Seven Items to Check Off Now If You’re a Defense Contractor

Sometimes the hardest part of any process is knowing how to get started. In the case of complying with NIST SP 800-171r2 and ultimately CMMC, a lot of action items are landing on defense contractors at once. Which ones should be checked off the list first? What are the top priorities?

Here is a list of seven items that represent good starting points if you are beginning your journey toward NIST compliance and CMMC certification.

Confirm You Need to Comply

Even if the company you are contract manufacturing for tells you that you need to comply with NIST 800-171, it is okay to confirm that you really have to proceed. The best way to approach this is to ask what CUI (Controlled Unclassified Information) you will be processing or storing as part of the contract, and to check which DFARS clauses are flowed down to you in the contract itself. If you will not be handling, processing, or storing CUI, you do not need to comply with the NIST 800-171 standard. Get that determination in writing from the prime so that the decision is defensible later.

Make Sure You Understand the CMMC Levels

While the original CMMC 1.0 included five security levels, CMMC 2.0 will have three. Make sure you understand these clearly and know at which level you will be operating. The level makes a difference primarily in how you are assessed and who is able to execute the assessment: Level 1 relies on an annual self-assessment, Level 2 is aligned with the 110 controls of NIST SP 800-171 and, for most contracts, requires an assessment by a third-party assessor (C3PAO), and Level 3 is assessed by the government.

Determine Your Scope

Some companies may think that because they store or handle CUI, the whole company has to be in scope for a NIST assessment. This is not the case. The part of the company that handles or stores CUI can be placed in an enclave, reducing the size of the assessment and the time needed to complete it. Keep in mind that an enclave only reduces scope if CUI genuinely cannot flow outside it: the boundary has to be enforced (for example by network segmentation and access controls) and documented, and any shared services that touch the enclave, such as identity, email, or backups, come into scope with it. If you are not sure how you should set your scope, it is a good idea to invest in a consultant, or contact us to speak with our experts.

Find a Good Consultant

When selecting a consultant, it is important to make sure the company or person selected is knowledgeable about NIST 800-171 and CMMC. It is just as important that they have the ability to help prepare you for your assessment. One of the best sources for finding credible consultants is the C3PAO marketplace.

Work on Your SSP and POAMs

Don't worry if you can't remember what these acronyms stand for: the SSP is your System Security Plan, which describes how each control is implemented in your environment, and a POAM (Plan of Action and Milestones) tracks the controls you have not yet met, who owns them, and when they will be closed. You can learn more about SSPs and POAMs on our website. Even before you begin the assessment process, it is important to understand where the potential weaknesses are in your cybersecurity program. Following that, creating a Plan of Action and Milestones helps keep the company organized and moving forward.

The Gap Analysis

After you have gotten your company to a point where you think you may be assessment-ready, it is a good idea to conduct a gap analysis to see where there may be shortcomings. Again, a consultant is a great guide for this kind of exercise. Just know that whoever performs the gap analysis is not able to then conduct the final assessment for your organization, because that would be a conflict of interest. We can also conduct your gap assessment, but we would not then be able to perform your official assessment.

Document Everything and Meet Assessment Objectives

Complying with the 110 controls of NIST SP 800-171r2 is only part of the process. Make sure you have documented every new procedure and policy. Also make sure to look not just at NIST 800-171 but also at NIST SP 800-171A, which defines the assessment objectives an assessor will test each control against; a control is not considered met until every one of its objectives is satisfied. An assessor should be able to ask for the documentation or evidence behind any control and receive it quickly.

Still Need Help Getting Started?

Undertaking a compliance journey of any kind is a big step for a company. Federal regulations are detailed and rigorous, and the stakes for your organization are high. If you want to talk to us about your current status regarding NIST compliance or have questions, contact us today.
