S2 E7: Achieving NIST 800-171 Compliance Part 2

Listen to part 1 of the Achieving NIST 800-171 Compliance conversation.

Achieving NIST 800-171 Compliance Part 2

Transcript

Jordan Eisner: Welcome back to Compliance Pointers. I’m Jordan Eisner, your host, VP of Sales at Compliance Point, and today we’re going to be picking back up and concluding our Achieving NIST 800-171 Compliance Conversation with Security Consultants, Chris Abacon and Drew Wilcox.

In part 2, we’re going to explore assessing your current security program against NIST 800-171 standards, laying out a roadmap for compliance, and Chris and Drew will talk about the strategies they use when helping our customers achieve their NIST goals.

So organizations, some getting into these sort of things might not have done anything in this realm. Right. And they know that they’ve got a maybe not a huge mountain to climb, but they’ve got work to do in terms of building a security program if they want to work right on the federal side here with some of these organizations. But there are companies that fall somewhere in between that and certified, which is they have some sort of program already, right? Or maybe they’ve done something sock to ISO. I don’t know, maybe they’ll have this CSF or something, but they they have a feeling that they’ve got some good posture. They got some things to work off.

So what can organizations do to understand their existing program or how their existing program measures up to NIST requirements and what changes may be needed to become compliant with 171.

Drew Wilcox: Awesome question. You throw out a bunch of different frameworks. Let’s add those to the list, all the acronyms.

No, so I think a good part of this is really just knowing where you are. You can’t really build on anything unless you know where you’re at. It is like building a house, you can’t build the house till you have the foundation.

So, you know, really, the first step, I think, is it relates to the topic of 800-171 or, you know, if we introduce CMMC, really understanding what your requirement is and you will have that in your contracting language.

So as Chris mentioned, or as I mentioned, the FAR clause at the beginning and Chris mentioned the DFAR clause pertaining to FCI information or CUI information, knowing which one you have, because knowing which one you have will tell you which requirements that you need to meet.

OK, that’s step one. The second part, once you know what you have and you know what you have to meet, you need to understand the framework and topic of discussion is the 800-171, which is out there. And that focuses on protecting CUI. It lays out all of the requirements. It talks about basically start to end point of kind of how all this became to be. But there is another framework that goes on to this that that many know some people miss, but we’ll put it out there. It’s the NIS 800-171A and the 171A is the specific framework containing information on how you assess yourself or if you’re a third party, a C3PAO, an auditor like Chris mentioned, how you assess other organizations.

So it has all of the requirements. It talks about the different assessment methods. So, you know, testing, controls, examining or interviewing those three different methods. But the biggest thing that it has is it has the assessment objectives under every requirement, which could range from one assessment objective for one requirement or five per one requirement. But it will drill down on how you meet each requirement.

So understanding both of those frameworks on top of knowing what you have is your first two steps.

And once you kind of have a picture of what you have and what to do with it from the framework, understanding who your stakeholders are in this process, understanding their roles and responsibilities so you can know who to talk to and who owns systems or who owns data or who owns different entities of the organization. And then once you kind of move on to that, understanding where this FCI or the CUI data is sitting, you know, are you hosting it locally or are you hosting it in a cloud? Is it a hybrid environment? Really diagramming things, you know, fundamental element of IT really is diagramming and architecting.

So, you know, data flow diagrams or infrastructure diagrams or, you know, web flow diagrams for how things flow from one web application to the other. Those are kind of your three. We’ll call those your three foundational steps before you can get this get things off the ground and moving in the right direction of 800-171.

Chris Abacon: Yes, really, from this from that standpoint, at least from the NIST perspective, and in this case, 800-171. Understand that to me, 800-171 alpha, so 800-171A is really the answers to the test, right? You’re looking at, like as Drew said, this is what an auditor is, is a third party assessment. This is what an agency will be utilizing to assess the current environment of said organization.

But yeah, so really, an organization should be using 800-171 alpha, right? They should be doing a review of their current policies and procedures, right? Making sure their identity and access management is implemented, making sure they have the applicable controls implemented. And really, like a big one is really an inventory of IT assets to include hardware, software, network, data and data storage solutions.

Right. So, you know, really, that one’s really important to me because most companies out there, most will not have an IT inventory. Right. Really something secondary until it’s like for it’s that audit crunch, right? Until somebody asks for it, you’re not going to get it. But really, an IT inventory is such a huge maturity practice that I think any organization will have a huge benefit from that.

And then really, like then conducting a risk assessment, an internal risk assessment based on all of the gathered artifacts as you compare contrast to 800-171.

And really, that’s where we come into the gap analysis. Right. So you compare what you have. Let’s call it just for simplicity sake, you’ve got 110 requirements. You’re meeting 80 of them. Right. Make sure you’re comparing those requirements and really outlining which of those 30 requirements really need to be focused on and put them in that plan of action and milestones prioritized. Right. Because as mentioned earlier, we’ve got to enter your self-attestation, right? Your self-assessment into SPURS. Right.

SPURS is interesting because the point system is weird when you first look at it. So the SPURS scores go from anywhere from negative 203 to 110, which means you’ve satisfied all the requirements. Right. But to certain point requirements. So you have to make sure that you hit every wicked of a certain control based on 800-171 alpha. So you get full points for those.

So let’s say an assessment requirement has five objectives within 800-171 alpha. But if you only meet four of those, you’re not going to get full five points. Right. So that’s just one example. Really identifying those gaps and deficiencies in your control mission. That’s what’s going to bring you to that success. And that’s where that’s really where a lot of the work should be focused on.

Jordan Eisner: Did you say negative zero?

Chris Abacon: Negative 203 to 110.

Drew Wilcox: It’s reverse golf.

Chris Abacon: Yeah, reverse golf. Right.

Drew Wilcox: We’re going back to PARP.

Jordan Eisner: There you go. OK. All right. My head’s spinning.

So as organizations begin to lay out their roadmap then, right, Chris, you talked about just then the importance of the gap analysis, right?

And that’s going to uncover what do they need to know and what are some recommendations you have for starting on their roadmap, their journey towards achieving compliance?

Drew Wilcox: Yeah, so what they need to know and some recommendations that we have. Really a big thing that you need to know and some recommendations is understanding that this is a timely process. There’s a lot of data out there in the industry. And I’ll just throw out some time frames like, you know, average small to medium-sized business implementation for 800-171 could be 12 to 18 months. Just, you know, throwing out some numbers.

But a big factor with this is maturity level. So earlier, Jordan, you mentioned, you know, somebody might do an assessment against CSF. They might have been running their program off of this framework for 10 years. OK, well, they might be very mature. You might crunch that time down to two months. I don’t know. It might just be some new documentation and they’re good to go. But, you know, understanding that is a timely process and timely process is downstream of how mature you already are.

But there are other things that you need to consider, and that’s budget-related. This is a huge topic surrounding 800-171 and CMMC in the profession right now is how much this could cost. And I will not throw out a number with it. There are some recent articles released by the Pentagon last month, you know, talking about this could be anywhere from a couple thousand dollars for the lower end of 800-171. So the 15 requirements or, you know, one hundred thousand dollars plus for, you know, the 110 requirements. So, you know, factoring in the budget constraints to this as well.

And, you know, really the biggest thing of how can you figure this out? We’ve mentioned it. A gap analysis is huge. Figuring out, you know, where you sit today, developing a remediation plan to figure out how you need to get from your as is to your to-be state and just taking a step back and understanding if if that, you know, rubber can meet the meet the road there with the force you have coming against you to kind of climb this mountain.

So really, it revolves around just, you know, how mature are you right now? Understanding this is a timely process, understanding this is going to cost some money and really just understanding where you’re at to kind of build a picture of how much it’s going to take to get you where you need to go.

Chris Abacon: Yeah, absolutely. And a big part of that is a remediation plan, right? So I want to dive deeper into a little bit of the remediation plan in a POA&M. So just understanding, are you DoD affiliated? You know, just just making sure that you have that you’re making sure that you’re creating the right product for your intended audience.

Right. So just kind of diving deeper into SPURS and see the POA&M.

So what’s interesting based with this proposed rule for CMMC. So POA&M are allowed under certain conditions. But there are five hard stop. Right. There’s certain requirements. I’m not going to go into them in detail today, but there’s certain requirements that, for example, if you don’t meet them, you cannot create a POA&M.

So in addition to that, so understand that within SPURS, right, within CMMC, there’s certain requirements that are one point, three points and five points. Right. So but you cannot POA&M items with that have a SPURS score of three or five. So really that talking about statistics of that. Right. So really, 215 of the 320 assessment objectives are you cannot put in a POA&M. So those that’s about 67 percent that’s connected to a three or five point SPURS score. So really only thirty three percent or one hundred five of three hundred twenty assessment objectives can be POA&M. So those are one point score. So just want to keep that in mind to really, really focus in on those three and five pointers based on 800-171 alpha and really make sure you’re digging deep and making sure that all of those are satisfied to make it a POA&M.

Jordan Eisner: So. Safe to say you guys never worked in any of this before, right? You don’t know much.

Chris Abacon: Yeah, it’s just a little bit of experience there.

Jordan Eisner: All right. So it’s clear you guys have a plethora of knowledge in this. I know that in your time here, you’ve worked with organizations on NIST, right. And obviously previously you don’t have the ability to speak to it like you like you do without great experience in it and other security standards.

So walk us through a feel for our listeners, how you engage with customers and how you help them achieve their compliance goals for Drew and Chris specifically.

But maybe a CompliancePoint approach to a little, little shameless plug on our end. But truth be told, right, how do we approach it? How do you guys approach it with this expertise and put it into pragmatic terms and phases for your customers?

Chris Abacon: Yeah, absolutely. So really, we at CompliancePoint would really help clients really with the assessment and identification of their current security posture. So we’re lucky enough to be utilizing our GRC tool, Hyperproof, really to help us automate a lot of this process. But really, that helps us with audit preparation based on the requirements of the client. Again, they may be PCI. It doesn’t have to be 800-171. So it also helps us with really cross-organizational stakeholder identification and collaboration, making sure that we’re communicating effectively throughout the organization.

And really, part of that is that artifact discovery and production with artifacts, meaning this could be proof that or attestation, meaning that you’re doing something in support of a specific control requirement. So really, this helps us and it can help the client achieve have a full picture of the current state of their security program, as it relates to overall compliance and really reflected upon their desired framework for alignment.

Drew Wilcox: I’ll kind of rope that into a lot of the once our clients really understand where they’re sitting today on January 30th of the great year of 2024, you know, kind of outcomes from that as it surrounds 800.171, really any framework, as you know, really, a lot of document development. This can help clients, but we can assist with system security plans, which can be written up for basically any framework requirement that comes down the pipe, outlining kind of how the organization is meeting those requirements.

POA&Ms, we’ve mentioned those, your plan of action and milestones or corrective action plan, CAPS, however we want to add more acronyms, however we want to lay it out. You know, and in addition to that, you know, a POA&M and a corrective action plan is kind of pointing out those, you know, those missing items that need a little bit of love.

Chris mentioned our partnering tool, Hyperproof. You know, we can also kind of bring in Hyperproof and help folks build out a solid risk register, you know, so they can identify, assess and manage their risks more effectively. Completely automated process, which is awesome. It just promotes transparency. Right. And really being able to do, you know, let’s figure out where we are today. Let’s put these documents together so we have it in front of us.

Really, this kind of works in tandem with another goal of really helping clients understand their glaring holes within their environment, how they currently sit and kind of allows them to prioritize strategically, you know, based upon business requirements to align things that require immediate attention or future attention. I mean, ultimately increasing their security posture as we go, whether it be a three, six, nine, twelve month, you know, 18 month process and just road mapping that out.

Chris Abacon: Yeah, absolutely. And really piggybacking off that we’ve got, you know, after we’ve done all the documentation development, really we can dive into the remediation and really the program management of a client cybersecurity program. Really, if they’ve gotten any questions with implementing some of those POA&M items, so there’s going to be we’re going to have something we can help them with implementing some controls, right? It’s really dependent on the client’s level of maturity. There’s so many factors that can really dictate how an implement, how a control can be implemented.

And additionally, we do provide vCISO, program maturity and continuous monitoring and improvement to our clients. And really utilizing Hyperproof, leveraging that automation really makes it a lot more simple and streamlined.

Really, what makes us different really is the we like we embed ourselves intimately with our clients to fully understand decision makers, business risks and downstream impacts of security, security implementations, knowing really who the engineers, the analysts, the administrators are really establishing that mutual trust throughout. And then really ultimately enabling the process from a growth journey together as a team, achieving mutual interest goals.

Drew Wilcox: Solid points, Chris. It’s really funny. You know, we’ve mentioned GRC. Let’s add that as another acronym, right? Yeah, a lot of people like to like to joke that the GRC side of cybersecurity is all about Excel spreadsheets and checkboxes. But really, I think, you know, we don’t really look at this as a as a box-checking approach. You know, it’s more than just checking a box of requirements. It’s about ensuring that, you know, those we work with, our clients, our teammates, really external to us, a compliance point, you know, as cheesy as it may sound, can hit the Windows L button to lock their computer, close that lid on that thing and, you know, go home at night and know that everything that, you know, they are doing in tandem with us as a mutual team effort is ultimately fortifying them, their employees and their organization, you know, with a standard set forth by their leadership, obviously, of making sure that they’re doing their due diligence of maintaining a security posture to whatever level that that is that’s required upon them.

Jordan Eisner: Lock before you walk. That’s what they used to say. Or maybe still do. It’s virtual now, right? But you can’t trust your family.

Well, thank you, Drew. Thank you, Chris, for our listeners. If you’ve made it to this point, thank you for sticking through all the acronyms, all the background. I think it’s really insightful, really meaningful information. It’s a lot of information, but hopefully this is a channel of communicating that helps it be digested a little bit.

Right. So thank you for listening. And if you’re interested in more content like this, check us out. Compliancepoint.com, plenty of blogs, webinars, articles and other things on our website.

You can follow us on LinkedIn CompliancePoint. And I’m on LinkedIn. Drew’s on LinkedIn. Chris is on LinkedIn. So feel free to connect with us there. And if you’re enjoying the podcast, leave us a review. But until next time, thank you, everyone.