NIST SP800-172A Brief Presentation

1. NIST SP800-172A
Assessing Enhanced Security Requirements for Controlled
Unclassified Information
March 2022

2. Sajjad Hussain
MSIS-22
00000450691
shussain.msis23mcs@student.nust.edu.pk

3. Introduction

4. Background
• Establishment of CUI Program: Executive Order 13556 in 2010
aimed to standardize the protection of unclassified information
through the creation of the Controlled Unclassified Information
(CUI) Program within the executive branch.
• NIST's Role: Besides SP 800-171, NIST introduced more stringent
security protocols, particularly for CUI associated with critical
programs or high-value assets, outlined in SP 80.

5. Compliance Overview
• Legal Framework: Compliance with CUI-based guidelines involves
adherence to laws governing federal government acquisitions.
• Two Key Processes: The paper outlines two essential processes for
addressing CUI compliance:
 Emphasizing assessment procedures
 Continuous monitoring to mitigate risks, identify security vulnerabilities,
and address weaknesses in targeted assets.

6. Fundamentals

7. Assessment Procedures
• NIST SP 800-172 Framework: Table I outlines a systematic ten-step
family approach for evaluating additional Controlled Unclassified
Information (CUI) security requirements
• Assessor Tasks: Procedures such as examination, interviews, and
testing are employed to evaluate compliance with enhanced security
criteria.
• Depth of Focus: Depth of focus for assessment tasks is set according
to standards ensuring comprehensive evaluation.

8. Table 1
CUI Enhanced Security Requirement Families

9. Assurance Cases
• Coherent Body of Evidence: The assurance case serves as a coherent
body of evidence supporting claims of conformity to specific security
criteria, creating a comprehensive defense for the system.
• Artifact-Based Approach: Artifacts, ranging from defining security
requirements to implementing systems, serve as the primary source
of evidence for the assurance case.
• Customized Security Assessment Plans: A customized approach, as
per [SP 800-53A], ensures robust compliance confirmation, with
security assessment plans balancing assessment processes according
to organizational needs.

10. Procedures

11. 1. Access Control

15. 2. Awareness & Training

18. 3. Audit &
Accountability
No enhanced security requirements for audit and accountability.

19. 4. Configuration
Management

23. 5. Identification &
Authentication

27. 6. Incident Response

30. 7. Maintenance
No enhanced security requirements for maintenance.

31. 8. Media Protection
No enhanced security requirements for media protection.

32. 9. Personnel Security

35. 10. Physical Protection
No enhanced security requirements for physical protection.

36. 11. Risk Assessment

44. 12. Security Assessment

46. 13. System &
Communications
Protection

52. 14. System & Information
Integrity

60. Reference
Ron Ross, Victoria Pilliteri, Kelley Dempsey, “Assessing Enhanced
Security Requirements for Controlled Unclassified Information,”
NIST Special Publication 800-172A, March 2022.

61. Thank You!