The twelfth family in the NIST SP 800-171 standard is Security Assessment (family 3.12). This family addresses how you verify that your cybersecurity processes, procedures and controls actually work as intended, and how you track and correct the ones that do not.


Why is Security Assessment important?

Cybersecurity threats change over time, so we must be ready to adapt and update our security processes and procedures. A security plan that works for us today will not be the final solution for all time. It is important to test the effectiveness of our security plan through security assessments. Security assessments should be performed regularly to test whether our security controls are in place and operating as documented, how well threats are identified, and how quickly we are able to respond to them. Through these assessments we can identify weaknesses in our processes and procedures and take the steps necessary to improve our security plan.


What is Security Assessment about in NIST 800-171?

The main focus of this family is on continuous improvement of your security plan. The key points within the Security Assessment family (requirements 3.12.1 through 3.12.3) are:

  1. Develop a security assessment plan: define which controls will be assessed, how (examining documentation, interviewing staff, or testing the control itself), how often, and by whom. Assess against the current version of the requirements, not an older copy. Maintain documentation of the testing parameters, dates and results so that you can show what was checked and what was found.
  2. Develop a plan of action for correcting any weaknesses found: a plan of action and milestones (POA&M) lists each weakness, who owns it, what will be done about it, and dated milestones to document progress. Update the plan of action regularly to reflect completed milestones and newly found weaknesses.
  3. Continuously monitor security controls: security assessment is an ongoing process, not a once-a-year snapshot. To ensure the greatest level of effectiveness, monitor controls on an ongoing basis so that a control that stops working is noticed and fed back into the plan of action before the next formal assessment.

Revision 1 of NIST SP 800-171 added a fourth requirement to this family, 3.12.4, which calls for developing, documenting and periodically updating a system security plan that describes the system boundary, the operational environment and how the requirements are implemented.
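The three points above describe a loop: assess, record the results, open a plan-of-action item for anything that failed, and keep checking. The following Python script, an added example that is not part of the original post, shows one way to keep that loop honest in code. It records who assessed each requirement, when, by what method and with what result; flags requirements that were never assessed or whose last assessment is older than the reassessment interval; opens a POA&M item for each requirement whose latest assessment failed; and reports milestones whose due date has passed. The requirement identifiers follow NIST SP 800-171 family 3.12, but the 365-day interval, the 30-day first milestone and every record in the sample data are constructed for the example and would be replaced by your own assessment plan and results.

```python
"""Continuous-monitoring helper for the NIST SP 800-171 Security Assessment family.

Added example, not from the original post. The reassessment interval, the
milestone offset and all sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Assessment:
    requirement: str        # NIST SP 800-171 requirement id, e.g. "3.12.1"
    assessed_on: date       # date of the assessment (assessment plan: "when")
    assessor: str           # who performed it (assessment plan: "by whom")
    method: str             # "examine", "interview" or "test"
    satisfied: bool         # result recorded by the assessor
    finding: str = ""       # description of the weakness when not satisfied


@dataclass
class Milestone:
    description: str
    due: date
    completed_on: Optional[date] = None


@dataclass
class PoamItem:
    """One weakness on the plan of action and milestones."""
    requirement: str
    weakness: str
    milestones: List[Milestone] = field(default_factory=list)

    def is_open(self) -> bool:
        return any(m.completed_on is None for m in self.milestones)

    def overdue(self, today: date) -> List[Milestone]:
        return [m for m in self.milestones if m.completed_on is None and m.due < today]


# Assumed reassessment interval; the organization's assessment plan sets the real one.
REASSESS_EVERY = timedelta(days=365)


def latest_by_requirement(assessments: List[Assessment]) -> Dict[str, Assessment]:
    """Most recent assessment record for each requirement."""
    latest: Dict[str, Assessment] = {}
    for a in assessments:
        if a.requirement not in latest or a.assessed_on > latest[a.requirement].assessed_on:
            latest[a.requirement] = a
    return latest


def stale_requirements(in_scope: List[str], assessments: List[Assessment],
                       today: date, interval: timedelta = REASSESS_EVERY) -> List[str]:
    """Requirements never assessed, or last assessed more than `interval` ago."""
    latest = latest_by_requirement(assessments)
    return sorted(r for r in in_scope
                  if r not in latest or today - latest[r].assessed_on > interval)


def update_poam(assessments: List[Assessment], poam: List[PoamItem], today: date,
                first_milestone_in: timedelta = timedelta(days=30)) -> List[PoamItem]:
    """Open a POA&M item for each failed requirement that has no open item yet.

    Items are never closed automatically: a milestone is completed by a person
    recording `completed_on`, which is the evidence the plan of action documents.
    """
    latest = latest_by_requirement(assessments)
    open_for = {p.requirement for p in poam if p.is_open()}
    for req, a in latest.items():
        if not a.satisfied and req not in open_for:
            poam.append(PoamItem(req, a.finding, [
                Milestone("Assign owner and remediation approach", today + first_milestone_in)]))
    return poam


def monitoring_report(in_scope: List[str], assessments: List[Assessment],
                      poam: List[PoamItem], today: date) -> dict:
    """What the continuous-monitoring review needs to act on today."""
    return {
        "stale": stale_requirements(in_scope, assessments, today),
        "open_poam": sorted(p.requirement for p in poam if p.is_open()),
        "overdue": sorted((p.requirement, m.description) for p in poam for m in p.overdue(today)),
    }


# Constructed sample data: one stale control, one failed control, one never assessed.
IN_SCOPE = ["3.12.1", "3.12.2", "3.12.3", "3.12.4"]
TODAY = date(2024, 6, 1)
ASSESSMENTS = [
    Assessment("3.12.1", date(2023, 2, 1), "internal", "examine", True),
    Assessment("3.12.2", date(2024, 3, 15), "internal", "examine", False,
               "POA&M entries have no milestone dates"),
    Assessment("3.12.3", date(2024, 3, 15), "internal", "test", True),
]
POAM: List[PoamItem] = [
    PoamItem("3.12.3", "No documented log review process", [
        Milestone("Document weekly log review", date(2024, 1, 31), completed_on=date(2024, 1, 20)),
        Milestone("Verify review evidence", date(2024, 4, 30)),
    ]),
]

if __name__ == "__main__":
    update_poam(ASSESSMENTS, POAM, TODAY)
    for key, value in monitoring_report(IN_SCOPE, ASSESSMENTS, POAM, TODAY).items():
        print(key, value)
```

Run as a script, the report lists 3.12.1 and 3.12.4 as stale (one assessed more than a year ago, one never assessed), opens a new POA&M item for 3.12.2 because its latest assessment failed, and flags the 3.12.3 milestone that passed its April due date. The design choice worth copying is that a passing assessment does not close an open POA&M item and nothing is closed by the script: the plan of action is updated only when someone records a completed milestone, which is exactly the documentation trail an assessor will ask to see.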


Check back for our next blog post and learn more about the System and Communications Protection family. You may also be interested in reading our last post on Risk Assessment.



Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.