March 2022

Basic Concepts for Assessments of CUI Enhanced Security Requirements

The CUI enhanced security requirements in NIST SP 800-172 are organized into 10 families. The process for assessing the CUI enhanced security requirements includes preparing for the assessment, developing assessment plans, conducting the assessment, and analyzing the results. The CUI enhanced security requirement families are: Access Control; Awareness and Training; Configuration Management; Identification and Authentication; Incident Response; Personnel Security; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity. In our next blog post, we will walk you through the assessment procedures.


Cyber Security Incident Reporting

If you’ve been paying attention to the recent $800 million Ukrainian relief package, you may have noticed that a long-held-up aspect of US cybersecurity was included: the bipartisan Cyber Incident Reporting Act. What this means for you:

- More than 100,000 companies are covered by this bill, including all those in the defense industrial base.
- The new law allows CISA to subpoena companies that fail to report cybersecurity incidents or ransomware payments.
- Failures to comply can be referred to the Department of Justice for investigation and penalties.
- Whistleblowers have a direct email link.
- Incident reporting is a NIST/CMMC requirement.

We have developed both an Incident Response Plan and an Incident Response Policy and Procedure as part of our NIST/CMMC offering.


National Institute of Standards Official Guidance for Contractors Release March 2022

Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI). The National Institute of Standards and Technology (NIST) released NIST SP 800-172A, official assessment guidance for contractors in the DoD supply chain. The generalized assessment procedures described in this publication provide a framework and a starting point for developing specific procedures to assess the enhanced security requirements in NIST Special Publication 800-172. The assessment procedures can be used to help generate and evaluate the evidence needed to determine whether the security safeguards employed by an organization are implemented correctly, operating as intended, and satisfying the enhanced security requirements. Organizations have the flexibility to tailor the assessment procedures by selecting the assessment methods and objects needed to achieve the assessment objectives. There is no expectation that every assessment method and object in an assessment procedure will be used for every assessment. In addition, there is significant flexibility in the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can support self-assessments, third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or agreements by the participating parties.
