As you work to continue toward achieving compliance with NIST 800-171, there are tools and approaches that support your journey. Compliance with that standard is required today, so it’s important that your company take action now.
CMMC is coming soon as well. Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity (DCIO(CS)), Office of the Chief Information Officer recently stated, “(Companies) need to be moving towards compliance because here in the near future once CMMC goes through the process, they are going to be required to demonstrate that compliance before they can garner an award of a contract that holds controlled unclassified information. So, there is no time like right now to comply, to figure out what you need to do. … Companies are required today to be compliant with 800-171 and so companies need to get on top of it.”
AIM is your CMMC insurance policy
At CyberSheath we have developed the AIM approach where we assess your current state, then tailor and deliver the solution to help you gain full compliance with single-source ease, efficiency, and accountability.
|Assess||Assess existing infrastructure and provide a detailed report of what is needed.||Step 1 – Assess for compliance with NIST 800-171.|
|Step 2 – Generate a system security plan (SSP).|
|Implement||Implement all elements—write all policies, plans, and time frames, install all technical controls—required for compliance.||Step 3 – Document plans of action and milestones (POA&Ms).|
|Step 4 – Implement the security requirements.|
|Manage||Continuously collect, review, and preserve evidence of your ongoing compliance. Remediate compliance gaps as you find them.||Step 5 – Maintain compliance.|
Assess current operations for compliance
Start with a gap assessment of your current people, process, and technology against compliance with NIST 800-171. When done correctly, an assessment will directly link to Control 3.12.1 of NIST 800-171 which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.” It also gives you a clear view of your current compliance with all 110 requirements and lays the foundation for you to generate an SSP and associated POA&Ms, both of which are NIST 800-171 requirements.
Implement the required controls
Your POA&Ms are your path to compliance. Executing them will probably be a full-time effort. Bear in mind that implementing the requirements will likely be the most resource intensive phase as it is a hands-on technical effort. We advise dedicating a team to the effort and having a project manager track progress. Also, don’t forget that you must flow DFARS/NIST 800-171 down to your subcontractors. Here’s a breakdown of the requirements.
Security requirements: 18 requirements worth 56 points
These requirements fall to an organization’s cybersecurity function for implementation. They include:
- Logging and Monitoring – Central collection of security-relevant log sources, along with the operational processes to monitor logs and alerts for security events.
- Vulnerability Management – The ability to evaluate the organization’s technology environment to detect and report on infrastructure and application vulnerabilities.
- Incident Response – The processes that define and operationalize the preparation, detection, triage, containment, and corrective actions as it relates to security events and incident declaration.
Technology requirements: 67 requirements worth 193 points
An organization’s IT function is responsible for implementing these items including:
- Identity and Access Management – The means to manage identity, account creation, and access management.
- Patching and Maintenance – The ability to manage updates and patching to platforms and systems that exist within the environment.
- Asset and Configuration Management – Inventorying of assets, and the ability to apply and maintain a secure configuration across technology services.
Compliance requirements: 25 requirements worth 64 points
These requirements usually are the responsibility of an organization’s compliance department to implement. Example processes that are required include:
- Security Assessment – The means to regularly assess and monitor the state of controls for an organization or system.
- System Security Planning – The mechanism to document details about an organization or system and provide narratives for how control requirements are implemented.
- Plan of Actions and Milestones – The process to document and manage corrective actions from sources such as assessment output.
Once you have implemented all of the controls, you need to plan for ongoing compliance in a way that meets the requirements as your business grows. Be sure to document and automate reporting and plan for ongoing operation expenses related to maintaining compliance. Also modify existing managed services contracts to reflect compliance requirements and update your SSP, periodically, as required.
Keep in mind that full compliance is documented, repeatable, and scalable. It incorporates:
- Shared Responsibility: The ownership for compliance never rests with a single department, employee, or vendor. Documenting those accountabilities is critical to success.
- Continuous Compliance: Auditability of compliance should be continuous to avoid regression to non-compliance. Programmatic regular validation ensures alignment with requirements. Discovery and remediation of gaps in operational or compliance capabilities should occur naturally in a well-designed program.
- Integrated People, Processes, and Technology: Focusing on licensing and technology alone will cause you to overspend and undercomply. Compliance requires the people and processes to make the technology work.
As your company pursues its compliance goals, remember that NIST and CMMC compliance can be pursued in parallel for protecting CUI. Use our AIM process to bring order to the chaos.
Following a documented, scalable, and repeatable process grounded in actual requirements will guide you to compliance. If you need any assistance, contact the experts at CyberSheath.