In June 2015 the National Institute of Standards and Technology (NIST) released Special Publication SP.800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). This publication was succeeded by SP.800-171r1 in December 2016, followed by SP.800-171r2 and its supplement SP.800-171B (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Enhanced Security Requirements for Critical Programs and High Value Assets) in June 2019. The current version of SP.800-171r2 was released in February 2020. SP.800-171B was renamed SP.800-172 (Draft) and released in July 2020.
The purpose of SP.800-171r2 is to provide non-federal organizations[1] with guidance for protecting the Confidentiality[2] of unclassified (but controlled) information. As stated in its Abstract:
This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. The requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components.
Though not specifically intended for Healthcare Delivery Organizations (HDO), the security requirements contained in SP.800-171r2 are nevertheless applicable to the healthcare sector[3]. This is due, in part, to references to NIST publications[4] by the Department of Health and Human Services (HHS) and its Office of Civil Rights (OCR) in published documents and online guidance regarding cybersecurity protections and HIPAA’s Security Rule. For example, the HHS-OCR Security Risk Assessment (SRA) Tool[5] references NIST publications in its User Guide. Moreover, vendors who develop security tools (e.g., IDS, antivirus, email protection) and Managed Security Service Providers (MSSP) often refer to NIST guidelines as “industry standards”.
In April 2021, NIST released (Draft) SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information). Per NIST, “The generalized assessment procedures described in this publication provide a framework and starting point for developing specific procedures to assess the enhanced security requirements in NIST Special Publication 800-172.”[6]
In effect, SP.800-172A uses determination statements and organization-defined parameters as procedures for meeting assessment objectives. Meeting a determination statement results in a finding of Satisfied or Other than Satisfied. It then introduces three specific assessment methods (Examine, Interview, Test)[7] for defining the “nature and extent of the assessor’s actions.” Also introduced are the associated attributes Depth and Coverage.
Examine is “the process of checking, inspecting, reviewing…to facilitate understanding, achieve clarification or obtain evidence.”
Interview is “the process of conducting discussions with individuals or groups…to facilitate understanding, achieve clarification or lead to the location of evidence.”
Test is “the process of exercising one or more assessment objects under specific conditions to compare actual with expected behavior.”
Each assessment method may contain one or more Object Specifications, Mechanisms, and Activities. These objects serve as the evidence or proof that the assessment method requirements were met.
The attributes Depth and Coverage describe the depth (i.e., rigor) and breadth (i.e., scope) of the assessment method review. For each method, one of three values (Basic, Focused, and Comprehensive) describes the level of analysis.
Basic employs “high-level reviews, checks, observations or inspections of the assessment object.”
Focused employs the above plus “more in-depth studies and analysis.”
Comprehensive employs the above plus “detailed, and thorough studies and analyses of the assessment object.”
As can be seen, each successive value represents a greater depth and breadth of analysis and review for a particular assessment method.
It should be noted that in its ‘Cautionary Note’[8] NIST states that the assessment methods and objects “do not necessarily reflect, and should not be directly associated with, compliance or noncompliance with the requirements.”
An example of how to employ the assessment methods and attributes of SP.800-172A is provided in Appendix A.
[1] Primarily federal contractors, or companies, agencies, or organizations doing business with the federal government.
[2] Confidentiality is one part of the control triad for protecting sensitive information such as Electronic Health Record(s). The other parts of the triad are Integrity and Availability. Together, they form the CIA of cybersecurity.
[3] “…processing…healthcare data;” SP.800-171r2, p. 1
[4] For example, the NIST Cybersecurity Framework and SP.800-53r5 (control catalog) are often referenced in HHS regulations concerning protection of patient information.
[5] Available at The Office of the National Coordinator for Health Information Technology, Office of Civil Rights, Department of Health and Human Services (https://www.healthit.gov/topic/priva...ssessment-tool)
[6] See ‘Cautionary Note’, p. vi
[7] SP.800-172A, Appendix C provides an extensive description and explanation of all assessment methods and attributes.
[8] Ch. 3, p. 7