The National Institute of Standards and Technology (NIST) issued a special publication on March 15 providing Federal agencies and private organizations further guidance on protecting unclassified information.
The publication details ways to assess an organization’s adherence to NIST’s go-to list of enhanced security requirements for protecting controlled unclassified information (CUI). The release specifically explains how to:
- Identify gaps in security and risk management programs;
- Find vulnerabilities in information systems and their environments;
- Prioritize risk mitigation;
- Confirm that vulnerabilities have been addressed;
- Support continuous monitoring; and
- Provide information security situational awareness.
The assessment procedures are flexible enough to accommodate the needs of organizations and assessors, NIST said. According to the publication, assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments. They can be carried out with varying degrees of rigor, based on customer-defined depth and coverage attributes.
The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements.
“The protection of [CUI] in Non-Federal systems and organizations is important to Federal agencies and can directly impact the ability of the Federal government to successfully carry out its assigned missions and business operations,” the publication says.
NIST acknowledged that agencies and organizations have different requirements, known threat and vulnerability information, system and platform dependencies, operational considerations, and risk tolerance.
Additionally, NIST said the guidance will not apply to national security systems without the approval of corresponding agencies – such as the Office of Management and Budget – and that adoption is voluntary for private organizations.