NIST has released draft guidelines on assessing security requirements for controlled unclassified information, and it is inviting organizations to comment.
The publication has been developed to help organizations build assessment plans for the Controlled Unclassified Information security requirements for nonfederal systems and organizations previously set out in Special Publication 800-171. Organizations should provide assessment procedures for the CUI security requirements, defining clear objectives and specifying assessment models. They should also facilitate different levels of assurance and provide a discussion section for each CUI security requirement.
Former DHS CSO and HSToday Visiting Editor Greg Marshall gave an in-depth perspective on the importance of a regulatory framework for handling controlled unclassified information in his piece “Getting a Handle on Controlled Unclassified Information.”
“The successful expansion of the scope of the CUI Framework requires careful consideration of agency missions, requirements, and the processes by which SBU information is currently managed,” Marshall said.
The report states that non-federal organizations can use the assessment process to identify problems, shortfalls and deficiencies in the way they handle sensitive CUI and to address issues in their systems. It examines all the security requirements for handling controlled unclassified information that were outlined in previous NIST guidance, such as access control, audit and accountability, and incident response. For each security requirement, the draft report considers the best method of assessment: testing, examining or interviewing. It also considers topics around each security requirement that should be discussed — for example, the most appropriate methods of limiting unsuccessful logon attempts, or how to ensure that privacy and security notices are consistent with CUI rules.
The draft guide aims to provide a robust framework for organizations to use to build assessment and monitoring tools, to ensure that their handling of controlled unclassified information is always compliant with NIST’s security requirements.
To finalize the publication, NIST needs comments from a wide variety of organizations before March 23. “The comments we receive from the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers.”
Read the report in full here.
Comments can be submitted to [email protected].