What steps do you need to take before CMMC is mandated?

Sometimes the hardest part of any process is knowing how to get started. In the case of complying with CMMC, a lot of action items are landing on defense contractors at once. Which ones should be checked off the list first? What are the top priorities?

Here is a list of seven items that represent good starting points if you are beginning your journey toward CMMC certification.

Do you need to be CMMC-certified?

The best way to approach this is to ask what CUI (Controlled Unclassified Information) you will be processing, transmitting, or storing as part of the contract. If your contract involves CUI, you will need at least CMMC Level 2. Note that not handling CUI does not take you out of CMMC entirely: under CMMC 2.0, contracts that involve only FCI (Federal Contract Information) still require a Level 1 self-assessment against the basic safeguarding requirements of FAR 52.204-21. If your contract involves neither CUI nor FCI, CMMC does not apply to it.

Do you understand the CMMC levels?

While the original CMMC 1.0 included five security levels, CMMC 2.0 has three: Level 1 (Foundational, for FCI), Level 2 (Advanced, aligned with the 110 requirements of NIST SP 800-171), and Level 3 (Expert, which adds a subset of NIST SP 800-172). Make sure you understand these clearly and know at what level you will be operating. The level determines primarily how you are assessed and who is allowed to perform the assessment: Level 1 is an annual self-assessment, most Level 2 contracts require a third-party assessment by an authorized C3PAO, and Level 3 is assessed by the government.

What will your scope be?

Some companies may think that because they store or handle CUI, the whole company has to be in scope for a CMMC assessment. This is not the case. The part of the company that handles or stores CUI can be placed in an enclave, reducing the size of the assessment and the time needed to complete it. The enclave boundary must be defined and documented, however: any system that processes, stores, or transmits CUI, and any system that provides security functions for those systems (for example, your identity provider, SIEM, or backup infrastructure), is in scope regardless of where it sits on the org chart, and CUI must not flow outside the boundary. If you are not sure how you should set your scope, it is a good idea to invest in a consultant or to speak to our experts.

Do you need a consultant?

When selecting a consultant, it is important to make sure the company or person selected is knowledgeable about CMMC. It is equally important that they are able to help prepare you for your assessment, not just explain the framework. Remember, your assessor organization cannot also serve as your consultant: the conflict-of-interest rules prohibit a C3PAO from assessing an organization it has advised.

Is your SSP ready? What about POAMs?

Don't worry if you can't remember what these acronyms stand for. An SSP is a System Security Plan, and a POA&M is a Plan of Action and Milestones; you can learn more about both on our website. Even before you begin the assessment process, it is important to understand where the potential weaknesses in your cybersecurity program are. The SSP documents how each requirement is implemented, and the POA&M records the requirements that are not yet fully met, who owns them, and when they will be closed. Following that, maintaining the POA&M keeps the company organized and moving forward. Be aware that under CMMC 2.0 a POA&M can only cover a limited set of open items, cannot be used for the highest-weighted requirements, and must be closed out within 180 days of the assessment, so it is not a substitute for implementing the requirements.

Should you invest in a pre-assessment?

After you have gotten your company to a point where you think you may be assessment-ready, it is a good idea to conduct a pre-assessment (a gap analysis or mock assessment) to find any remaining shortcomings before the real assessment does. Again, a consultant is a great guide for this kind of exercise. Just know that whoever performs the pre-assessment is not then able to conduct the final assessment for your organization.

Have you looked at the NIST SP 800-171A assessment objectives?

Implementing the 110 requirements of NIST SP 800-171 Rev. 2 is only part of the process. Make sure you have documented every new procedure and policy. Also make sure to look not just at NIST SP 800-171 but also at NIST SP 800-171A, the companion assessment guide that breaks each requirement into the specific assessment objectives an assessor will examine; that is where the bar for compliance is actually defined, and a requirement is only "met" when every one of its objectives is satisfied. An assessor should be able to ask for the evidence behind any requirement, and you should be able to produce it quickly.

Still Need Help Getting Started?

Undertaking a compliance journey of any kind is a big step for a company. Federal regulations are detailed and rigorous, and the stakes for your organization are high. If you want to talk to us about your current status regarding NIST compliance or have questions, contact us today.

About Smithers

Founded in 1925 and headquartered in Akron, Ohio, Smithers is a multinational provider of testing, consulting, information, and compliance services. With laboratories and operations in North America, Europe, and Asia, Smithers supports customers in the transportation, life science, packaging, materials, components, consumer, cannabis, dry commodities, and energy industries. Smithers delivers accurate data, on time, with high touch, by integrating science, technology, and business expertise, so customers can innovate with confidence. Smithers is an authorized C3PAO and can be found on the CyberAB Marketplace.
