In effect, the Security Assessment consists of two segments: worksheets containing questions (requirements) for the SP.800-171r2/172 Control Families (Figure 1), and worksheets containing the Snapshot summary and Compliance evaluation (Figure 2). In addition, several worksheets contain reference information that is useful when completing the Assessment.
Figure 1. Control-Family (e.g., Awareness and Training) data entry worksheet
The Control Family worksheets are used for input and are the only worksheets requiring data. The Requirement (Satisfied?) field is the only required field; all others (Satisfaction Statement, Name, Validation Point/Tool, HIPAA Security Control (Type) and Assessment Method (for Depth and Coverage)) are optional (Figure 2).
Figure 2. Control-Family (e.g., Access Control (AC)) Snapshot
Information entered into each worksheet is then used as input for the Snapshot and Compliance worksheets (note: Adversary Map data is entered manually and is not considered essential for completing the Assessment; see Appendix B for further information).
A closer view of the Control-Family worksheet (Figure 1) shows the incorporation of SP.800-172A assessment methods (Figure 3). These methods are used only to evaluate enhanced/High security requirements.
Figure 3. Assessment Method matrix
In the context of a security assessment, completion is the extent to which all questions have been answered (i.e., satisfied). Given the number of questions in the assessment[1], the more complete it is, the more accurate the results.
Compliance is defined as the extent to which an organization’s security ‘posture’ is aligned with and satisfies the individual requirements of SP.800-171r2 (Medium-security) or of SP.800-171r2 and SP.800-172 (Enhanced/High-security). Compliance establishes whether or not, for a given security control, the Validation Tool maps to the requirement. This process is especially useful for identifying security requirements that have either no associated tool or an insufficient one.
Point value and compliance percentage are computed for each control-requirement worksheet, with results displayed at the bottom of each sheet (see Figure 1). As stated earlier, this information is used as reference for the Snapshot worksheet and as input for the Compliance worksheet. The Snapshot worksheet provides an aggregate view of all Control-Family responses as well as a summary of completion and compliance (Figure 2).
Compliance is summarized via the Compliance Summary worksheet (Figure 4). All values are pulled from the individual Control Family worksheets. Optional color-coding is used to aid readability.
Figure 4. Individual and aggregate Control-Family compliance summary
A data table and radar[2] (aka spider) chart provide tabular and graphical depictions of each Control Family’s aggregate compliance value. The radar chart is especially useful for spotting deficiencies and areas that need to be addressed.
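The per-family and aggregate figures described above can be illustrated with a short script. The following is an added example, not a formula taken from the assessment workbook: it builds a few constructed Control-Family rows with the fields the worksheets use (Satisfied?, Validation Point/Tool, Assessment Method for enhanced requirements), computes completion and compliance per family, and then produces the aggregate row and the per-family series a Compliance Summary table or radar chart would plot. The scoring rules (one point per satisfied requirement; a requirement counts as compliant only when it is satisfied and has a validation tool mapped, plus an assessment method if it is an enhanced SP.800-172 requirement) are assumptions chosen for the illustration, as are the sample requirement ids and tool names.

```python
from dataclasses import dataclass
from typing import Optional

# One row of a Control-Family worksheet (field set mirrors the text above).
@dataclass
class RequirementRow:
    req_id: str
    satisfied: Optional[bool]      # None means the question is still unanswered
    validation_tool: str = ""      # optional Validation Point/Tool mapped to it
    enhanced: bool = False         # True for an SP.800-172 enhanced requirement
    assessment_method: str = ""    # Examine/Interview/Test; enhanced rows only


def is_compliant(row: RequirementRow) -> bool:
    """Assumed compliance rule: satisfied, a tool is mapped, and (for enhanced
    requirements) an assessment method is recorded."""
    if not row.satisfied or not row.validation_tool.strip():
        return False
    if row.enhanced and not row.assessment_method.strip():
        return False
    return True


def summarize_family(name: str, rows: list) -> dict:
    """Per-family numbers shown at the bottom of a Control-Family worksheet."""
    total = len(rows)
    answered = sum(1 for r in rows if r.satisfied is not None)
    satisfied = sum(1 for r in rows if r.satisfied)
    compliant = sum(1 for r in rows if is_compliant(r))
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "family": name,
        "total": total,
        "points": satisfied,                      # assumed: 1 point per satisfied req
        "completion_pct": pct(answered),
        "compliance_pct": pct(compliant),
        # gaps the text calls out: satisfied but no tool mapped, or no method
        "missing_tool": [r.req_id for r in rows
                         if r.satisfied and not r.validation_tool.strip()],
        "missing_method": [r.req_id for r in rows
                           if r.satisfied and r.enhanced
                           and not r.assessment_method.strip()],
    }


def build_summary(families: dict) -> dict:
    """Compliance Summary: per-family rows plus an aggregate across families."""
    rows = [summarize_family(name, reqs) for name, reqs in families.items()]
    all_reqs = [r for reqs in families.values() for r in reqs]
    total = len(all_reqs)
    answered = sum(1 for r in all_reqs if r.satisfied is not None)
    compliant = sum(1 for r in all_reqs if is_compliant(r))
    return {
        "families": rows,
        "aggregate": {
            "total": total,
            "completion_pct": round(100.0 * answered / total, 1) if total else 0.0,
            "compliance_pct": round(100.0 * compliant / total, 1) if total else 0.0,
        },
        # the series a radar (spider) chart would plot, one axis per family
        "radar_series": {r["family"]: r["compliance_pct"] for r in rows},
    }


# Constructed sample worksheets (ids follow the SP.800-171 numbering style;
# tool names are placeholders).
SAMPLE = {
    "AC": [
        RequirementRow("3.1.1", True, "AD group policy report"),
        RequirementRow("3.1.2", True, ""),                 # satisfied, no tool
        RequirementRow("3.1.3", False, ""),
        RequirementRow("3.1.4", None),                     # not yet answered
        RequirementRow("3.1.1e", True, "SIEM rule export", enhanced=True,
                       assessment_method="Test"),
    ],
    "AT": [
        RequirementRow("3.2.1", True, "LMS completion report"),
        RequirementRow("3.2.2", True, "LMS completion report"),
        RequirementRow("3.2.3", False, ""),
        RequirementRow("3.2.1e", True, "phishing simulation", enhanced=True),
    ],
}

if __name__ == "__main__":
    summary = build_summary(SAMPLE)
    for fam in summary["families"]:
        print(f'{fam["family"]}: completion {fam["completion_pct"]}%, '
              f'compliance {fam["compliance_pct"]}%, '
              f'no tool {fam["missing_tool"]}, no method {fam["missing_method"]}')
    print("aggregate:", summary["aggregate"])
    print("radar series:", summary["radar_series"])
```

The `missing_tool` and `missing_method` lists are the practical output: they name the requirements an organization has marked satisfied without evidence it could show an assessor, which is the gap the Compliance worksheet is meant to surface.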
An acceptable individual control-family or aggregate compliance level is left to the discretion of the organization, as there is no published or uniformly agreed-upon standard.
Regardless of the threshold chosen, compliance gives an organization an idea of how well its security posture compares to established or recommended industry standards.
[1] SP.800-171r2 contains 110 control requirements and SP.800-172 has 34; together the two publications comprise a total of 144 security-control requirements.
[2] A radar chart compares the values of three or more variables relative to a central point. It is useful when the variables cannot be compared directly and is especially good for visualizing performance analysis or survey data.