The document is targeted at auditors—internal and external to an organization—who are set to play a central role in cybersecurity policy under a May executive order and initiatives like the Pentagon’s Cybersecurity Maturity Model Certification program.
As the government looks to tighten procurement regulations for critical software, the National Institute of Standards and Technology issued a special publication detailing appropriate ways to assess an organization’s adherence to the agency’s go-to list of enhanced security requirements for protecting controlled but unclassified information.
“Assessors obtain evidence during the assessment process to allow designated officials to make objective determinations about compliance to the CUI enhanced security requirements,” reads NIST guidance—SP 800-172A—published Tuesday. “The evidence needed to make such determinations can be obtained from various sources, including self-assessments, independent third-party assessments, government-sponsored assessments, or other types of assessments, depending on the needs of the organization establishing the requirements and the organization conducting the assessments.”
Procedures for securing classified information exist on a whole other plane, but there is plenty of information that is unclassified yet sensitive or valuable, especially to adversaries like China who covet U.S. entities’ intellectual property, officials have long warned. Such “Controlled Unclassified Information,” or CUI, is the focus of programs like the Pentagon’s Cybersecurity Maturity Model Certification program.
Pentagon officials initially made the case for CMMC around a failure of the status-quo practice of Defense contractors self-attesting their adherence to enhanced security requirements for CUI in NIST Special publication 800-171. CMMC would institute a new ecosystem of independent third-party auditors to check contractors compliance with those security controls which are also heavily referenced in NIST’s Cybersecurity Framework.
The extent to which third party assessments will be necessary under a Biden administration alteration of the Trump-era program now seems uncertain, with the possibility of some contractors being again allowed to serve the government having simply done self assessments. A May executive order following the SolarWinds hacking campaign also relies on attestations of adherence to security standards and the General Services Administration’s Federal Risk and Authorization Management program requires third-party certification of cloud providers’ security.
One way or the other, agency officials will be expected to do more work with their contractors in the near future to determine appropriate scope and assurance levels necessary for such assessments.
“Organization-defined parameters that are part of selected enhanced security requirements are included in the initial determination statements for the assessment procedure,” NIST wrote. “Assessment objects are associated with the specific items being assessed. These objects can include specifications, mechanisms, activities and individuals. Specifications are the document-based artifacts (e.g., security policies, procedures, plans, requirements, functional specifications, architectural designs) associated with a system.”
Guidance for determining the appropriate assurance levels for an agency are contained in SP-800-171 itself. The supplement released Tuesday provides examples for conducting three assessment methods—examining, interviewing and testing—for meeting those various assurance levels.
“The application of each method is described in terms of the attributes of depth and coverage, progressing from basic to focused to comprehensive,” NIST notes. “The attribute values correlate to the assurance requirements specified by the organization.”