Book Title: Using NIST for Security and Risk Assessment

Book Description

This book describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of Information (IT) or Operation Technology (OT) systems and supporting frameworks.  It will demonstrate that baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to any information system requiring data protection.

It further presents the application of SP.800-213 (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements) and SP.800-213A (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirement Catalog) to OT system assessment in order to determine relative compliance with recommended standards.  This approach allows organizations to evaluate the level of risk an IoT device poses to information systems.  It also reviews the current state of IoT cybersecurity and privacy protection using historical and current industry guidance & best-practices; recommendations by federal agencies; NIST publications; Executive Orders (EO) and federal law.  Similarities and differences between IoT devices and “traditional” (or classic) Information Technology (IT) hardware will be offered along with challenges IoT poses to cybersecurity and privacy protection.

An explanation of how these NIST publications align with information security and how this alignment suffices for evaluating an IT environment security will be given along with the process and procedure for performing such evaluation.