• Katie Johnson

NIST SP 800-171 Series: Security Assessments

Updated: Oct 12


In our continuing series highlighting the controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2, we turn our focus to Requirement 12, Security Assessment, which requires a periodic assessment of the security controls in organizational systems to determine if the controls are effective in their application. This highlight is timely as the recent updates to the FTC Safeguards Rule do require that organizations accessing customer financial data perform assessments to determine whether existing security controls are sufficient.


In Requirement 3.12.1, security controls are defined by NIST as the safeguards or countermeasures organizations implement to satisfy security requirements. A security assessment is often performed by an independent assessor or third-party and allows an organization to review both external and internal threats, as well as new vulnerabilities that may have been introduced, and ensure the implemented safeguards are appropriate and operating as intended. An external review provides an outside perspective and can often uncover risks that may otherwise have been overlooked as employees become accustomed to the way they do things or develop work arounds to complete job responsibilities, whether that leads to potential risk or not.


The assessment can help provide an overview of the organization’s security posture and helps evaluate and score the organization’s program against a globally recognized standard. As a gap assessment, it will identify additional resources or technologies that may be needed and help prioritize how to allocate available resources. It will identify weaknesses and deficiencies and provide the necessary information for security teams and senior leadership to evaluate potential risks. Management can then choose to accept the risk (and document any risk-based decisions) or implement countermeasures to address the identified risks. An assessment should also identify security strengths and areas in which the organization is doing well.


Conducting regular security assessments helps protect critical data and ensures the appropriate administrative, technical, and physical safeguards are in-place. Threats are continuously evolving within the organization as new employees are hired, additional vendor relationships are brought in, remote access is expanded with hybrid work environments, etc., as well as increasing threats from external bad actors.


When performing a security assessment, organizations should follow the steps below:

  1. Identify departments/areas within the organization that are storing, accessing, or transmitting sensitive data types. You may elect to select a sample of these areas for the initial assessment. Scheduling interviews with departmental contacts provides a more hands-on approach, which allows your organization to identify potential people gaps, not just gaps in technology.

  2. Conduct interviews and observe configurations and procedures to understand and document the security controls currently in place.

  3. Assess the maturity and completeness of those controls against the controls in the NIST SP 800-171 standard (including change/configuration management, access control, vulnerability management, media security, incident response, physical security, etc.).

  4. Collect and review all supporting information security documentation, policies, and procedures.

  5. Meet with IT/Security/Networking groups to evaluate organizational security controls and technologies that are in place.

  6. Rank the security level of any identified gaps and identify the likelihood, impact, and risk of each finding.

  7. Begin planning for remediation.


Requirement 3.12.2 of the NIST SP 800-171 states that organizations must develop and implement plans of action to address and correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.


This plan of action must describe how the organization will be meeting any unimplemented security requirements and planned mitigation efforts. Often referred to as the Plan of Action and Milestones (POA&M), this document identifies all tasks that need to be accomplished, resources needed, milestones for meeting the outlined tasks, and scheduled completion dates. This document is often required by federal agencies in order to grant access to a nonfederal organization to Controlled Unclassified Information (CUI) data or approve the ability to share data outside of the organization.


Requirement 3.12.3 requires continuous monitoring to ensure ongoing awareness of threats, vulnerabilities, and information sharing to support any of those risk-based decisions made during the initial assessment period. Keeping security information up to date and providing ongoing access to this information for executive leadership ensures the ability to make timely adjustments to decisions and implement additional controls if needed.


Requirement 3.12.4 states that organizations should develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Security plans can be a collection of organizational documents and reference the various information security policies and procedures where more detailed information can be obtained.


As mentioned above, federal agencies may ask organizations to submit system security plans and plans of action if they will be processing, storing, or transmitting CUI per contract requirements.


Assessments will not only help your organization meet necessary compliance requirements, but periodic security assessments will also provide your teams with valuable metrics and the ability to benchmark and highlight improvements from one year to the next. An assessment will help senior leadership prioritize actions and focus on necessary resource investments to improve information security across the organization and prevent unwanted (and expensive) data breaches.


For assistance or to discuss strategies around planning for security assessments for your organization, connect with your dedicated CampusGuard Customer Advocate team.

Additional guidance from the Security Advisor Team below:


[Gilmore]: Assessments are important steps to making sure your daily work remains relevant, effective, and secure. Assessments must be completed on a regular basis, and sometimes ad-hoc, to determine if changes to the environment have affected the security and processes. Setting the interval for the assessments will be determined usually by the level of risk a process has been given. To complicate this maintenance process, a review of how assessments are completed must also happen. There could be something hidden in the new process or equipment procured and no one knew to check a new “feature” that potentially can cause an issue. All controls must be checked on a regular basis to make sure they remain relevant and effective.


When CampusGuard is performing an assessment for your environment, we are on your side. We ask questions to get a good understanding of how information is requested and received. We want to know how that information is stored and processed while in the environment and how it is transmitted to other places such as third party providers. Ultimately, we are looking to make sure processes are meeting the standards for the information deemed secure. Therefore, keep in mind when we are completing these assessments that we need as much information as possible. This will allow us to give the most accurate report of the current security posture and appropriate recommendations for remediation.