Preparing for a self-attestation of NIST 800-171

Preparing for a self-attestation of NIST 800-171 is made easy with TrustCloud! There is no certification by a third-party assessor; however, the preparation process is the same as when preparing for meeting any other compliance requirements.

The People

After you’ve made the decision to self-attest to NIST 800-171, here’s something to keep in mind when drafting your self-attestation preparation strategy. Create a task force of employees from the quality and IT teams, with support from team members familiar enough with your technical systems. Having an executive or manager who owns this process with the team is also beneficial.

The NIST 800-171 process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity and ensure you are staffed accordingly.

The Process

The process can be broken down into three major components:

Step 1: Understanding the NIST 800-171 Requirements

It is important for you to know what the NIST 800-171 requirements are and plan accordingly. NIST 800-171 is broken down into 14 families and 110 security requirements. Each family contains requirements related to the general security topic. The 14 families are:

1. Access Control – This family contains 22 requirements that deal with access to networks, systems, and information to ensure only authorized users access the system.
2. Awareness and Training: This family contains three requirements to ensure that system administrators and users are aware of security risks and related cybersecurity procedures. Employees are trained to carry out security-related roles.
3. Audit and Accountability – This family contains nine requirements, and they focus on auditing and analyzing system and event logs and regular review of the logs.
4. Configuration Management – This family contains nine requirements that cover the proper configuration of hardware, software, and devices across the organization’s system and network.
5. Identification and Authentication – This family contains 11 requirements that ensure  only authenticated users can access the organization’s network or systems.
6. Incident Response – This family contains three requirements dealing with the capability of the organization to respond to serious cybersecurity incidents.
7. Maintenance – This family contains six requirements that provide insight into best practice system and network maintenance procedures.
8. Media Protection – This family contains nine security requirements that help organizations control access to sensitive media.
9. Personnel Security – This family contains two security requirements that cover the safeguarding of CUI in relation to personnel and employees.
10. Physical Protection: This family contains six security requirements that deal with physical access to CUI within the organization, including the control of visitor access to work sites.
11. Risk Assessment: This family contains two requirements covering the performance and analysis of regular risk assessments.
12. Security Assessment: This family contains four requirements that cover the development, monitoring, and renewal of system controls, and security plans.
13. System and Communications Protection: This family contains 16 requirements covering the monitoring and safeguarding of systems and the transmission of information.
14. System and Information: This family contains seven requirements that deal with monitoring and ongoing protection of systems within the organization.

Step 2: Prepare Materials

In this step, create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. To help you achieve this, TrustCloud’s TrustOps application automates much of this process, and automatically maps your controls to the NIST 800-171 framework to assess your systems, policies, and procedures.

Step 3: Complete Internal Review and self-attest

Conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review analyzes your gaps against your level of NIST 800-171 (as well as other compliance standards such as HIPAA), and can be used as your self-assessment.