Book Title: Using NIST for Security and Risk Assessment

Subtitle: Protecting Controlled Unclassified Information (CUI) in Information and Operation Technology Systems

Author: Thomas P. Dover

Book Description: A practical approach for applying NIST Special Publications (SP) guidance to Information Technology (IT) and Operational Technology (OT) systems. The methodology includes assessing and evaluating the security of systems containing Controlled Unclassified Information (CUI).

Creative Commons Attribution NonCommercial


Book Information

Book Description

This book describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of Information Technology (IT) or Operational Technology (OT) systems and their supporting frameworks.  It will demonstrate that the baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to any information system requiring data protection.

It further presents the application of SP.800-213 (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements) and SP.800-213A (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirement Catalog) to OT system assessment in order to determine relative compliance with recommended standards.  This approach allows organizations to evaluate the level of risk an IoT device poses to information systems.  It also reviews the current state of IoT cybersecurity and privacy protection using historical and current industry guidance and best practices; recommendations by federal agencies; NIST publications; Executive Orders (EO); and federal law.  Similarities and differences between IoT devices and "traditional" (or classic) Information Technology (IT) hardware will be offered, along with the challenges IoT poses to cybersecurity and privacy protection.

An explanation of how these NIST publications align with information security, and of how this alignment suffices for evaluating the security of an IT environment, will be given along with the process and procedure for performing such an evaluation.

Using NIST for Security and Risk Assessment
Thomas P. Dover

Copyright 2022.  Thomas P. Dover.

(2nd Edition)

Primary Subject: Computer security
Additional Subject(s): Risk assessment, Information technology industries, Network security
Butler County Community College
Publication Date: June 14, 2022