Is your organization required to be NIST 800-171 compliant? If so, you may have to put in some work to implement the necessary controls to secure your IT infrastructure in a way that is compliant with NIST 800-171 specifications.
Below is a brief checklist of what your business may need to do to become compliant. If you believe your organization to be lacking in any of these areas, CorpInfoTech is ready and willing to help you get on track.
NIST 800-171 Checklist
Compliance Scope
The first step is to understand the scope of what NIST 800-171 entails for your business. With 110 controls divided into 14 control families it may be intimidating for your business to start on your compliance journey. Taking a look at NIST 800-171 can determine what work needs to be done initially including awareness training, system boundaries, security practices already in place, etc. Determine what pieces of your network fall under the compliance boundaries and make the necessary divisions within your IT infrastructure.
Documentation
Documentation is always important. Having proof and documents outlining what work has been done to comply with regulations will be required by auditors and third-party assessors. Your compliance documentation should include system architecture, your organizations data flow process, what your system boundaries are, and what controls you have implemented. Also include what changes and controls you plan to implement in the future to mitigate any gaps in your compliance.
Gap Analysis
A quality gap analysis will determine where your weaknesses are on your way to full NIST 800-171 compliance. Include these gaps within your documentation to make sure you know what your need to fix and what controls will remedy to issue. Additionally, focus first on the most fundamental and primary controls that are to most integral to security, then work your way down the list of controls.
Plan of action
The next step once you've established where your gaps are is to create a plan of how you are going to begin implementing the necessary compliance controls. Your plan should be included in your documentation and outline what controls have been implemented, what your response plan is in case you have a breach of CUI, and the steps you will take to fill any gaps in your security. A Plan of Action & Milestones (POAM) will outline how you intend to complete this project.
Audit Documentation and Evidence
In order to become fully NIST 800-171 compliant you will need to be audited by a third-party organization. Going hand in hand with the documentation step you will need to know what your audit is specifically looking for and what steps you need to take to pass compliance. Once accomplished you must take the steps to implement any controls you will need to pass the audit. Make sure to include the details of these changes within your documentation in order to produce evidence that you have followed all the necessary requirements.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.