Skip to main content
Library homepage
 
Engineering LibreTexts

Book Information

  • Page ID
    84425
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

    TITLE

    Using NIST for Security and Risk Assessment

    SHORT TITLE

    Using NIST Special Publications (SP) 171r2/172 and 213/213A for Security & Risk Assessment

    SUBTITLE

    Protecting Controlled Unclassified Information (CUI) in Information and Operation Technology Systems

    SHORT DESCRIPTION

    A practical approach for applying NIST Special Publications (SP) guidance to Information (IT) and Operational (OT) technology systems. Methodology includes assessing and evaluating the security of systems containing Confidential but Unclassified Information (CUI).

    AUTHOR(S)

    Thomas P. Dover
    thomas.dover@bc3.edu

    PUBLICATION DATE

    07/10/2022

    COPYRIGHT

    Copyright 2022. Thomas P. Dover

    (2nd Edition)

    OER LICENSE

    CC-BY-NC (Creative Commons, Attribution, NonCommercial)

    BOOK TAGLINE

    Applying NIST Guidance to Cybersecurity Assessment

    PRIMARY SUBJECT

    Computer Security

    ADDITIONAL SUBJECTS

    Risk Assessment, Information Technology Industries, Network Security, Computer Science

    LONG DESCRIPTION (Abstract)

    This book describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of Information (IT) or Operation Technology (OT) systems and supporting frameworks. It will demonstrate that baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to any information system requiring data protection.

    It further presents the application of SP.800-213 (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements) and SP.800-213A (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirement Catalog) to OT system assessment in order to determine relative compliance with recommended standards. This approach allows organizations to evaluate the level of risk an IoT device poses to information systems. It also reviews the current state of IoT cybersecurity and privacy protection using historical and current industry guidance & best-practices; recommendations by federal agencies; NIST publications; Executive Orders (EO) and federal law. Similarities and differences between IoT devices and “traditional” (or classic) Information Technology (IT) hardware will be offered along with challenges IoT poses to cybersecurity and privacy protection.

    An explanation of how these NIST publications align with information security and how this alignment suffices for evaluating an IT environment security will be given along with the process and procedure for performing such evaluation.

    • Was this article helpful?