NIST SP 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Compliance Services
If you are a non-federal organization that operates and maintains systems storing, processing or transmitting Controlled Unclassified Information (CUI), the federal government’s security requirements outlined in the National Institute of Standards and Technology — NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations — affect you. Failure to comply may affect new and current federal and Department of Defense (DoD) contracts.
As your expert security partner, FRSecure can provide you with the necessary assessment and consulting services to meet the NIST SP 800-171 and DFARS security requirements. FRSecure offers two gap analysis options to help determine how close your organization and current information security program are to meeting these federal requirements.
Option 1: Full FISA with Gap Analysis
Our Full Information Security Assessment (FISA) leverages and references current security frameworks and standards found in ISO/IEC 27001:2013 and the NIST Cybersecurity Framework (CSF), both of which map to the NIST SP 800-171 security requirements.
The four phases of a FISA are:
- Phase 1: Administrative Controls. The people part of security, including risk management, security governance, policies, standards, training and employee awareness.
- Phase 2: Physical Controls. How much does your anti-virus protection mean to you if someone steals your server? Physical controls are an essential and often overlooked part of your security strategy.
- Phase 3: Technical Controls (Internal). We affectionately call this the gooey center. Most organizations do a pretty good job of securing the technical perimeter (firewalls, intrusion detection, etc.), but sometimes neglect the internal controls that are essential for an effective defense-in-depth strategy.
- Phase 4: Technical Controls (External). This category covers how effective your organization is at keeping the bad guys out of your network.
The FISA assessment is comprehensive. From that, FRSecure will map the relevant NIST controls and provide a gap analysis.
Your organization will receive all our standard FISA deliverables, which include the executive summary, the full report and the action plan. You will also receive an additional report that maps the FISA results to the NIST SP 800-171 controls. The gap analysis and the FISA action plan can be used together to build your remediation plan. This option provides both an overall security assessment against industry best practices and the information needed to begin addressing gaps in your CUI protection measures.
Option 2: Gap Analysis
Your other option is a more narrowly scoped assessment of how well your information security program meets the security requirements outlined in the NIST SP 800-171 controls. Your organization will receive a report listing each control and your level of compliance with it. While this option gives you a final gap analysis from which to build your remediation plan, it does not assess your full information security program against industry best practices.
With a completed NIST SP 800-171 gap analysis, FRSecure can help your organization develop a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), and help remediate gaps in policy, process and/or training. Our expert team has proven experience in establishing effective, measurable and enforceable organizational controls in support of DoD, federal, financial and healthcare compliance frameworks.
Learn more about other FISMA services offered by FRSecure.