Achieving NIST 800-171 Compliance Before December 2017

By Michael Bailie • June 23, 2017

Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?

Here are 4 Simple Steps to Assess, Implement, Measure, and Maintain Compliance

  1. Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
  2. Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
  3. Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
  4. Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.

The Bottom Line

NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.

Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.

Cybersheath Blog

CMMC Compliance Dashboard: Gain New Visibility into Compliance

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance. And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to…

CMMCEnclave: Add Versatility with a More Flexible Approach

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible…

How to Offboard Your Managed Services Provider

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft