CKSS offers a free NIST SP 800-171 gap analysis and a free white paper on DFARS compliance.
ROADMAP FOR COMPLIANCE
For compliance best practices, contractors should consider the following:
- Consult with legal counsel to determine contracts that are subject to the new rule and contractor
- Seek accounting advice to capture costs associated with implementing the security safeguards.
- Engage the services of an outside provider for advisory services, gap analysis, and implementation of required controls.
- Hire an outside consultant to conduct an independent risk assessment and, ultimately, to validate the safeguards implemented during the remediation phase.
- Conduct continuous monitoring activities.
- Contact CKSS for a more detailed approach to compliance
Below are the 14 families of security requirements in SP 800-171 that contractors must implement to protect the confidentiality of CUI:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Three requirements are carried over from control families that SP 800-171 otherwise omits: (i) CP-9 from the contingency planning family; (ii) a requirement to develop and implement a system security plan (derived from PL-2) from the planning family; and (iii) a requirement to implement system security engineering principles (derived from SA-8) from the system and services acquisition family.
To ensure that deployed security controls provide protection sufficient to address emerging threats, organizations are strongly advised to review the complete listing of SP 800-171 requirements and compare it against their own system security plans. Contractors must also go the extra mile and satisfy the nonfederal organization (NFO) controls. SP 800-171 does not spell these out because they are expected to be routinely satisfied by nonfederal organizations without specification: the government assumes the contractor already has the policies, procedures, and security plans that are the fundamental building blocks of a mature security program. For example, an incident response plan is needed to meet the DFARS 72-hour window for reporting cyber incidents, yet the incident response plan control (IR-8) is listed as an NFO control rather than as a numbered requirement.
LEARN MORE ABOUT OUR NIST DFARS TEMPLATES