Preparing for a self-attestation of NIST 800-171
There is no certification by a third-party assessor; however, the preparation process is the same as preparing to meet any other compliance requirement.
After you’ve made the decision to self-attest to NIST 800-171, here’s something to keep in mind when drafting your self-attestation preparation strategy. You may want to create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team will also be hugely beneficial.
The NIST 800-171 process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for your self-attestation. You should account for a loss in productivity, and ensure you are staffed accordingly.
The process can be broken down into three major components:
Step 1: Understanding the NIST 800-171 Requirements
It is important for you to know what the NIST 800-171 requirements are and plan accordingly. NIST 800-171 is broken down into 14 families and 110 security requirements. Each family contains requirements related to the general security topic. The 14 families are:
- Access Control – This family contains 22 requirements that deal with access to networks, systems, and information to ensure only authorized users access the system.
- Awareness and Training – Three requirements to ensure that system administrators and users are aware of security risks and related cybersecurity procedures, and that employees are trained to carry out security-related roles.
- Audit and Accountability – Nine requirements that focus on capturing, analyzing, and regularly reviewing system and event logs.
- Configuration Management – There are nine requirements that cover the proper configuration of hardware, software, and devices across the organization’s system and network.
- Identification and Authentication – There are 11 requirements that ensure only authenticated users can access the organization’s network or systems.
- Incident Response – Three requirements dealing with the capability of the organization to respond to serious cybersecurity incidents.
- Maintenance – Six requirements that provide insight into best-practice system and network maintenance procedures.
- Media Protection – There are nine security requirements that help organizations control access to sensitive media.
- Personnel Security – Two security requirements cover the safeguarding of CUI in relation to personnel and employees.
- Physical Protection – Six security requirements deal with physical access to CUI within the organization, including the control of visitor access to work sites.
- Risk Assessment – Two requirements cover the performance and analysis of regular risk assessments.
- Security Assessment – Four requirements cover the development, monitoring and renewal of system controls, and security plans.
- System and Communications Protection – 16 requirements cover the monitoring and safeguarding of systems and the transmission of information.
- System and Information Integrity – Seven requirements that deal with monitoring and ongoing protection of systems within the organization.
Step 2: Prepare Materials
In this next phase, you will create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. If you’re a TrustOps user, we’ve got your back. TrustOps helps you automate much of this process, and automatically maps your controls to the NIST 800-171 framework to make it easy for you to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, call us… we’d love to have your back, too.
Step 3: Complete Internal Review and Self-Attest
You must first conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review you get when you work with us analyzes your gaps against your level of NIST 800-171 (as well as other compliance standards such as HIPAA), and could be used as your self-assessment.