Identifying a Certified Third Party Assessing Organization (C3PAO)
SPA Categorization
Some assessors believe that a Security Protection Asset (SPA) includes any system component that is cited in an organization's SSP as supporting evidence. Other assessors only identify as an SPA those systems that provide protection to components, as stated in the NIST 800-171 publication.
Ask your C3PAO whether they consider systems mentioned in the SSP for the purpose of providing evidence toward an assessment objective to be SPAs. Do they believe an SPA must provide a security function, such as a SIEM or EDR? The answer affects the level of effort required to provide evidence for an assessment.
NIST 800-171 states that “The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components”.
Browser used to Access CUI
Many organizations access and modify CUI documents through a web browser but have restricted the ability to download and print. Some DoD components also use the browser to access Government information; one example is the Navy's use of Flank Speed.
However, when a document is opened in a browser, the information is still processed on the endpoint. If that endpoint is not part of the organization's information system and is not controlled, it could be a finding.
Some assessors will fail an organization that uses a browser on an uncontrolled asset; others will not. As an alternative, solutions such as VDI, or technologies that deliver only a pixel representation of the browser to the endpoint, would pass assessment.
If you are using a browser to access CUI, ask your assessor whether they would fail the organization.