The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. The eleventh of the 14 Families of Requirements for NIST 800-171 compliance is Risk Assessment.
What is Risk Assessment in Terms of NIST 800-171?
The Risk Assessment family of requirements addresses the identification and reduction of risk in a business environment. More specifically, a business must regularly assess the operational, asset, and individual risks associated with handling CUI, scan for vulnerabilities on a regular basis, and remediate any identified vulnerabilities in accordance with a Vulnerability Detection and Remediation Plan. Lastly, a formal risk assessment must be conducted annually. Risk Assessment consists of 1 Basic Security Requirement and 2 Derived Security Requirements.
Basic Security Requirements
- 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Derived Security Requirements
- 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- 3.11.3 Remediate vulnerabilities in accordance with risk assessments.
For more information on conducting risk assessments, check out SP 800-30. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC.
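As an added illustration of 3.11.2 and 3.11.3 (example code written for this page, not from NIST or NeQter Labs), the tracker below takes constructed scan findings and applies a hypothetical remediation plan, so that fix deadlines follow the risk assessment (whether the asset handles CUI, combined with CVSS severity) rather than scanner severity alone. Tier names, SLA days, asset names and CVE ids are all assumed placeholders.

```python
from datetime import date, timedelta

REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90, "low": 180}  # hypothetical plan values
TIER_ORDER = ["critical", "high", "moderate", "low"]  # most to least urgent

def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"

def risk_tier(score: float, handles_cui: bool) -> str:
    """Apply the risk assessment: assets that process or store CUI move up one tier."""
    idx = TIER_ORDER.index(cvss_severity(score))
    if handles_cui:
        idx = max(idx - 1, 0)
    return TIER_ORDER[idx]

def prioritize(findings: list[dict], today: date) -> list[dict]:
    """Attach tier, due date and overdue flag; order by overdue, then tier, then due date."""
    rows = []
    for f in findings:
        tier = risk_tier(f["cvss"], f["handles_cui"])
        due = f["first_seen"] + timedelta(days=REMEDIATION_SLA_DAYS[tier])
        rows.append({**f, "tier": tier, "due": due, "overdue": today > due})
    return sorted(rows, key=lambda r: (not r["overdue"], TIER_ORDER.index(r["tier"]), r["due"]))

# Constructed scan findings; asset names and CVE ids are placeholders, not real.
FINDINGS = [
    {"asset": "fileserver-01", "cve": "CVE-0000-0001", "cvss": 7.5,
     "handles_cui": True, "first_seen": date(2024, 1, 2)},
    {"asset": "kiosk-03", "cve": "CVE-0000-0002", "cvss": 9.8,
     "handles_cui": False, "first_seen": date(2024, 1, 10)},
    {"asset": "printer-07", "cve": "CVE-0000-0003", "cvss": 5.3,
     "handles_cui": False, "first_seen": date(2023, 10, 1)},
]

def report(today_iso: str = "2024-01-15") -> list[tuple]:
    """Plain tuples (asset, tier, due ISO date, overdue) for the given review date."""
    return [(r["asset"], r["tier"], r["due"].isoformat(), r["overdue"])
            for r in prioritize(FINDINGS, date.fromisoformat(today_iso))]

if __name__ == "__main__":
    for asset, tier, due, overdue in report():
        print(f"{asset:14} tier={tier:9} due={due} overdue={overdue}")
```

Note that the CUI file server outranks the kiosk despite its lower CVSS score, which is the point of remediating in accordance with the risk assessment rather than the raw scanner output.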
NeQter Labs can assist you with building the foundation for your cybersecurity and compliance program. By combining SIEM, vulnerability scanning, inventory and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that, no matter what, we can assist you with all your compliance needs. Contact us here.