NIST 800-171A provides assessment procedures that are used during assessments of the NIST 800-171 security requirements.
Most security requirements contain multiple testable requirements, and as a result they have many determination statements.
It is critical to self-assess using the assessment procedures. An auditor will be using them, and you need to self-assess using the same level of rigor.
320 Determination Statements
NIST 800-171A includes 320 determination statements.
NIST 800-171A Assessment Procedure Structure
An assessment procedure contains the following:
- A security requirement
- An assessment objective and its associated determination statements
- Assessment methods and objects
NIST 800-171 Requirement
This is the NIST 800-171 ID and requirement language that will be assessed.Assessment Objective
The assessment objective contains determination statements.Determination Statements
The determination statements have an identifier (ie 3.1.3[b]) and a statement that will be assessed.
The determination statements are granular and decompose the requirement language into distinct testable statements.
There is usually more than one determination statement per assessment objective.Assessment Methods and Objects
Assessment Methods and Objects
The assessment methods and objects contain guidance on how the requirement can be assessed.Assessment Methods
The assessment methods include the following:
The assessment objects are in the text AFTER the assessment method (ie examine / interview / test).
NIST 800-171A provides assessment procedures for the security requirements in NIST 800-171.
An assessment procedure consists of an assessment objective, the objective's determination statement(s), and a set of potential assessment methods and assessment objects that can be used to conduct the assessment.
Assessment objectives are containers for determination statements.
Determination statements are the individual tests included in an assessment objective. An example of a determination statement is 3.1.1[a]: "Authorized users are identified."
NIST 800-171 r2
Learn about NIST 800-171 and explore its 110 security requirements.
Learn about the CMMC and explore its requirements.