1. Establish a team responsible for NIST compliance
2. Identify information systems that store, process, or transmit Controlled Unclassified Information (CUI)
3. Perform a comprehensive inventory of data, applications, and hardware
4. Categorize the information system
5. Approval: Information System Categorization
6. Select baseline security controls from NIST SP 800-53
7. Implement the security controls
8. Assess the effectiveness of the security controls
9. Approval: Security Controls Effectiveness
10. Develop a Plan of Action and Milestones (POA&M) based on assessment findings
11. Implement the action plan to remediate compliance gaps
12. Monitor the security controls on a continuous basis
13. Document system changes and reassess security controls
14. Perform annual system review
15. Approval: Annual System Review
16. Update the System Security Plan (SSP) as required
17. Prepare for independent audit of the compliance program
18. Review audit findings and develop a remediation plan
19. Approval: Audit Findings and Remediation Plan
20. Implement the remediation plan to address any compliance deficiencies
Establish a team responsible for NIST compliance
Assign a team to own compliance with NIST SP 800-171, the standard for protecting Controlled Unclassified Information (CUI) on non-federal systems (for DoD contractors it is imposed through DFARS 252.204-7012). Federal Contract Information (FCI) is the lesser category, covered by the basic safeguarding requirements of FAR 52.204-21; many contractors handle both, so the team should know which systems hold which. The team implements and maintains the required security controls, coordinates with system owners and other stakeholders, runs periodic self-assessments, and tracks open findings to closure.
Identify information systems that store, process, or transmit Controlled Unclassified Information
Determine which information systems within your organization store, process, or transmit CUI. Everything CUI passes through belongs in scope: not only the databases and file shares where it rests, but the e-mail gateways, backups, endpoints, and cloud services it moves through, and the security tooling (identity provider, SIEM, endpoint agents) that protects those systems. Trace data flows rather than relying on what system owners report, because a system left out of scope is never assessed and its gaps never reach the POA&M.
Perform a comprehensive inventory of data, applications, and hardware
Conduct a thorough inventory of all data, applications, and hardware assets belonging to the information systems identified in the previous task. The inventory gives a detailed picture of what has to be protected and is the baseline against which controls are implemented; NIST SP 800-171 requirement 3.4.1 (baseline configurations and system inventories) expects it to be maintained, not produced once. Record for each asset the data types it handles, its owner, and the systems it exchanges data with.
1. Data
2. Applications
3. Hardware
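The scoping logic behind the identification and inventory tasks above, as an added example that is not part of the original checklist: a small Python script over a constructed inventory (hypothetical host names and flows) that propagates data labels along every flow until nothing changes, so that a system which only relays CUI is put in scope even if its owner never declared it. The asset categories use the terms of the CMMC Level 2 scoping guidance (CUI assets, security protection assets); the flow filter semantics and the FCI-only category are this example's own assumptions.

```python
"""Scope systems for NIST SP 800-171 from an asset and data-flow inventory.

Added example, not part of the original checklist. The inventory below is
constructed: hypothetical host names and flows, invented for illustration.
Data labels propagate along flows until nothing changes, so a system that
merely relays CUI is caught even if its owner never declared it.
"""

# Constructed inventory (hypothetical). "data" is what a system stores or
# processes on its own; "role" marks security tooling that protects others.
SYSTEMS = {
    "erp-db":       {"data": {"CUI", "FCI"}, "role": "app"},
    "erp-app":      {"data": set(),          "role": "app"},
    "file-share":   {"data": {"CUI"},        "role": "app"},
    "mail-gw":      {"data": set(),          "role": "app"},
    "proposal-app": {"data": {"FCI"},        "role": "app"},
    "hr-db":        {"data": {"PII"},        "role": "app"},
    "web-cms":      {"data": set(),          "role": "app"},
    "siem":         {"data": set(),          "role": "security"},
    "idp":          {"data": set(),          "role": "security"},
}

# Directed flows (src, dst, carries). carries=None means everything the source
# handles can cross the link; an explicit set restricts what crosses it.
FLOWS = [
    ("erp-db", "erp-app", None),
    ("erp-app", "mail-gw", {"FCI"}),      # CUI is filtered before e-mail...
    ("file-share", "mail-gw", None),      # ...but still reaches mail-gw this way
    ("proposal-app", "mail-gw", {"FCI"}),
    ("hr-db", "web-cms", None),
    ("erp-app", "siem", {"logs"}),
    ("idp", "erp-app", {"tokens"}),
]

CUI_ASSET = "CUI asset (NIST SP 800-171 scope)"
SPA = "security protection asset (in scope)"
FCI_ONLY = "FCI only (FAR 52.204-21 basic safeguarding)"
OUT = "out of scope"


def propagate(systems, flows):
    """Return, per system, the data types it ends up handling.

    Iterates to a fixpoint: each pass forwards the source's data across every
    flow (intersected with the flow's carries filter) until no set grows.
    """
    handled = {name: set(attrs["data"]) for name, attrs in systems.items()}
    changed = True
    while changed:
        changed = False
        for src, dst, carries in flows:
            crossing = handled[src] if carries is None else handled[src] & carries
            new = crossing - handled[dst]
            if new:
                handled[dst] |= new
                changed = True
    return handled


def scope(systems, flows):
    """Classify every system using the propagated data labels."""
    handled = propagate(systems, flows)
    cui_assets = {name for name, data in handled.items() if "CUI" in data}

    # Undirected adjacency: security tooling is in scope if it touches a CUI asset.
    neighbours = {name: set() for name in systems}
    for src, dst, _ in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    result = {}
    for name, attrs in systems.items():
        if name in cui_assets:
            result[name] = CUI_ASSET
        elif attrs["role"] == "security" and neighbours[name] & cui_assets:
            result[name] = SPA
        elif "FCI" in handled[name]:
            result[name] = FCI_ONLY
        else:
            result[name] = OUT
    return result


if __name__ == "__main__":
    for name, category in sorted(scope(SYSTEMS, FLOWS).items()):
        print(f"{name:14} {category}")
```

The point the sample makes: filtering CUI out of the erp-app to mail-gw link does not take the mail gateway out of scope, because a second flow from the file share still carries CUI to it. Only a complete flow map, not per-system declarations, shows that.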
Categorize the information system
Categorize each information system by the impact on confidentiality, integrity, and availability that a compromise of the CUI it handles would have (the FIPS 199 scale below). Note that NIST SP 800-171 assumes the confidentiality impact of CUI is no lower than moderate, so a "Low" rating does not reduce the set of required 800-171 controls; the categorization still drives how the controls are implemented and which systems get the most attention.
1. Low
2. Moderate
3. High
Approval: Information System Categorization
Submitted for approval: Categorize the information system
Select baseline security controls from NIST SP 800-53
NIST SP 800-171 itself defines the required controls: 110 security requirements in 14 families (Revision 2), derived from the moderate baseline of NIST SP 800-53. Use 800-53 as the source catalog for implementation detail (800-171 Appendix D maps each requirement to its 800-53 control), not as a substitute baseline; an 800-53 low baseline does not satisfy 800-171. Where a requirement genuinely does not apply (for example, a wireless-access requirement in an environment with no wireless), record it as not applicable with its justification in the SSP rather than leaving it blank. Families to cover include, among others:
1. Access Control
2. Audit and Accountability
3. Configuration Management
4. Identification and Authentication
5. Incident Response
Implement the security controls
Implement the selected security controls so that the required safeguards for CUI are in place. Assign a named owner to each requirement, set a target date, and record in the SSP how each one is implemented (technology, configuration, or procedure) rather than merely that it is. Review progress regularly, and treat an "implemented" claim as unverified until the evidence (configuration export, log sample, screenshot, policy document) exists; that evidence is what the assessment in the next task, and any later audit, will ask for.
Assess the effectiveness of the security controls
Evaluate the implemented security controls using the assessment procedures in NIST SP 800-171A: examine evidence, interview owners, and test controls rather than taking statements at face value. Record each requirement as met, partially implemented, or not met, and document every gap for analysis in the next task. If the organization reports a self-assessment score to the DoD (DFARS 252.204-7019, via SPRS), this assessment is its basis.
Approval: Security Controls Effectiveness
Submitted for approval: Implement the security controls
Develop a Plan of Action and Milestones (POA&M) based on assessment findings
Based on the assessment findings, create a Plan of Action and Milestones (POA&M) that sets out how each unmet or partially implemented requirement will be closed; NIST SP 800-171 requirement 3.12.2 requires this plan. Each entry should name the requirement, the weakness, the responsible party, the resources needed, and a target completion date, and entries should be prioritised by how much the gap weakens protection of CUI. The POA&M is the roadmap for remediation and the record that reviewers will check dates against.
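A worked example of the assessment and POA&M tasks above, added here and not part of the original checklist: it turns constructed self-assessment findings into a POA&M, computes a score in the style of the DoD Assessment Methodology (each requirement weighted 1, 3 or 5 points and deducted from a perfect 110, with partial credit for two requirements), and flags overdue milestones. The weights, owners, dates and findings are illustrative assumptions; take real point values from the current methodology.

```python
"""Turn NIST SP 800-171 assessment findings into a scored POA&M.

Added example, not part of the original checklist. Findings, owners, dates
and point values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights (1, 3 or 5 points) for the requirements used in the sample;
# real values come from the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5,
    "3.4.1": 3, "3.5.3": 5, "3.13.11": 5,
}
# Requirements that lose only 3 points when partially implemented (assumed).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
PERFECT_SCORE = 110


@dataclass
class Finding:
    req: str           # NIST SP 800-171 requirement number
    status: str        # "met", "partial" or "not_met"
    detail: str
    owner: str = "unassigned"
    days_to_fix: int = 90


@dataclass
class PoamItem:
    req: str
    weakness: str
    owner: str
    due: date
    points: int        # score impact while the item stays open
    closed: bool = False


def deduction(finding, weights=WEIGHTS, partial=PARTIAL_CREDIT):
    """Points lost for one finding."""
    if finding.status == "met":
        return 0
    if finding.status == "partial" and finding.req in partial:
        return partial[finding.req]
    # "partial" on a requirement without a partial-credit rule counts as not implemented.
    return weights[finding.req]


def score(findings):
    """Self-assessment score: 110 minus deductions; unlisted requirements count as met."""
    return PERFECT_SCORE - sum(deduction(f) for f in findings)


def build_poam(findings, assessed_on):
    """One POA&M entry per unmet or partially implemented requirement."""
    return [
        PoamItem(req=f.req, weakness=f.detail, owner=f.owner,
                 due=assessed_on + timedelta(days=f.days_to_fix),
                 points=deduction(f))
        for f in findings if f.status != "met"
    ]


def overdue(poam, as_of):
    """Open items whose milestone date has passed, highest score impact first."""
    late = [item for item in poam if not item.closed and item.due < as_of]
    return sorted(late, key=lambda item: (-item.points, item.due))


# Constructed findings from a hypothetical self-assessment.
FINDINGS = [
    Finding("3.1.1", "met", "Access limited to authorised users via directory groups"),
    Finding("3.1.2", "met", "Role-based transaction limits enforced in the ERP"),
    Finding("3.1.20", "not_met", "Connections to external systems not verified or limited", "netops", 30),
    Finding("3.3.1", "met", "Audit logs forwarded to the SIEM and retained one year"),
    Finding("3.4.1", "partial", "Baseline configurations exist for servers but not endpoints", "eng", 120),
    Finding("3.5.3", "partial", "MFA enforced for remote access only, not local privileged logon", "idm", 60),
    Finding("3.13.11", "not_met", "VPN uses a cryptographic module that is not FIPS-validated", "netops", 180),
]
ASSESSED_ON = date(2024, 1, 15)
REVIEW_ON = date(2024, 4, 1)

if __name__ == "__main__":
    print("score:", score(FINDINGS))  # 98 for the sample above
    for item in overdue(build_poam(FINDINGS, ASSESSED_ON), REVIEW_ON):
        print(f"OVERDUE {item.req} (-{item.points}) due {item.due} owner {item.owner}: {item.weakness}")
```

Two details worth noticing: a "partial" status only earns reduced deduction for the requirements that explicitly allow it (3.5.3 loses 3 of its 5 points here, while partial 3.4.1 loses all 3), and requirements with no recorded finding are treated as met, which is how a self-assessment is scored but means a gap that was never written down costs nothing. The scoping and inventory tasks earlier are what keep that from happening.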
Implement the action plan to remediate compliance gaps
Execute the actions in the POA&M to close the identified gaps. Allocate the necessary resources, engage the responsible parties, and document each remediation as it completes so that the POA&M entry can be closed with evidence. Track milestone dates closely; an overdue item is a gap that is still open and should be re-planned rather than left to drift.
Monitor the security controls on a continuous basis
Establish a process for ongoing monitoring of the implemented security controls (NIST SP 800-171 requirement 3.12.3). Define for each control what signal shows it is still working, for example audit logs arriving in the SIEM, MFA enforcement reports, or configuration drift alerts, and review those signals on a schedule. Continuous monitoring catches controls that silently stop working between assessments and keeps the security posture aligned with the threat landscape and with changing compliance requirements.
Document system changes and reassess security controls
Document every change made to the information systems and reassess the affected controls. Analyse the security impact of a change before it is made (requirements 3.4.3 and 3.4.4): a new integration, a cloud migration, or a new data flow can bring a system into scope or defeat a control that was previously effective. Keep an accurate change record; it determines which parts of the SSP and inventory need updating and lets later assessments focus on what changed.
Perform annual system review
Conduct an annual review of the information systems and their security controls to validate that they remain effective (requirement 3.12.1 calls for periodic assessment). Confirm that the scope is still correct and that the controls still meet NIST SP 800-171 requirements, and adjust them as necessary. The review is also the point to pick up emerging vulnerabilities and changes in the threat landscape that continuous monitoring does not cover.
Approval: Annual System Review
Submitted for approval: Monitor the security controls on a continuous basis
Update the System Security Plan (SSP) as required
Update the System Security Plan (SSP) whenever the information systems or security controls change. The SSP (requirement 3.12.4) is the authoritative description of the system boundary, the environment of operation, and how each requirement is implemented, and assessors will compare what it says against what they find. Keep it consistent with the inventory and the POA&M, and version it so that its state at the time of any given assessment can be reproduced.
Prepare for independent audit of the compliance program
Prepare the documentation and evidence needed for an independent assessment of the compliance program (for DoD work, a CMMC Level 2 certification assessment by a C3PAO or a DIBCAC assessment). Organize the SSP, POA&M, policies, and per-requirement evidence so that each can be produced on request. Review the program against NIST SP 800-171A beforehand to find and fix weaknesses before the assessors do.
Review audit findings and develop a remediation plan
Review the findings from the independent assessment and evaluate each identified deficiency. Determine its impact on the protection of CUI, develop a remediation plan with owners and dates, and allocate resources according to severity. Findings that duplicate or contradict existing POA&M entries should be reconciled so that there is one plan, not two.
Approval: Audit Findings and Remediation Plan
Submitted for approval: Prepare for independent audit of the compliance program
Implement the remediation plan to address any compliance deficiencies
Execute the remediation plan developed in the previous task to resolve the identified deficiencies. Allocate the necessary resources, engage the responsible parties, and monitor progress closely to ensure timely resolution. Document the steps taken and the outcomes, with evidence, so that each finding can be formally closed and re-verified at the next assessment.