What are the criteria for distinguishing mandates from informational content?

General Rule:

 

Unified Compliance differentiates mandates from informational content by adhering to the guidance provided by the Authority Document (AD). Typically, AD guidance regarding which citations constitute requirements can be found in sections such as Introduction, Purpose, or Applicability.

When an AD does not explicitly identify its requirements, Unified Compliance classifies citations as mandates when they impose an obligation. This classification is determined by analyzing the citation’s language, focusing on imperative verbs and terms such as “must” and “should.” Citations that do not impose an obligation are categorized as informational.

 

Criteria for Distinguishing Mandates from Informational Content:

 

Mandates:

• Citations explicitly identified by the AD as requirements that are subject to audit.

• Citations that create an obligation, as indicated by imperative language or the use of terms such as “must” and “should.”

ℹ️ Informational Content:

• Citations explicitly identified by the AD as informational or advisory.

• Citations that use permissive or discretionary language, such as “can” or “may.”

 

Unified Compliance applies this framework to ensure accurate classification and compliance with Authority Document directives.

 

For instance, in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, security requirements are presented as follows:

 

[Image: security requirement excerpt from NIST SP 800-171 Rev. 2]

 

We classify the bolded citation as a mandate because the Authority Document explicitly identifies it as a requirement. In contrast, we label the “Discussion” section as informational, as the introduction to Chapter 3 clarifies that this content is “informative, not normative.”

 

[Image: excerpt from NIST SP 800-171 Rev. 2]

 

If NIST SP 800-171 didn’t include this clarification, we would rely on the language used in the citation to assess whether it’s informational. The discussion section avoids imperative language or obligation-driven phrasing, instead offering explanatory content and implementation guidance.