The process for completing either an SP.800-171r2 (medium-level security requirement) or an SP.800-172/172A (enhanced/high-level security requirement) assessment consists of satisfying each control requirement and then determining compliance for both individual and aggregate control families.
It should be stressed that SP.800-171r2 defines its control baseline as being for moderate-impact information systems; that level would cover healthcare-service providers that handle, transmit or store electronic Protected Health Information (ePHI). SP.800-172 requirements are enhancements to SP.800-171r2 and therefore offer stronger security, which would be needed for high-impact information systems. SP.800-172 contains thirty-four (34) enhanced security-control requirements, and SP.800-172A provides the assessment methods for evaluating compliance with the SP.800-172 requirements.
An advantage of using both SP.800-171r2 and SP.800-172/172A is that security assessments can be performed from the perspective of both medium- and enhanced-level security. Evaluating this way allows an organization to determine its compliance at each security level and to what extent each level is being implemented.
In addition to the control-requirement baseline, SP.800-172 introduces a new metric called Adversary Effects. Per NIST:
“…adversary effects…describe the potential effects of implementing the enhanced security requirements on risk, specifically by reducing the likelihood of threat events, the ability of threat events to cause harm, and the extent of that harm. Five high-level, desired effects on the adversary can be identified: redirect, preclude, impede, limit, and expose.”
For Adversary Effects, a simple (aggregate) matrix has been created to view the overall impact of implementing the security controls.
An example of how to apply Adversary Effects is provided in Appendix B.
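As an added illustration of the roll-up described above (satisfying each requirement, then determining individual-family and aggregate compliance at each level, plus the aggregate Adversary Effects matrix), the following Python is example code written for this page, not NIST's or any assessment tool's. The requirement IDs, families, findings and effect mappings are constructed placeholders, and the compliance rule (a family is compliant only when every one of its requirements at that level is satisfied) is an assumption.

```python
from dataclasses import dataclass

# The five desired effects on the adversary named in SP 800-172.
ADVERSARY_EFFECTS = ("redirect", "preclude", "impede", "limit", "expose")

@dataclass(frozen=True)
class Requirement:
    req_id: str          # identifier (constructed placeholders below, not NIST IDs)
    family: str          # control family the requirement belongs to
    level: str           # "171r2" (moderate baseline) or "172" (enhanced)
    satisfied: bool      # assessor's finding for this requirement
    effects: tuple = ()  # adversary effects claimed for an enhanced requirement
    def __post_init__(self):
        # Reject effects outside the five SP 800-172 names so the matrix stays well-formed.
        unknown = set(self.effects) - set(ADVERSARY_EFFECTS)
        if unknown:
            raise ValueError(f"{self.req_id}: unknown adversary effect(s) {sorted(unknown)}")

def family_compliance(reqs, level):
    """Individual-family view: compliant only if every requirement of that level in the family is satisfied."""
    findings = {}
    for r in reqs:
        if r.level == level:
            findings.setdefault(r.family, []).append(r.satisfied)
    return {fam: all(v) for fam, v in findings.items()}

def aggregate_compliance(reqs, level):
    """Aggregate view: compliant at a level only when every assessed family is compliant."""
    fams = family_compliance(reqs, level)
    return bool(fams) and all(fams.values())

def adversary_effects_matrix(reqs):
    """Aggregate Adversary Effects matrix: per effect, implemented vs. assessed enhanced requirements."""
    matrix = {e: {"implemented": 0, "total": 0} for e in ADVERSARY_EFFECTS}
    for r in reqs:
        if r.level != "172":
            continue
        for e in r.effects:
            matrix[e]["total"] += 1
            matrix[e]["implemented"] += int(r.satisfied)
    return matrix

# Constructed sample findings; IDs and effect mappings are illustrative only.
SAMPLE = [
    Requirement("AC-base-1", "Access Control", "171r2", True),
    Requirement("AC-enh-1", "Access Control", "172", True, ("preclude", "limit")),
    Requirement("AC-enh-2", "Access Control", "172", False, ("impede", "expose")),
    Requirement("IR-base-1", "Incident Response", "171r2", False),
    Requirement("IR-enh-1", "Incident Response", "172", True, ("expose",)),
]
```

With the sample findings, the moderate level fails in aggregate because Incident Response is not satisfied, the enhanced level fails because Access Control has one unsatisfied enhanced requirement, and the matrix shows "expose" at 1 of 2 and "redirect" unclaimed.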