Book Information

Last updated
Save as PDF

Page ID: 84425

Thomas P. Dover
Butler County Community College

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

TITLE

Using NIST for Security and Risk Assessment

SHORT TITLE

Using NIST Special Publications (SP) 171r2/172 and 213/213A for Security & Risk Assessment

SUBTITLE

Protecting Controlled Unclassified Information (CUI) in Information and Operation Technology Systems

SHORT DESCRIPTION

A practical approach for applying NIST Special Publications (SP) guidance to Information (IT) and Operational (OT) technology systems. Methodology includes assessing and evaluating the security of systems containing Confidential but Unclassified Information (CUI).

AUTHOR(S)

Thomas P. Dover
thomas.dover@bc3.edu

PUBLICATION DATE

07/10/2022

COPYRIGHT

(2^nd Edition)

OER LICENSE

CC-BY-NC (Creative Commons, Attribution, NonCommercial)

BOOK TAGLINE

Applying NIST Guidance to Cybersecurity Assessment

PRIMARY SUBJECT

Computer Security

ADDITIONAL SUBJECTS

Risk Assessment, Information Technology Industries, Network Security, Computer Science

LONG DESCRIPTION (Abstract)

This book describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of Information (IT) or Operation Technology (OT) systems and supporting frameworks. It will demonstrate that baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to any information system requiring data protection.

It further presents the application of SP.800-213 (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements) and SP.800-213A (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirement Catalog) to OT system assessment in order to determine relative compliance with recommended standards. This approach allows organizations to evaluate the level of risk an IoT device poses to information systems. It also reviews the current state of IoT cybersecurity and privacy protection using historical and current industry guidance & best-practices; recommendations by federal agencies; NIST publications; Executive Orders (EO) and federal law. Similarities and differences between IoT devices and “traditional” (or classic) Information Technology (IT) hardware will be offered along with challenges IoT poses to cybersecurity and privacy protection.

An explanation of how these NIST publications align with information security and how this alignment suffices for evaluating an IT environment security will be given along with the process and procedure for performing such evaluation.