NIST published SP.800-172A (above), Assessing Enhanced Security Requirements for Controlled Unclassified Information in April 2021.
It is intended for use with SP.800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
SP.800-172A provides procedures for evaluating the coverage and depth of a security/risk assessment which, according to its abstract, “…can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements.”
SP.800-172A uses assessment methods and objects along with a set of determination statements related to the CUI security requirement. The methods are Examine, Interview and Test, each of which carries the attributes depth and coverage.
Assessments produce assurance cases for determining compliance. As defined by NIST, “An assurance case is a body of evidence organized into an argument demonstrating that some claim about a system is true”. Assurance cases aid in the determination of compliance with the security requirement.
In order to meet the requirements of SP.800-172A, a simple matrix has been created in the Security Assessment workbook covering both the methods and their attributes. This matrix is applied to each enhanced requirement, as seen at the far right of figure 1. For each method, a level (Basic, Focused or Comprehensive) is assigned to each of the depth and coverage attributes.
Figure 1: Enhanced Assessment Requirements (Depth & Coverage)
Applying the enhanced security requirement assessment is not required to complete the Security Assessment, nor does it influence the satisfaction (i.e., compliance) values (Y/N – 0, 1) or their calculation. While not designed for medium-level security assessments, its use offers a qualitative view of enhanced security compliance and, as already mentioned, can be used to develop assurance cases which aid decision-makers in determining risk and compliance.
The reader is directed to Appendix C of SP.800-172 for a complete description and discussion. Note: the assessment process, methods and procedures have also been applied to the Security Control Catalog (SP.800-53r5) and can be found in NIST SP.800-53Ar5, Assessing Security and Privacy Controls in Information Systems and Organizations, Appendix C.
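The following is an added example, not code from the Security Assessment workbook or from NIST, showing how the method/attribute matrix described above can be modelled so that the enhanced depth and coverage levels are recorded per requirement while the compliance calculation reads only the Y/N satisfaction value. The requirement identifiers (REQ-A, REQ-B, REQ-C) and all assigned levels are constructed for illustration and are not real SP.800-172 requirement numbers.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Method(Enum):
    """The three SP 800-172A assessment methods."""
    EXAMINE = "Examine"
    INTERVIEW = "Interview"
    TEST = "Test"


class Level(Enum):
    """Attribute levels for depth and coverage, ordered by rigor."""
    BASIC = 1
    FOCUSED = 2
    COMPREHENSIVE = 3


@dataclass(frozen=True)
class MethodAttributes:
    """Depth and coverage assigned to one method for one requirement."""
    depth: Level
    coverage: Level


@dataclass
class EnhancedRequirement:
    """One workbook row: the Y/N satisfaction value plus the method/attribute matrix."""
    identifier: str          # constructed placeholder id, not a real SP 800-172 number
    satisfied: bool          # the Y/N value that drives the compliance calculation
    matrix: Dict[Method, MethodAttributes] = field(default_factory=dict)

    def set_method(self, method: Method, depth: Level, coverage: Level) -> None:
        # Only the defined methods and levels are accepted; anything else is a data error.
        if not (isinstance(method, Method) and isinstance(depth, Level)
                and isinstance(coverage, Level)):
            raise ValueError("method, depth and coverage must use the defined enumerations")
        self.matrix[method] = MethodAttributes(depth, coverage)

    def lowest_rigor(self) -> Optional[Level]:
        """Weakest depth or coverage level across recorded methods (None if none recorded)."""
        levels = [lvl for attrs in self.matrix.values()
                  for lvl in (attrs.depth, attrs.coverage)]
        return min(levels, key=lambda lvl: lvl.value) if levels else None

    def methods_missing(self) -> List[Method]:
        """Methods for which no depth/coverage has been recorded yet."""
        return [m for m in Method if m not in self.matrix]


def compliance_score(requirements: List[EnhancedRequirement]) -> float:
    """Fraction of requirements satisfied. Reads only the Y/N value, mirroring the
    workbook rule that depth and coverage never affect the compliance calculation."""
    if not requirements:
        return 0.0
    return sum(1 for r in requirements if r.satisfied) / len(requirements)


def rigor_summary(requirements: List[EnhancedRequirement]) -> Dict[str, str]:
    """Qualitative view per requirement: the lowest rigor level name, or 'Not assessed'."""
    out: Dict[str, str] = {}
    for r in requirements:
        lvl = r.lowest_rigor()
        out[r.identifier] = lvl.name.title() if lvl else "Not assessed"
    return out


def build_sample() -> List[EnhancedRequirement]:
    """Constructed sample rows; identifiers and levels are made up for illustration."""
    r1 = EnhancedRequirement("REQ-A", satisfied=True)
    r1.set_method(Method.EXAMINE, Level.COMPREHENSIVE, Level.FOCUSED)
    r1.set_method(Method.INTERVIEW, Level.FOCUSED, Level.FOCUSED)
    r1.set_method(Method.TEST, Level.BASIC, Level.COMPREHENSIVE)
    r2 = EnhancedRequirement("REQ-B", satisfied=False)
    r2.set_method(Method.EXAMINE, Level.BASIC, Level.BASIC)
    r3 = EnhancedRequirement("REQ-C", satisfied=True)  # no enhanced assessment recorded
    return [r1, r2, r3]


if __name__ == "__main__":
    rows = build_sample()
    print("compliance:", compliance_score(rows))  # 2 of 3 satisfied
    print("rigor:", rigor_summary(rows))
    for r in rows:
        print(r.identifier, "missing methods:", [m.value for m in r.methods_missing()])
```

The separation between `compliance_score` and `rigor_summary` is the point: filling in, or later raising, the depth and coverage levels for a requirement changes only the qualitative view, never the satisfaction-based score, which is the behaviour the workbook rule describes.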
Finally, assessment methods, definitions and attributes have been reproduced for reference in the Security Assessment workbook.