NIST Issues Guidance on Assessing Protections for Sensitive Information
According to NIST, controlled unclassified information can directly impact the federal government’s ability to conduct critical missions and functions.
The most recent guidance is voluntary for the private sector and will only apply to national security systems if approval is granted by the appropriate agency, FedScoop reported Tuesday.
SP 800-172 includes procedures for areas such as access control, awareness training, audit and accountability, configuration management, identification and authentication, and incident response.
In SP 800-172A, NIST recommended building an assurance case to prove that security procedures are being implemented. The assurance case should be based on a body of evidence drawn from sources such as self-assessments, independent third-party assessments and government-sponsored assessments.
NIST said that the type of assessment depends on an organization’s needs and the type of systems it uses.
The agency added that such assessments will also prove or disprove vendor claims about the security of consumer-grade information technology products, which are typically evaluated by commercial testing organizations.
Assessors, which may be system developers, system owners, evaluators, auditors or security staffers, can also build on existing pieces of evidence gathered throughout the system deployment process, NIST said.
Tags: assessment, Controlled Unclassified Information, cybersecurity, FedScoop, guidance, NIST, SP 800-172, SP 800-172A