NIST Releases Draft Assessment on Security Requirements for Unclassified Information

NIST has released draft guidelines on assessing security requirements for controlled unclassified information, and it is inviting organizations to comment.

The publication is intended to help organizations develop assessment plans for the Controlled Unclassified Information Security Requirements for NonFederal Systems and Organizations, previously set out in Publication 800-171. Organizations should provide assessment procedures for the CUI security requirements, defining clear objectives and specifying assessment models. They should also facilitate different levels of assurance and provide a discussion section for each CUI security requirement.

Former DHS CSO and HSToday Visiting Editor Greg Marshall gave an in-depth perspective on the importance of a regulatory framework for handling controlled unclassified information in his piece “Getting a Handle on Controlled Unclassified Information.”

“The successful expansion of the scope of the CUI Framework requires careful consideration of agency missions, requirements, and the processes by which SBU information is currently managed,” Marshall said.

The report states that non-federal organizations can use the assessment process to identify problems, shortfalls and deficiencies in the way they handle sensitive CUI and to address issues in their systems. It examines all the security requirements for handling controlled unclassified information that have been outlined in previous NIST guidance, such as access control, audits and accountability and incident response. For each security requirement, the draft report considers the best method of assessment: testing, examining or interviewing. It also considers topics around each security requirement that should be discussed, for example the most appropriate methods of limiting unsuccessful logon attempts or how to ensure that privacy and security notices are consistent with CUI rules.

The draft guide aims to provide a robust framework for organizations to use to build assessment and monitoring tools, to ensure that their handling of controlled unclassified information is always compliant with NIST’s security requirements.

To finalize the publication, NIST needs comments from a wide variety of organizations before March 23. “The comments we receive from the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.”

Read the report in full here. 

Comments can be submitted to sec-cert@nist.gov.

 
