NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
Smithers knows manufacturers well. We know that the daily routine includes making sure your customers are getting what they need, when they need it, and how they need it. We know the demands of trying to live up to ISO 9001, Lean Manufacturing, or Six Sigma standards. We know manufacturers, like all business owners, are worried about providing strong health benefits to workers, recruiting skilled workers, and more. You have plenty on your plate. So, what steps can you take towards complying with NIST 800-171r2 now, when CMMC rulemaking is not even complete yet?
The most important thing to know about compliance with NIST security controls is that while it is entirely possible, it takes some time. On average, small to mid-sized businesses need around six months to a year to get everything checked off the list. That means that if CMMC becomes a rule in October or November, companies are already going to be on a very tight timeline. Why do you need a fair amount of time to become compliant with NIST 800-171r2? Here are five reasons to start now.
Like so many documents in the business world, understanding everything NIST 800-171 is saying can take some time. Understanding the difference between the controls and the assessment objectives is important, not to mention understanding what actually needs to be done to satisfy them. Having the time to review and digest the controls will lead to more efficiency and effectiveness in the long run. The more this first step is rushed, the more likely mistakes will be later.
Just as rushing through the documentation can lead to problems, rushing to select partners on your compliance journey can also result in delays and difficulties. Whether you need an external service provider (ESP) or a consultant, or you are just considering who you will select as your third-party assessor (C3PAO) once CMMC is in effect, you will want to make sure you select organizations and people that match well with your company and that know what they are doing.
If you are not compliant with NIST 800-171 now, your company will have to make some technological changes. Your scope will determine how wide-ranging these changes need to be (be sure to check out a webinar coming up on this topic very soon). The way you process, store, and transmit Controlled Unclassified Information (CUI) will certainly need to change to achieve compliance. Determining processes, documenting those processes, and then implementing them all take time and, again, should not be rushed.
Anyone who was responsible for policies during the COVID-19 pandemic knows that creating policies is an intricate process. Companies that have already achieved ISO 9001 or AS9100 certifications have an advantage in understanding how their companies proceed with developing new protocols and policies, but even in those cases, creating new company-wide policies around CUI will not be a one-day “one and done” process. There needs to be time for all of the right contributors to be in the room.
Finally, there is the part that is out of your direct control. Once CMMC becomes a final rule, the demand for third-party assessments is going to be significant. Already some C3PAOs are seeing their schedules filled with Joint Surveillance Assessments (these are conducted along with DIBCAC). The sooner you are able to meet NIST compliance, the sooner you will be ready for your third-party assessment and CMMC. By selecting Smithers as your C3PAO, you can secure priority on our schedule. Contact us today to learn more.
In reality, investing time in NIST compliance now is an investment in the future of yourself and your company. The stress that can result from waiting on NIST compliance is significant because:
These are all easily avoidable if you start your compliance journey now. Talk to us today about where your organization is and where you want to go.