which those systems operate
- Prioritize risk mitigation decisions and activities
- Confirm that identified security weaknesses and deficiencies in the system and in the environment of operation have been addressed
- Support continuous monitoring activities and provide information security situational awareness

In the original NIST Special Publication 800-171, the security requirements were broken down into fourteen families, each containing the requirements for that family group.
The family groups are listed below.

CUI Security Requirement Families:

- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

To clarify how assessors should evaluate an organization against these requirements, NIST SP 800-171A defines three assessment methods: Examine, Interview and Test.

The Examine method involves reviewing, inspecting, observing, studying or analyzing assessment objects, which fall into the categories of specifications (policies, plans, procedures, system designs), mechanisms (the hardware, software and firmware safeguards actually in place) and activities (the protection-related actions people carry out). It is meant to help the assessor gain clarification and understanding, and to gather evidence on the present level of compliance.

The Interview method consists of holding discussions with the individuals or groups who have responsibility for the assessment objects in question. It likewise serves to give the assessor clarification, understanding or evidence as needed.

The Test method is the process of exercising assessment objects (mechanisms and activities) under specified conditions and comparing the actual behavior with the expected behavior. This is the method that produces direct evidence that a safeguard works as implemented, rather than as documented or described.

All three methods are recommended, in combination, to support the determination of compliance with the requirements in each security family. An assessor will typically examine the written policy and configuration standards, interview the staff responsible for them, and then test a sample of systems to confirm that the documented controls are actually in effect.

Chapter Three of NIST SP 800-171A gives a much more detailed breakout of the assessment procedures, methods and objects to be used for each CUI security requirement. NIST does provide some flexibility on the level of detail to be used for an assessment, based upon the assurance requirements of the particular organization; Appendix D describes the assessment methods and the depth and coverage attributes that set that level of detail.

As always, Tripwire is here to help with compliance requirements. Tripwire provides the means by which a company can measure how it would fare when the Examine, Interview and Test methods are used to check its compliance.