| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | The purpose of this workbook is to provide Organization-Related Persons who are responsible for risk management within their Unit a means to honestly and truthfully self-assess security objectives outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2. | |||||||||||||||||||||||||
2 | The Structure of the Workbook | |||||||||||||||||||||||||
3 | Column | Purpose | Action for User | |||||||||||||||||||||||
4 | A | This cell identifies the NIST SP 800-171 control number. This cell has also been hyperlinked to the NIST resource. | Users are encouraged to review the resource document to understand context and intent of the objective requirements. | |||||||||||||||||||||||
5 | B | This cell identifies the NIST Control Family identifier. | No Action - Informative Only | |||||||||||||||||||||||
6 | C | This cell identifies the name of the Control Objective. | No Action - Informative Only | |||||||||||||||||||||||
7 | D | This cell contains the details of the Control Objective. | No Action - Informative Only | |||||||||||||||||||||||
8 | E | This cell contains the Practices of the Control Objective. | Users must review the resource document (NIST SP 800-171) to understand context and intent of the listed practice. Organization Defined Parameters (ODPs) are the standard that is set by the Organization's CUI Authority if the assessment is for information considered Controlled Unclassified Information (CUI). Otherwise ODPs will be based on Organization Policy or Unit defined procedures. | |||||||||||||||||||||||
9 | F | This cell references any Organizational Governance that is applicable to the NIST Practice. | Users should research other Organization Compliance Partners to understand if an Organization Policy, Standard, or Procedure exists that addresses the identified Practice. If an Organization Policy, Standard, or Procedure from another department cannot be located, then the Unit should adopt internal procedures to fully meet the requirements of the identified Practice. | |||||||||||||||||||||||
10 | G | This cell cross references the NIST SP 800-171 Objective to NIST SP 800-53 Objectives. | Users should review the resource document (NIST SP 800-53) to understand context and intent of the listed practice. | |||||||||||||||||||||||
11 | H | This cell is for Users to use the pull-down menu to select the honest and accurate status of the practice implementation. | Users will select from the pull-down menu the appropriate option for the state of the identified Practice. The state option can be modified as the Unit resolves deficiencies and the practice results in a "Fully Implemented" state. | |||||||||||||||||||||||
12 | I | This cell identifies the result of the implentation state for the entire objective. If all Practices are identified as "Fully Implemented" the cell will automatically change to "TRUE". This cell is structured to help calculate the Assessment score. Practices that are identified as "Not Applicable" are not counted as an implemented score and the weighted value will apply as if the objective is Not Met. | No Action - Informative Only | |||||||||||||||||||||||
13 | J | This cell identifies the weight value as identified by the U.S. Department of Defense 2021 Assessment Methodology. This cell is structured to help calculate the Assessment score. | No Action - Informative Only | |||||||||||||||||||||||
14 | K | This cell is for Users to describe in detail how a Practice is being achieved or why it is not applicable. | Users will truthfully describe the details to support the selected Practice state of "Fully Implemented" or "Not Applicable". | |||||||||||||||||||||||
15 | L | This cell is for Users to identify the evidence that supports the Practice being identified as "Fully Implemented" or "Not Applicable". | Users will provide the evidence that supports the implementation state of "Fully Implemented" or "Not Applicable". It is acceptable to insert a hyperlink to an internal Organization resource that is identified in this cell. | |||||||||||||||||||||||
16 | M | This cell is for Users to truthfully describe the details of why a Practice is not fully implemented. This is not intended to be a source of shame, but a source of opportunity to strengthen a Unit's security posture and address the deficiency. | Users will truthfully describe the details to support the selected Practice state that identifies "Partially Implemented" or "Deficiency". The intent is to understand where a Unit needs to remediate and make the needed changes to strengthen their security posture for the Information Resource. | |||||||||||||||||||||||
17 | N | This cell is for Users to enter an estimated date that they would like to aim for in remediating the deficient Practice. | Users will enter an estimated date that they would like to strive to remediate the deficient Practice. | |||||||||||||||||||||||
18 | O | This cell is to identify a state for the remediation effort. For example a User may write "Waiting on verification from MSP" or "Testing" or any other verbiage that makes sense to the User in where the remediation effort stands. | Users will create a brief description that identifies the current state of the remediation effort. The description is based what makes sense for the User; there is no pull-down menu options. | |||||||||||||||||||||||
19 | P | This cell is for the User to enter any comments they deem relevant and appropriate to highlight actions or state of the remediation effort. Comments should be built upon the previous entries so that a history of all comments remains in this column. | Users will build a historical record of the details related to the remediation effort. Utilizing the [Alt} + [Enter} keys will allow users to create a new line within the same cell to add new comments. | |||||||||||||||||||||||
20 | Q | This cell is to identify the date the remediation effort for the deficient Practice has been completed. This date may be different from the planned implementation date [column N]. There are no penalties if the completed date is past the planned date. | Users will enter the date that the remediation effort has been fully completed. In addition, the User will also update the state of the Practice in Column H. | |||||||||||||||||||||||
21 | The Assessment Score | |||||||||||||||||||||||||
22 | The Assessment Score is automatically calculated based on the values determined on the Practice state (column H). This score is formulated using Boolean Algebra to obtain the measurement as defined in the U.S. Department of Defense 2021 Assessment Methodology. Users can use this score as a metric for measuring conformity to the NIST SP 800-171 Objectives identified in this workbook. A score will always start out as a negative when no Practices have been assessed. As Practice states are selected, this score will automatically adjust. | |||||||||||||||||||||||||
23 | ||||||||||||||||||||||||||
24 | ||||||||||||||||||||||||||
25 | ||||||||||||||||||||||||||
26 | ||||||||||||||||||||||||||
27 | ||||||||||||||||||||||||||
28 | ||||||||||||||||||||||||||
29 | ||||||||||||||||||||||||||
30 | ||||||||||||||||||||||||||
31 | ||||||||||||||||||||||||||
32 | ||||||||||||||||||||||||||
33 | ||||||||||||||||||||||||||
34 | ||||||||||||||||||||||||||
35 | ||||||||||||||||||||||||||
36 | ||||||||||||||||||||||||||
37 | ||||||||||||||||||||||||||
38 | ||||||||||||||||||||||||||
39 | ||||||||||||||||||||||||||
40 | ||||||||||||||||||||||||||
41 | ||||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||
43 | ||||||||||||||||||||||||||
44 | ||||||||||||||||||||||||||
45 | ||||||||||||||||||||||||||
46 | ||||||||||||||||||||||||||
47 | ||||||||||||||||||||||||||
48 | ||||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||
100 | ||||||||||||||||||||||||||