Solution Spotlight: NIST 800-171 Preparation


Providing insight into what Hightower can deliver.

Under our Contracting and Consulting umbrella we offer a wide variety of services that can be leveraged by all of our clients. Our goal with these spotlights is to provide more upfront knowledge to organizations looking for more targeted solutions.

Achieving compliance.

For clients seeking government contracts, achieving NIST 800-171 compliance is essential. However, navigating the path to compliance can be daunting, especially for those new to government regulations. Clients should expect to follow the structured steps outlined below.

  • Organizations should conduct an internal audit of their Controlled Unclassified Information (CUI) posture. This audit can be facilitated by a third party like Hightower Consulting or by utilizing internal cybersecurity staff. NIST provides a detailed document outlining the specific controls necessary for government engagement.

    Throughout this process, organizations must document the controls they currently adhere to and identify those requiring action to achieve compliance.

  • After concluding the internal audit, organizations embark on implementing or improving solutions to address the identified gaps in controls.

    Throughout this phase, organizations often find that certain platforms, tools, or processes no longer meet the updated requirements and opt to introduce new solutions accordingly.

    It's essential to maintain a dynamic audit document that reflects the modifications made to existing controls and the addition of new controls to ensure comprehensive coverage.

  • Throughout the self-audit and implementation of new controls, organizations should diligently document the evidence for each control. This involves compiling the necessary documentation and organizing it into a structured format that references each control appropriately.

  • Organizations will collaborate with their DoD contract provider to initiate the verification process. The contract provider will then schedule a thorough review of the audit with a designated DoD resource. This review aims to assess whether all controls outlined in the NIST 800-171 framework are being effectively met by the organization.

  • The DoD resource tasked with reviewing the documented controls will assess whether further information is necessary or if any controls were not adequately fulfilled.

    In the event of an unsuccessful initial review, the organization will be required to devise a comprehensive remediation plan. The organization's progress will then be reviewed again at a later date.

Providing our guidance.

Engaging Hightower for NIST compliance is a personalized experience, tailored to the unique needs of each organization. Recognizing that organizations vary in their configurations and requirements, we've developed a flexible solution that offers comprehensive guidance from start to finish. Our services can be customized to fit your specific needs, whether you require project management, technical expertise, or assistance with documentation. We offer a modular approach, allowing you to select the services that best suit your organization's needs, streamlining the compliance process for optimal efficiency and effectiveness.

Contact us today to find out how Hightower can help you.
