Identify and Categorize Information Systems
In this task, you will identify and categorize every information system in your organization: workstations, servers, databases, cloud services, and any other component that stores, processes, or transmits sensitive information. For NIST SP 800-171 the sensitive information in question is Controlled Unclassified Information (CUI), so the in-scope set is every system that handles CUI plus the components that provide security protection for those systems (for example domain controllers, firewalls, and logging servers). Categorizing systems lets you prioritize your compliance effort so that the most critical systems receive the necessary controls first. The desired result is a complete list of information systems with a category assigned to each. To complete this task you will need knowledge of your organization's infrastructure and access to network diagrams or asset registers; where a system is unclear, confirm it with the owning department or IT personnel rather than leaving it uncategorized.
Category:
1. Highly Sensitive
2. Sensitive
3. Public
Map In-Scope Systems and Information
This task involves mapping the in-scope systems and information identified in the previous task. Create a visual representation or document that shows the relationships between systems and the flow of sensitive information between them, including where it enters, where it is stored, and where it leaves the organization. The map defines the boundary of your compliance effort: anything that touches CUI inside it is assessed, and anything excluded needs a documented reason for the exclusion. It also helps you identify potential vulnerabilities or risks at the boundaries. The desired result is an accurate and up-to-date map of in-scope systems and the flow of sensitive information. To complete this task, use diagramming tools or a document management system that can handle visual representations. If you have difficulty mapping certain systems or flows, collaborate with the relevant stakeholders or subject matter experts.
Implement Security Controls
This task involves implementing security controls on the identified and categorized information systems. Security controls include measures such as access control, encryption, monitoring, and incident response procedures. By implementing these controls you protect sensitive information from unauthorized access or disclosure. The desired result is a secure environment with appropriate controls in place and evidence (configuration exports, screenshots, policy references) that each control is actually operating, not just planned. To complete this task you will need access to system configurations, security software, and the relevant security procedures. If you cannot implement a particular control, consult IT or security experts for a compensating control, and record the gap in your plan of action.
Control areas:
1. Access Control
2. Encryption
3. Monitoring
4. Incident Response

Subtasks:
1. Configure user access rights
2. Encrypt sensitive data at rest and in transit
3. Implement monitoring tools
4. Establish incident response procedures
Approval: Security Controls Implementation
Will be submitted for approval:
Implement Security Controls
Will be submitted
Set Policies and Procedures
In this task, you will establish the policies and procedures that govern the secure handling of sensitive information. Policies define acceptable use, access control, incident response, and other security practices; procedures give the step-by-step instructions for carrying those policies out. The desired result is a documented set of policies and procedures that map to the NIST SP 800-171 requirement families, so that each requirement can be traced to the policy that addresses it. To complete this task, review existing policies, consult legal or compliance teams where necessary, and document the policies and procedures in a consistent format with an owner and review date on each. If you have difficulty defining a specific policy or procedure, seek input from the relevant stakeholders or subject matter experts.
Train All End-Users and Staff
This task involves training all end-users and staff on the policies and procedures established in the previous task. Training ensures that everyone understands their responsibilities and knows how to handle sensitive information securely; NIST SP 800-171 also expects role-based training for people with security responsibilities and awareness of insider-threat indicators. The desired result is a well-informed workforce that follows the established policies and procedures, with records to prove it. To complete this task, develop training materials, run training sessions or workshops, and track attendance or completion so you can show who was trained and when. If certain groups or individuals are hard to reach, adapt the material or provide additional support and resources.
Approval: Training Completion
Will be submitted for approval:
Train All End-Users and Staff
Will be submitted
Establish and Manage Incident Response Plan
In this task, you will establish an incident response plan for potential security incidents or breaches. The plan sets out the steps to take when an incident occurs: detection, reporting, containment, eradication, recovery, and post-incident review. NIST SP 800-171 requires an operational incident-handling capability, tracking and documenting of incidents, reporting to the designated internal and external officials, and periodic testing of the capability; organizations handling defense information should also check their contract for mandatory reporting deadlines. A well-defined plan minimizes the impact of incidents and ensures a swift, consistent response. The desired result is a documented, regularly updated, and exercised incident response plan. To complete this task, collaborate with IT, security teams, and other relevant stakeholders to identify likely incident types and develop the response procedures for each. If you have difficulty establishing the plan, seek guidance from incident response experts or refer to industry best practices.
Configure Online Systems to NIST Guidelines
This task involves configuring online systems and applications in line with NIST guidance. NIST SP 800-171 requires you to establish and maintain baseline configurations and to configure systems to provide only essential capabilities; the concrete hardening settings come from published checklists and benchmarks (for example those listed in the NIST National Checklist Program) applied to each system type. Following these settings reduces the risk of security incidents and supports compliance. The desired result is online systems and applications that meet the documented baseline. To complete this task, review the applicable guidance, assess and adjust the configuration of each online system, and record the changes you make so that the baseline can be re-verified later. If you have difficulty configuring a particular system or application, consult IT or security experts for assistance or an alternative approach.
Systems:
1. Email System
2. Web Application
3. Cloud Storage

Subtasks:
1. Enable two-factor authentication
2. Encrypt data in transit
3. Disable unnecessary services
Carry out the Security Assessment Plan
In this task, you will carry out a security assessment to evaluate the effectiveness of the implemented controls and to check compliance with the NIST SP 800-171 requirements. NIST SP 800-171A provides the assessment procedures (the objectives to examine, interview, and test for each requirement) and is the natural basis for the assessment plan. The assessment may include vulnerability scans, penetration testing, and review of security logs. The desired result is a comprehensive assessment report that records each vulnerability or control weakness found, its severity, and the evidence behind it. To complete this task, select assessment tools, schedule the assessments, run the tests, and document the findings. If you cannot perform certain assessments in-house, engage third-party security professionals or seek guidance from experts in the field.
Assessment types:
1. Vulnerability Scan
2. Penetration Test
3. Log Review

Subtasks:
1. Scan all in-scope systems for vulnerabilities
2. Perform targeted attacks to identify potential weaknesses
3. Review security logs for suspicious activities
Maintain Detailed Documentation of Compliance Efforts
This task involves creating and maintaining detailed documentation of all compliance efforts. Documentation provides transparency and the evidence of compliance with NIST SP 800-171; two documents the standard explicitly requires are the system security plan (SSP), describing the system boundary and how each requirement is met, and the plan of action and milestones (POA&M), tracking unmet requirements and their remediation. The desired result is a comprehensive, up-to-date documentation set covering all compliance activities, assessments, and remediation actions. To complete this task, establish a document management system, assign responsibility for each document, update the documentation on a schedule, and keep version control so that an assessor can see what was true at a given date. If you have difficulty documenting specific activities, use documentation templates or ask the compliance or legal teams for assistance.
Monitor and Manage a System Inventory
In this task, you will establish and maintain a system inventory that tracks every in-scope system and its configuration. The inventory gives visibility into your system landscape and ensures that every system receives the appropriate controls and updates; a system that is missing from the inventory will also be missing from scans, patching, and assessments. The desired result is an accurate, up-to-date inventory that records, at minimum, each system's owner, location, category, and configuration baseline. To complete this task, create an inventory template or use an existing system management tool, enter the relevant system information, and update the inventory whenever systems are added, changed, or retired. If you have difficulty identifying certain systems or tracking their configurations, work with the IT or security teams, or consider an automated inventory solution that discovers systems rather than relying on manual entry.
Approval: System Inventory
Will be submitted for approval:
Monitor and Manage a System Inventory
Will be submitted
Perform Continuous Monitoring and Auditing
This task involves continuously monitoring and auditing the effectiveness of the implemented controls and the overall compliance effort. Monitoring identifies potential security incidents or control weaknesses as they arise, while auditing confirms ongoing adherence to the NIST SP 800-171 requirements between formal assessments. The desired result is a proactive security posture and a maintained state of compliance, with findings fed back into the plan of action. To complete this task, select monitoring and auditing tools, define what is monitored and how often, conduct regular audits, and document the findings. If you have difficulty establishing effective monitoring or auditing, consult experts in the field or consider outsourcing these activities to a specialized service provider.
Monitoring activities:
1. Log Monitoring
2. Access Review
3. Compliance Audit

Subtasks:
1. Monitor security logs for anomalies
2. Periodically review user access rights
3. Conduct compliance audits based on NIST 800-171 requirements
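The two recurring checks above, reviewing user access rights and monitoring logs for anomalies, are easy to automate once the inventory and logs are in a machine-readable form. The script below is an added example, not part of the original checklist; the account list and the authentication log are constructed for the example, the log format is a made-up key=value layout rather than any real product's format, and the 90-day inactivity threshold and the five-failures-in-ten-minutes burst rule are assumptions (SP 800-171 requires disabling inactive identifiers and limiting unsuccessful logon attempts but leaves the numbers to the organization). Requirement numbers in the comments use the Rev. 2 numbering.

```python
"""Periodic access review and auth-log anomaly check for a continuous-monitoring
cycle.  Added example with constructed data; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed account inventory for one in-scope system (hypothetical users).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "owner": "alice", "last_login": "2024-05-23"},
    {"user": "bob", "privileged": False, "mfa": True, "owner": "bob", "last_login": "2024-01-03"},
    {"user": "carol", "privileged": True, "mfa": False, "owner": "carol", "last_login": "2024-05-23"},
    {"user": "svc-backup", "privileged": True, "mfa": True, "owner": None, "last_login": "2024-05-22"},
]

# Constructed authentication log in a made-up key=value layout.
LOG_LINES = """\
2024-05-23T09:01:10Z cui-fs auth: user=alice result=SUCCESS src=10.0.5.12
2024-05-23T09:02:33Z cui-fs auth: user=carol result=SUCCESS src=10.0.5.40
2024-05-23T22:15:01Z cui-fs auth: user=mallory result=FAIL src=203.0.113.5
2024-05-23T22:15:09Z cui-fs auth: user=mallory result=FAIL src=203.0.113.5
2024-05-23T22:15:17Z cui-fs auth: user=mallory result=FAIL src=203.0.113.5
2024-05-23T22:15:25Z cui-fs auth: user=mallory result=FAIL src=203.0.113.5
2024-05-23T22:15:33Z cui-fs auth: user=mallory result=FAIL src=203.0.113.5
2024-05-23T22:16:02Z cui-fs auth: user=mallory result=SUCCESS src=203.0.113.5
"""

LOG_RE = re.compile(r"^(\S+) (\S+) auth: user=(\S+) result=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, host, user, result, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "host": host, "user": user, "result": result, "src": src})
    return events


def review_access(accounts, as_of, stale_days=90):
    """Access review: privileged accounts without MFA (3.5.3), accounts with no
    responsible owner (3.1.1), and identifiers inactive beyond the threshold (3.5.6)."""
    findings = []
    for acct in accounts:
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if acct["privileged"] and not acct["mfa"]:
            findings.append(("PRIV_NO_MFA", acct["user"]))
        if acct["owner"] is None:
            findings.append(("NO_OWNER", acct["user"]))
        if (as_of - last).days > stale_days:
            findings.append(("STALE", acct["user"]))
    return findings


def detect_anomalies(events, accounts, max_failures=5, window=timedelta(minutes=10)):
    """Log monitoring (3.3.1): logons by accounts absent from the inventory, failure
    bursts per (user, source) inside a sliding window (3.1.8), and a success that
    follows a burst, which is the pattern worth escalating to incident response."""
    known = {a["user"] for a in accounts}
    findings, reported_unknown, burst_open = [], set(), set()
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["user"] not in known and ev["user"] not in reported_unknown:
            findings.append(("UNKNOWN_ACCOUNT", ev["user"]))
            reported_unknown.add(ev["user"])
        if ev["result"] == "FAIL":
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[key] = recent
            if len(recent) >= max_failures and key not in burst_open:
                findings.append(("FAILURE_BURST", f"{ev['user']}@{ev['src']}"))
                burst_open.add(key)
        elif ev["result"] == "SUCCESS" and key in burst_open:
            findings.append(("SUCCESS_AFTER_BURST", f"{ev['user']}@{ev['src']}"))
            burst_open.discard(key)
    return findings


def run_cycle(as_of=datetime(2024, 5, 24, tzinfo=timezone.utc)):
    """One monitoring cycle: returns (access findings, log findings) for the audit record."""
    return review_access(ACCOUNTS, as_of), detect_anomalies(parse_log(LOG_LINES), ACCOUNTS)


if __name__ == "__main__":
    for finding in run_cycle()[0] + run_cycle()[1]:
        print(*finding)
```

Each finding is a (rule, subject) pair so the output can be dropped straight into the audit record or the plan of action; in practice the account list would come from the directory or identity provider and the events from the SIEM, with the same rules applied.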
Respond to Security Failures or Breaches
In this task, you will establish the operational procedures for responding promptly to security failures or breaches, turning the incident response plan from the earlier task into runbooks that the on-call staff can follow. These procedures ensure that incidents are handled in a timely and consistent manner, minimizing the impact on systems and data. The desired result is a documented and practiced incident response process, exercised at least once with a tabletop or simulated incident so that gaps surface before a real one. To complete this task, collaborate with the IT and security teams, develop the response procedures, and communicate them to the relevant personnel. If you have difficulty defining a specific response procedure, seek guidance from incident response experts or refer to industry best practices.
Prepare for Independent Review
This task involves preparing for an independent review, in which an external auditor or assessor evaluates your compliance with the NIST SP 800-171 requirements. Preparation includes gathering the relevant documentation (system security plan, plan of action, policies, assessment reports, and control evidence), closing any known gaps, and making sure the information is readily accessible to the reviewer. The desired result is a well-prepared and successful independent review. To complete this task, re-read the NIST SP 800-171 requirements, gather the compliance documentation, address any identified gaps or weaknesses, and agree the scope and logistics with the external reviewer. If you have difficulty preparing for the review, seek guidance from the compliance or legal teams or engage external consultants with NIST SP 800-171 expertise.
Approval: Preparation for Independent Review
Will be submitted for approval:
Prepare for Independent Review
Will be submitted
Get Certification of Compliance
In this task, you will obtain formal confirmation that your organization meets the NIST SP 800-171 requirements. Such confirmation shows customers and stakeholders that appropriate controls and safeguards for sensitive information are in place. Note that NIST itself does not certify compliance with SP 800-171; for US defense contractors the recognized mechanisms are a self-assessment score reported under the DFARS clauses, and, where the contract requires it, a Cybersecurity Maturity Model Certification (CMMC) assessment performed by an authorized third-party assessor organization. The desired result is a valid attestation or certification of compliance of the kind your customers require. To complete this task, confirm with your customers or contracting officer which form of attestation is required, engage the appropriate assessor, submit the necessary documentation and evidence, and undergo the assessment. If you have difficulty obtaining the certification, seek assistance from compliance experts or refer to the relevant industry certification guidelines.
Plan and Implement Changes
This task involves planning and implementing the changes or improvements identified through your compliance efforts or external reviews. Changes may include security control enhancements, system updates, or process improvements. NIST SP 800-171 requires that changes to in-scope systems be tracked, reviewed, approved, and logged, and that their security impact be analyzed before implementation, so the change management process is itself part of compliance. The desired result is an improved security posture and ongoing compliance with NIST SP 800-171. To complete this task, establish a change management process, assess each proposed change for security impact, develop an implementation plan, execute the change, and update the system inventory, baseline, and documentation to match. If you have difficulty planning or implementing a specific change, consult the IT, security, or compliance teams for guidance, or pilot the change on a small set of systems before full rollout.