| Applicable (Y)es / (N)o | (C)onfidentiality (L1 / M2 / H3) | (I)ntegrity (L1 / M2 / H3) | (A)vailability (L1 / M2 / H3) | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | | | | | |

| SI-12 | Information handling and retention |
|---|---|
| | Assessment objective: Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements: |
| SI-12[1] | handles information within the information system; |
| SI-12[2] | handles output from the information system; |
| SI-12[3] | retains information within the information system; and |
| SI-12[4] | retains output from the information system. |
| | Potential assessment methods and objects: |
| | Examine: [select from: System and information integrity policy; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention; media protection policy and procedures; procedures addressing information system output handling and retention; information retention records; other relevant documents or records]. |
| | Interview: [select from: Organizational personnel with responsibility for information handling and retention; organizational personnel with information security responsibilities/network administrators]. |
| | Test: [select from: Organizational processes for information handling and retention; automated mechanisms supporting and/or implementing information handling and retention]. |