The Assumptions of 800-171
Disclaimer: This is my personal work and references other works or people who have been helpful in getting this information together. It is not the opinion or work of my employer, now or in the future, and was done on my own time. If you like what I wrote, then my employer gets credit for hiring such a smart guy. If you don’t like it, then don’t blame my employer.
Summary
There are some assumptions inherent in the controls chosen for 800-171 which influence what 800-171 is and is not intended to do. I went over how 800-171 was created and where both Basic and Derived requirements came from in my LinkedIn article "The genesis of 800-171". This article goes into detail on the assumptions NIST made when they chose the Derived Requirements.
Background
Ron Ross is listed as the first author on NIST 800-171 and has been the author most vocally discussing it at conferences and on social media over the past few years. In the cautionary note on page vi of NIST 800-171 rev2, NIST stresses that this document is focused on protecting the Confidentiality of CUI, and that Integrity ties into that at times - but not Availability. They also stress in note 17 on page 6 that the controls chosen are "a subset of the safeguarding measures that are necessary for a comprehensive information security program" (emphasis by NIST). This additional context ensures that we understand that 800-171 is not intended to provide a complete security program; rather, it specifies the controls the federal government requires to be part of your security program.
Also note that NIST determined that the moderate control baseline from 800-53 rev 4 was the requirement they had to work from. They tailored the moderate baseline into four categories, and carried only one of those categories into the controls of 800-171. They did not tailor any additional controls or control enhancements into 800-171 above the moderate baseline.
The categories that they tailored these into are:
1. FED controls are ones that were determined as applying only to federal systems.
2. NCO controls are not directly related to the confidentiality of CUI.
3. NFO controls are expected to be routinely satisfied by nonfederal organizations without specification, meaning that NIST did not think they needed to be required.
4. CUI controls are the ones that they turned into the 110 requirements of 800-171.
The NFO controls are listed in Appendix E of 800-171 and are some of the most discussed (and argued) portions of 800-171. These controls are assumed by NIST to already be in place at a company, so they were not required within the 110 controls. Many of them are needed to meet some of the CUI controls, and they were explicitly required within CMMC version 1.0. There will likely be changes to the four control types in 800-171 rev3, which is expected to be out later in 2022.
Principal Cyber Strategy Liaison
2 years
Thank you for this post.
Cyber Security and Networking | Technology Addict | Marine Corps Veteran |
2 years
Like the mini article. I’ll definitely go and check out the others you have done. Not sure if you know Jax S or Gerald Auger, Ph.D. They have talked about the CMMC 2.0 release among many other topics you might find interesting.