<h1>CUI &#8211; RACI for NIST 800-171 Controls</h1>

<p>Published 2024-12-17 at <a href="http://mayanktrivedi.net/technotes/2024/12/17/cui-raci-for-nist-800-171-controls/">http://mayanktrivedi.net/technotes/2024/12/17/cui-raci-for-nist-800-171-controls/</a></p>

<p>Creating a RACI matrix (Responsible, Accountable, Consulted, Informed) for NIST 800-171 controls helps clarify roles and responsibilities when implementing these security requirements for the protection of Controlled Unclassified Information (CUI). Below is a high-level overview of how RACI roles can be assigned to some of the control families outlined in NIST 800-171. This is only an example; you will need to tailor it to your organization.</p>

<p><strong>NIST 800-171 Control Families and Sample RACI Matrix</strong></p>

<figure class="wp-block-image size-large"><img width="1024" height="726" src="http://mayanktrivedi.net/technotes/wp-content/uploads/2024/12/image.png" alt="Sample RACI matrix for NIST 800-171 control families" class="wp-image-219" /></figure>

<p><strong>Explanation of Roles:</strong></p>

<ul>
<li><strong>Responsible (R)</strong>: The person or people who do the work to complete the task.</li>
<li><strong>Accountable (A)</strong>: The single person who is ultimately answerable for the task&#8217;s completion.</li>
<li><strong>Consulted (C)</strong>: Those whose input is sought before a decision is made or an action is taken.</li>
<li><strong>Informed (I)</strong>: Those who are kept up to date on progress or decisions.</li>
</ul>

<p><strong>Example for Control Family: Access Control (AC)</strong></p>

<ul>
<li><strong>Responsible</strong>: IT Security Team &#8212; implements access control mechanisms, enforces least privilege, and ensures multi-factor authentication is in place.</li>
<li><strong>Accountable</strong>: CISO &#8212; accountable for ensuring access control measures are adequate and effective.</li>
<li><strong>Consulted</strong>: Risk Manager &#8212; consulted to assess the risks associated with access control decisions.</li>
<li><strong>Informed</strong>: Compliance Officer &#8212; informed of access control policies so compliance with NIST 800-171 can be tracked.</li>
</ul>

<p>This RACI matrix provides a starting point for defining who is involved in meeting NIST 800-171 requirements and what each role owns. Adjust it to fit your organization&#8217;s structure, resources, and specific compliance needs.</p>