4. Background
• Establishment of CUI Program: Executive Order 13556 in 2010
aimed to standardize the protection of unclassified information
through the creation of the Controlled Unclassified Information
(CUI) Program within the executive branch.
• NIST's Role: Beyond SP 800-171, NIST introduced more stringent
security requirements, particularly for CUI associated with critical
programs or high-value assets, outlined in SP 80.
5. Compliance Overview
• Legal Framework: Compliance with CUI-based guidelines involves
adherence to laws governing federal government acquisitions.
• Two Key Processes: The paper outlines two essential processes for
addressing CUI compliance:
  – emphasizing assessment procedures, and
  – continuous monitoring to mitigate risks, identify security
    vulnerabilities, and address weaknesses in targeted assets.
7. Assessment Procedures
• NIST SP 800-172 Framework: Table I outlines a systematic approach,
organized by ten requirement families, for evaluating the additional
Controlled Unclassified Information (CUI) security requirements.
• Assessor Tasks: Procedures such as examination, interviews, and
testing are employed to evaluate compliance with enhanced security
criteria.
• Depth of Focus: The depth of each assessment task is set by the
standard so that the evaluation is comprehensive.
9. Assurance Cases
• Coherent Body of Evidence: The assurance case serves as a coherent
body of evidence supporting claims of conformity to specific security
criteria, creating a comprehensive defense for the system.
• Artifact-Based Approach: Artifacts, ranging from defining security
requirements to implementing systems, serve as the primary source
of evidence for the assurance case.
• Customized Security Assessment Plans: A customized approach, as
per [SP 800-53A], ensures robust compliance confirmation, with
security assessment plans balancing assessment processes according
to organizational needs.
60. Reference
Ron Ross, Victoria Pillitteri, Kelley Dempsey, “Assessing Enhanced
Security Requirements for Controlled Unclassified Information,”
NIST Special Publication 800-172A, March 2022.