Three Things to Consider Before Starting Your NIST 800-171 Implementation

By Kristen Morales • October 7, 2019

Your assessment is behind you. You have been working to create a System Security Plan (SSP) detailing a Plan of Action & Milestones (POA&Ms) based on your assessment findings.  Your goal, to remediate gaps discovered to ensure NIST 800-171 compliance with full implementation of all 110 security requirements.

Think of your SSP and POA&Ms as the required foundation and roadmap to get you to compliance. With over 110 security requirements in NIST 800-171, you need this layer of groundwork and direction to effectively tackle what is likely the most significant aspect of NIST 800-171 compliance, remediation or full implementation. So, where to start when working toward implementation?

 

3 Things to Consider Before Diving into Your NIST 800-171 Implementation:

 

1. Project Management

The SSP and POA&Ms outline the plan and timeline, but who is responsible for owning the outcome? A dedicated resource whose primary focus is ensuring the implementation of the plan is the best way to guarantee success. Implementing outstanding NIST 800-171 requirements is a large project but a project, nonetheless. By assigning a project manager, you have a clear leader to accept accountability, coach, and motivate your team. Also, they will ensure the right processes, resources, and tools are available to keep the project on schedule and within budget.

 

2. Staff Augmentation

NIST 800-171 has been a contractual obligation since December 2017, maybe you’re new to the DoD acquisition process or have been contracting with the DoD for some time. If you are the latter, there is a good chance one reason you are not compliant today is due to a lack of resources. As we all know, NIST 800-171 is in addition to your day job, so making it a priority is challenging. If you are already struggling to keep up with your day job due to constrained resources, then NIST compliance may not seem possible. If hiring a long-term employee is not an option contracting a third-party to partner with during the NIST 800-171 compliance project can help alleviate the stress of limited or already overworked staff.

 

3. Experience

Maybe you have the resources but lack the expertise.  Missing the experience, specifically, with NIST 800-171, within your team, can reduce efficiency ultimately increasing the cost.  The difference between how you handle the implementation for a tier 1 level Prime versus a small 1 to 10-person Subcontractor are significantly dissimilar, yet the same requirements apply.

We are often asked questions like, “Does CyberSheath have a list of tools for a business our size?” ” Does CyberSheath have experience implementing the NIST 800-171 controls for similar-sized businesses?”

Questions like this rely on our 10+ years of experience and 100+ successful NIST 800-171 implementations. Experience allows for decisions to be made in a manner that enables compliance as a documented, automated outcome of day-to-day operations. Hiring a third-party that has demonstrated NIST knowledge will allow your team to learn and grow through the lessons learned and best practices formed by other’s past experiences. More importantly, enable your organization to continue the work of maintaining compliance after the greater effort is complete.

 

Start Your NIST 800-171 Implementation Today

Overall, all three areas of consideration can be handled internally within your organization. The first step being your assessment to discover gaps.  Second, putting the SSP and POA&Ms in place to address those gaps. Lastly, creating a team dedicated to ensuring all 110 security requirements are implemented. However, partnering with a third-party organization will help ease the pains of growing an internal staff or burdening a current resource to manage the project. If partnering with a third-party interest you, check out our NIST Managed Services.  CyberSheath’s Managed Services are specifically designed to address the hurdles you will need to overcome during your implementation of the NIST requirements.  Learn More

 

Business photo created by pressfoto – www.freepik.com

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft