The National Institute of Standards and Technology has released a draft publication designed to help organizations prepare for and conduct assessments of their ability to secure controlled unclassified information (CUI) for high-value assets maintained in non-governmental systems.
The publication is foundational to levels four and five of the Defense Department's Cybersecurity Maturity Model Certification program, which focuses on the protection of CUI. DOD has more stringent requirements to address advanced persistent threat actors in the upper tiers of the program.
"Draft NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800-172," NIST said Tuesday.
The agency said, "The generalized assessment procedures are flexible, provide a framework and starting point to assess the enhanced security requirements, and can be tailored to the needs of organizations and assessors. Organizations tailor the assessment procedures by selecting specific assessment methods and objects to achieve the assessment objectives and by determining the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can be employed in self-assessments, independent third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies)."
The publication goes through 11 "assessment procedures for the CUI enhanced security requirements" that are organized into 10 "family designations to help ensure completeness and consistency of assessments." Each requirement has examples of how to examine, review and test organizations for compliance.
"NIST is seeking feedback on the assessment procedures, including the assessment objectives, determination statements, and the usefulness of the assessment objects and methods provided for each procedure," the agency said. "We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives."
The first three levels of the CMMC program are largely based on NIST Special Publication 800-171. Comments on the new draft publication designed to address levels four and five are due on June 11.
The Defense Department has considered putting out new acquisition rules related to SP 800-172 and protection against advanced persistent threats. The department is currently operating under an interim final rule to implement CMMC and is working on its first contract solicitations that will include requirements focused on the first three CMMC levels.
DOD's current plan for levels four and five is to potentially add new requirements when the final acquisition rule for CMMC is released, according to an industry source.
"We were basing levels four and five on [800-172] and from industry input," Pentagon acquisition CISO Katie Arrington told Inside Cybersecurity in January. "It is very expensive and [there are] exquisite capabilities in levels four and five. We have to use them very judiciously. We don't want companies spending money to buy security that we don't feel will be necessary to protect the Department of Defense information and national security information."
Arrington said, "As we adjudicate the rule and come to the final rule, which will be sometime in early summer, we are going to see a lot more of levels four and five. I have always been open to the fact that it may not be all of level four that is required to get to the desired outcome of security that is required and it may not be all of the requirements in level five that are required."