NIST 800-171 Doesn't Have To Be Hard
If you are looking for NIST 800-171 compliant cybersecurity policies, standards, procedures, SSP and POA&M templates, then you have found the right place! That is what we do:
NIST 800-171 & CMMC 2.0 Compliance
Whether you are a prime or subcontractor, NIST 800-171 compliance is a topic that you should take very seriously. What can possibly go wrong with non-compliance in a contract with the U.S. Government?
Contract Termination. It is reasonable to expect that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS or FAR requirements, since it is a failure to uphold contract requirements. Subcontractor non-compliance may cause a prime contractor to be non-compliant. Both the prime and subcontractors face contract termination for non-compliance.
Criminal Fraud. Within the scope of the False Claims Act, if a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a contract-related tort would be negligence on the part of the accused party by not maintaining a specific code of conduct (e.g., DFARS or FAR cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. NIST 800-171 applies both to Department of Defense (DoD) contractors and to contractors to the US Federal government. Ensuring alignment with NIST 800-171 requirements does not have to be complicated, but it does need to be thorough, since not all cybersecurity frameworks will provide you with the appropriate coverage.
The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171.
Essentially, this means that only the NIST 800-53 framework is going to meet the DFARS requirements of NIST 800-171 to protect both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage, so it is best to avoid those frameworks unless there is a clear business need, which will require the addition of numerous controls to make up for their shortfalls.
Understanding NIST 800-171 Compliance
We put together a free guide to help identify what is in scope for NIST 800-171. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. When the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
When you have a firm handle on what CUI is in your environment, your next step is to identify which NIST 800-171 controls are applicable. This gap assessment will identify the controls for which you need policies, standards and procedures in place, so that you can provide evidence of both due care and due diligence.
NIST 800-171 Compliance Documentation
To quickly summarize the requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:
Cybersecurity policies, standards & procedures
System Security Plan (SSP) (requirement #3.12.4)
Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
The good news is ComplianceForge has this documentation - you can buy it online and have it in as little as the same business day!
Digital Security Program (DSP) Most popular product for organizations that must address more than just a single framework (e.g., NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). Maps to over 100 statutory, regulatory and contractual cybersecurity and privacy frameworks to create a hybrid approach to cybersecurity policies, standards, controls and metrics. Provides 1-1 mapping with the Secure Controls Framework (SCF), so you can easily align your policies, standards and metrics.
NIST-Based Written Information Security Program (WISP) NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format. The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program. Each of the NIST 800-53 rev4 families has a policy associated with it, so there are a total of 26 policies. Under each of the policies are standards that support those policy statements.
NIST 800-53 Cybersecurity Standardized Operating Procedures Template (CSOP) The NIST 800-53 version of the CSOP is a template for procedures. There is an expectation that companies demonstrate HOW cybersecurity controls are actually implemented. This is an editable Microsoft Word document. Given the difficult nature of writing templated procedure statements, we aimed for approximately an "80% solution", since it is impossible to write a 100% complete cookie-cutter procedure statement.
System Security Plan (SSP) & Plan of Action & Milestones (POA&M) Templates (SSP) These are fully editable templates. One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations. One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.
Information Assurance Program - control validation testing
Risk Management Program (RMP) The RMP addresses the “how?” questions for how your company manages risk. This is an editable Microsoft Word document that provides program-level guidance that directly supports the WISP and DSP policies and standards for managing cybersecurity risk. In summary, this addresses fundamental needs when it comes to risk management requirements: how risk is defined, who can accept risk, and how risk is calculated by defining potential impact and likelihood.
Cybersecurity Risk Assessment Template (CRAT) The CRAT supports the RMP product in answering the “how?” questions for how your company manages risk. This contains both an editable Microsoft Word document and a Microsoft Excel spreadsheet that allow for professional-quality risk assessments. The CRAT directly supports the RMP, as well as the WISP and DSP policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.
Continuity of Operations Program (COOP) The COOP addresses the “how?” questions for how your company plans to respond to disasters to maintain business continuity. This is an editable Microsoft Word document that provides program-level guidance that directly supports the WISP and DSP policies and standards for disaster recovery and business continuity operations. The concept of “continuity operations” spans incident response, disaster recovery and business continuity operations.
Vulnerability & Patch Management Program (VPMP) The VPMP addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations. This is an editable Microsoft Word document that provides program-level guidance that directly supports the WISP and DSP policies and standards for managing vulnerabilities. In summary, this addresses fundamental needs when it comes to vulnerability management requirements.
Vendor Compliance Program (VCP) The VCP addresses the “how?” questions for how your company manages risk with third parties (e.g., service providers, vendors, contractors, etc.). This is an editable Microsoft Word document that is essentially a “mini-WISP” intended to be shared with third parties, as an alternative to sharing your detailed policies and standards. The VCP contains concise cybersecurity-related expectations that your company expects its third parties to abide by.
Security & Privacy by Design (SPBD) The SPBD addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized. This is an editable Microsoft Word document that provides program-level guidance that directly supports the WISP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis. The SPBD is based on numerous frameworks, but the core is NIST 800-160.
NIST 800-171 "Easy Button"
The NIST 800-171 Compliance Program (NCP) is the most cost-effective and simple solution we offer. The NCP is as close as you can get to an "easy button" for NIST 800-171 compliance documentation, since it is entirely focused on NIST 800-171 and nothing more.
The NCP comes with all of the documentation that you need to comply with DFARS/NIST 800-171 cybersecurity requirements:
NIST 800-171 Cybersecurity Policies and Standards - policies and standards specific to NIST 800-171 that come in an editable Microsoft Word format.
NIST 800-171 Procedures - cybersecurity procedures that are directly linked to the policies and standards in an editable Microsoft Word format.
System Security Plan (SSP) Template - SSP template that is specific to documenting how your Controlled Unclassified Information (CUI) is stored, transmitted and processed.
Plan of Action & Milestones (POA&M) Template - POA&M template that allows you to easily track any control deficiencies.
Supplemental guidance documentation - in addition to an Incident Response Plan (IRP) and other useful templates, the NCP comes with a complete breakdown of all CUI and Non-Federal Organization (NFO) controls with guidance on what is expected to be in place from an auditor's perspective.