Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI).
The National Institute of Standards and Technology (NIST) released official guidance for contractors in the DoD supply chain for NIST SP 800-172A.
The generalized assessment procedures described in this publication provide a framework and a starting point for developing specific procedures to assess the enhanced security requirements in NIST Special Publication 800-172. The assessment procedures can be used to help generate and evaluate the relevant evidence needed to determine if the security safeguards employed by organizations are implemented correctly, operating as intended, and satisfy the enhanced security requirements. Organizations have the flexibility to tailor the assessment procedures by selecting the assessment methods and objects needed to achieve the assessment objectives. There is no expectation that every assessment method and object in an assessment procedure will be used for every assessment. In addition, there is significant flexibility in the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can support self-assessments, third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or agreements by participating parties.