Let us dive deeper into the NIST 800-171 security assessment process from your perspective as an organization preparing for, undergoing, and following up on the assessment with us.
Preparation Phase
- Understand NIST 800-171 Requirements: The first step may involve understanding the NIST 800-171 guidelines. You don’t have to become an expert – that is what we are for, but at least watch a video or two on YouTube on the topic before you even start searching for an assessment company to help you get ready for certification. The official guidelines outline how to safeguard Controlled Unclassified Information (CUI). They are divided into 14 different security categories, each with its own requirements.
- Establish a Security Team: Assign a team within your organization to oversee the compliance process. This could include a project manager, IT staff, and representatives from various departments who understand the data flows and operations of the company. By ‘security team,’ we don’t mean that you necessarily have to have a dedicated security team. Just decide on who will participate in the assessment from your side. Keep in mind: whoever is present can use this opportunity to ask questions during the assessment and perhaps will be able to fix some findings even before you get the official report.
- Data Identification and Categorization: Identify the data that qualifies as CUI within your organization’s networks and systems. Once identified, categorize it according to its sensitivity and the impact it would have on your organization if compromised.
- DO NOT Conduct a Self-Assessment: We will help you review your cybersecurity controls and compare them with the NIST 800-171 requirements. Document all security policies and controls in place and note any areas where your practices do not align with the standards. You do not have to assess yourself – in fact, it is better if you don’t, regardless of whether the official guidelines ask you to do a self-assessment. If you don’t have security experts on your team, leave the process to the professionals.
- Your Auditors Create a System Security Plan (SSP): After the assessment is complete, we as your auditors will create an SSP. The SSP outlines how your organization is currently meeting the NIST 800-171 requirements. This will include implemented security controls and policies, the operational environment, and how your organization intends to meet any unimplemented security controls.
- Develop a Plan of Action and Milestones (POAM): A POAM details how your organization plans to address any shortcomings identified during the self-assessment. This includes the tasks to be accomplished, the resources required, and the projected completion dates.
Pre-Assessment Meetings
- Engage a Third-Party Assessor: Hire a third-party security consulting firm to perform the NIST 800-171 security assessment. This ensures an unbiased and comprehensive assessment.
- Initial Consultation: During the initial consultation, discuss your organization’s current state of compliance, any potential issues you’ve identified, and the timeframe for the assessment.
- Scope of the Assessment: Collaborate with the assessor to define the scope of the assessment. This typically involves specifying the systems, locations, and departments to be included.
- Pre-Assessment Meeting: Prior to the assessment, hold a meeting with the assessor and your security team. During this meeting, present your SSP and POAM, and discuss any potential issues or concerns.
Assessment Process
- Conduct the Assessment: The assessor will examine your organization’s policies, procedures, and systems to determine compliance with NIST 800-171. This may include document reviews, personnel interviews, and technical inspections of your IT infrastructure.
- Identify Shortcomings: The assessor will identify any areas where your organization’s security measures do not align with the NIST 800-171 guidelines.
- Document Findings: The assessor will document their findings in a detailed report. This report will include an overview of the assessment, identified issues, and recommendations for remediation.
Post-Assessment Meetings
- Discuss Findings: After the assessment, meet with the assessor to discuss the findings. The assessor will walk you through the report, explain any shortcomings, and suggest remedial actions.
- Develop a Revised POAM: Based on the assessment’s findings, update your POAM to address any newly identified issues.
- Implement Changes: Assign responsibilities for implementing the remedial actions outlined in the POAM. This may involve enhancing security controls, updating policies, and providing additional training for personnel.
- Post-Assessment Review: Once all remedial actions have been implemented, schedule a follow-up meeting with the assessor to verify that the changes meet NIST 800-171 requirements.
Continuous Monitoring
- Monitor Changes: Regularly review and update your security controls and policies to ensure ongoing compliance, especially when making significant changes to your systems or operations.
- Annual Assessment: Schedule annual assessments to stay on top of your organization’s compliance with NIST 800-171.
This overview offers a step-by-step guide for companies preparing for a NIST 800-171 security assessment. By taking a systematic and comprehensive approach, you can ensure your organization is well-prepared for the assessment and can address any compliance issues effectively.
Remember, each organization is unique, and the exact process may vary based on specific operational and technological circumstances. Always consult with a cybersecurity professional for tailored advice.