Use these five steps to help you start navigating the cybersecurity compliance space and remain compliant within the complex requirements.
Requirement 3.12.1 of NIST 800-171 mandates that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
The assessment should cover all 14 families and 110 security requirements. It can be an internally led effort or executed by a third party. At a minimum, contractors are required to perform a basic assessment using the NIST SP 800-171 Assessment Methodology. The resulting score is then submitted through the SPRS (Supplier Performance Risk System).
Contractors are required to develop, document, and periodically update their System Security Plan (SSP) to describe system boundaries, environments of operation, security implementation procedures, and how their system interacts with others.
There’s a good chance that your SSP will be one of the first documents you will be asked to produce for an audit. It is imperative that your SSP accurately reflects your current implementation of the controls.
Requirement 3.12.2 (Plans of Action) requires contractors to develop and implement Plans of Action and Milestones (POAMs) designed to correct deficiencies and reduce or eliminate vulnerabilities in their system.
There’s a good chance that several of the 110 security requirements will not be fully implemented in your organization. These gaps should be exposed in your assessment and documented as POAMs.
Mitigate your POAMs to achieve full compliance with NIST 800-171.
Review your POAMs to set the priorities and determine who will lead the mitigation effort for each. One POAM might be as simple as updating policies and procedures, one could require the purchase of new software or hardware, and another could require the services of an entire team. The point is, you don't know until you start your assessment and make POAMs an integral part of your ongoing modernization. Remember, a POAM is a Plan of Action!
Cyber criminals do not develop a new method of attack just once a year. New cyber-attacks are now a constant for every business. To maintain compliance, it is critical to have a plan in place for both internal and external resources. Compliance should be part of your day-to-day operations, not a once-a-year drill. Your processes and procedures need to be scalable: as your organization grows, so does your exposure to data breaches.
· Develop and distribute your plan to ensure your subcontractors and suppliers meet your compliance requirements.
· Update your POAMs and SSP as your organization evolves.
· Develop a policy and the procedures to respond to and report incidents within the required 72-hour reporting period.
If you’re inexperienced at performing cybersecurity assessments, you need guidance and support from a third-party service provider or a compliance tool. Hourly rates for services can add up very quickly, putting an assessment out of reach for many small businesses. If you’re a small business, we recommend using a self-assessment tool to complete as much of the work as possible. When looking for a self-assessment tool, ask yourself the following:
Does the tool come preloaded with guidance, recommendations and templates?
ReadyCert has all of that, plus 24/7 support to help you get through everything, with no hidden fees.
ReadyCert was developed specifically to streamline compliance operations, helping businesses save time and money on their way to a more secure organization. ReadyCert simplifies the assessment process, guiding small businesses through self-assessing their solution and getting them “Ready for Certification.”
Our ReadyCert team is a combination of compliance and certification experts across multiple industries. We have performed hundreds of assessments and helped organizations from small businesses up to state agencies obtain their system certifications.
If you’d like to explore how ReadyCert can do the same for you, start a free, no-risk 30-day trial today.
5 Tips to Help You Comply with NIST 800-171 and Stay Competitive in the DoD Acquisition Process
Before you can improve, you must take an honest, in-depth look at where you’re at.