This resource was created by Wendy Epley at The University of Arizona.

Users of this resource must consult supporting and resource documentation for NIST SP 800-171r2 to understand intent and context of each objective and practice. This workbook is an aid to conducting a self-assessment but does not address all elements required for a complete self-assessment.

The purpose of this workbook is to provide users who are responsible for risk management a means to honestly and truthfully self-assess security objectives outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2.
The Structure of the Workbook

| Column | Purpose | Action for User |
|---|---|---|
| A | This cell identifies the NIST SP 800-171 control number. This cell has also been hyperlinked to the NIST resource. | Users are encouraged to review the resource document to understand the context and intent of the objective requirements. |
| B | This cell identifies the NIST Control Family identifier. | No Action - Informative Only |
| C | This cell identifies the name of the Control Objective. | No Action - Informative Only |
| D | This cell contains the details of the Control Objective. | No Action - Informative Only |
| E | This cell contains the Practices of the Control Objective. | Users must review the resource document (NIST SP 800-171) to understand the context and intent of the listed practice. Organization Defined Parameters (ODPs) are the standard that should be set by your institution's central authority for Controlled Unclassified Information (CUI). |
| F | This cell references any Institutional Governance that is applicable to the NIST Practice. | Map your institutional governance (policies, standards, procedures, and guidelines) to the practice listed. Where possible, add a hyperlink to the governance for easy reference. |
| G | This cell cross-references the NIST SP 800-171 Objective to NIST SP 800-53 Objectives. | Users should review the resource document (NIST SP 800-53r5) from the NIST Cybersecurity and Privacy Reference Tool (CPRT) to understand the context and intent of the listed practice. |
| H | This cell is for Users to use the pull-down menu to select the honest and accurate status of the practice implementation. | Users will select from the pull-down menu the appropriate option for the state of the identified Practice. The state option can be modified as the Unit resolves deficiencies and the practice reaches a "Fully Implemented" state. |
| I | This cell identifies the resulting implementation state for the entire objective. If all Practices are identified as "Fully Implemented", the cell will automatically change to "TRUE". This cell is structured to help calculate the Assessment score. Practices that are identified as "Not Applicable" are not counted as implemented, and the weighted value will apply as if the objective is Not Met. | No Action - Informative Only |
| J | This cell identifies the weight value as identified by the U.S. Department of Defense Assessment Methodology. This cell is structured to help calculate the Assessment score. | No Action - Informative Only |
| K | This cell is for Users to describe in detail how a Practice is being achieved or why it is not applicable. | Users will truthfully describe the details to support the selected Practice state of "Fully Implemented" or "Not Applicable". |
| L | This cell is for Users to identify the evidence that supports the Practice being identified as "Fully Implemented" or "Not Applicable". | Users will provide the evidence that supports the implementation state of "Fully Implemented" or "Not Applicable". It is acceptable to insert a hyperlink to an internal University resource that is identified in this cell. |
| M | This cell is for Users to truthfully describe the details of why a Practice is not fully implemented. This is not intended to be a source of shame, but a source of opportunity to strengthen a Unit's security posture and address the deficiency. | Users will truthfully describe the details to support the selected Practice state of "Partially Implemented" or "Deficiency". The intent is to understand where a Unit needs to remediate and make the needed changes to strengthen its security posture for the University Information Resource. |
| N | This cell is for Users to enter an estimated date that they would like to aim for in remediating the deficient Practice. | Users will enter an estimated date by which they will strive to remediate the deficient Practice. |
| O | This cell is to identify a state for the remediation effort. For example, a User may write "Waiting on verification from MSP" or "Testing" or any other verbiage that makes sense to the User to describe where the remediation effort stands. | Users will create a brief description that identifies the current state of the remediation effort. The description is based on what makes sense for the User; there are no pull-down menu options. |
| P | This cell is for the User to enter any comments they deem relevant and appropriate to highlight actions or the state of the remediation effort. Comments should be built upon the previous entries so that a history of all comments remains in this column. | Users will build a historical record of the details related to the remediation effort. Using the [Alt] + [Enter] keys will allow users to create a new line within the same cell to add new comments. |
| Q | This cell is to identify the date the remediation effort for the deficient Practice has been completed. This date may be different from the planned implementation date [column N]. There are no penalties if the completed date is past the planned date. | Users will enter the date that the remediation effort has been fully completed. In addition, the User will also update the state of the Practice in Column H. |
The Assessment Score

The Assessment Score is automatically calculated based on the values determined on the Practice state (column H). This score is formulated using Boolean Algebra to obtain the measurement as defined in the U.S. Department of Defense Assessment Methodology. Users can use this score as a metric for measuring conformity to the NIST SP 800-171r2 Objectives identified in this workbook. A score will always start out as a negative when no Practices have been assessed. As Practice states are selected, this score will automatically adjust.
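The column H / I / J scoring mechanic described above, as an added example that is not part of the workbook (the workbook itself does this with spreadsheet formulas): constructed practice rows, the column I rule that an objective is TRUE only when every practice is "Fully Implemented" (a "Not Applicable" or still-empty practice counts as Not Met), and the deduction of each unmet objective's column J weight from a maximum score. The maximum of 110 is assumed from the DoD Assessment Methodology rather than stated on the page, and the sample weights are constructed, not looked up from the DoD table.

```python
from dataclasses import dataclass

# Practice states offered by the column H pull-down, as named on the page.
FULLY = "Fully Implemented"
PARTIAL = "Partially Implemented"
DEFICIENCY = "Deficiency"
NOT_APPLICABLE = "Not Applicable"

# Assumption: maximum score under the DoD Assessment Methodology
# (one point per NIST SP 800-171 requirement, 110 requirements).
MAX_SCORE = 110


@dataclass
class Objective:
    control: str               # column A, e.g. "3.1.1"
    weight: int                # column J (DoD weight value)
    practice_states: list[str] # column H, one entry per practice row


def objective_met(obj: Objective) -> bool:
    """Column I rule: TRUE only when every practice is Fully Implemented.
    An empty (unassessed) state or Not Applicable does not count as met."""
    return bool(obj.practice_states) and all(s == FULLY for s in obj.practice_states)


def assessment_score(objectives: list[Objective]) -> int:
    """Start at MAX_SCORE and subtract the weight of every objective that is not met.
    With the full workbook unassessed, the total deduction exceeds MAX_SCORE,
    which is why the page says the score starts out negative."""
    deduction = sum(o.weight for o in objectives if not objective_met(o))
    return MAX_SCORE - deduction


def unmet_by_weight(objectives: list[Objective]) -> list[str]:
    """Remediation view: unmet controls ordered so the costliest deductions come first."""
    unmet = [o for o in objectives if not objective_met(o)]
    return [o.control for o in sorted(unmet, key=lambda o: (-o.weight, o.control))]


# Constructed sample rows (not real assessment data; weights are illustrative).
SAMPLE = [
    Objective("3.1.1", 5, [FULLY, FULLY, FULLY]),
    Objective("3.1.2", 5, [FULLY, PARTIAL]),
    Objective("3.3.1", 5, [FULLY, FULLY, NOT_APPLICABLE]),  # N/A still scores as Not Met
    Objective("3.1.7", 1, [FULLY, FULLY]),
    Objective("3.4.9", 1, [DEFICIENCY]),
    Objective("3.5.1", 3, ["", ""]),                        # not yet assessed
]
```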
Resources: (Not a comprehensive listing)

- NIST Cybersecurity and Privacy Reference Tool: https://csrc.nist.gov/projects/cprt/catalog#/cprt/home
- DoD CIO CMMC web page: https://dodcio.defense.gov/CMMC/