Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?
Here are 4 simple steps to assess, implement, measure, and maintain compliance.
- Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
- Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
- Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
- Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.
NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.
Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.