NIST Issues Guidance on Assessing Protections for Sensitive Information

The National Institute of Standards and Technology has provided guidance on how agencies can evaluate how well they protect controlled unclassified information.

According to NIST, controlled unclassified information can directly impact the federal government’s ability to conduct critical missions and functions.

NIST’s new Special Publication 800-172A specifically includes steps for assessing the implementation of SP 800-172, which contains more advanced controls intended to supplement basic ones.

The most recent guidance is voluntary for the private sector and will only apply to national security systems if approval is granted by the appropriate agency, FedScoop reported Tuesday.

SP 800-172 includes procedures for areas such as access control, awareness training, audit and accountability, configuration management, identification and authentication and incident response.

In SP 800-172A, NIST recommended building an assurance case to prove that security procedures are being implemented. The assurance case should be based on a body of evidence drawn from sources such as self-assessments, independent third-party assessments and government-sponsored assessments.

NIST said that the type of assessment depends on an organization’s needs and the type of systems it uses.

The agency added that such assessments will also prove or disprove vendor claims about the security of consumer-grade information technology products, which are typically evaluated by commercial testing organizations.

Assessors, which may be system developers, system owners, evaluators, auditors or security staffers, can also build on existing pieces of evidence gathered throughout the system deployment process, NIST said.