We published a risk-based approach to adopting the NIST SP 800-171 controls a few months ago, and received some great feedback from our readers. One of the biggest comments we heard was that, while the list itself was helpful, having 110 controls to analyze is still overwhelming for many contractors. We’ve built a 5-phase approach to NIST SP 800-171 and CMMC 2.0 Level 2 compliance that we call the FAR and Above™ program. You can download a copy via the link below.
We call it FAR and Above because we suggest that companies start with the basic cybersecurity requirements defined in the Federal Acquisition Regulation, or FAR, and then move on to the remaining requirements. The FAR requirements (defined in FAR 52.204-21) are incorporated into every FAR-based contract, whether or not you handle Controlled Unclassified Information. They are also the same requirements that appear in CMMC 2.0 Level 1.
A recent study showed that 78% of contractors are not currently in compliance with at least two of the 15 basic cybersecurity requirements defined in the FAR. Every time a contractor signs a contract, and again every time it asks the government for payment, it is attesting that it currently meets all of these requirements. That creates real risk: a contractor that is not in compliance could face penalties ranging from contract termination to False Claims Act liability and even debarment. Addressing these basic requirements is therefore an imperative for every organization doing business with the government, including those that do no business with the US Department of Defense.
Define the Scope
Identifying the software and hardware that store, process, or transmit the government’s information, and the people who are authorized to access or use that software and hardware, is a critical first step toward meeting your compliance obligations. Make sure you have a clear picture of all of the devices, software, and people in your organization, and of how the government’s information flows into, through, and out of your systems. For many organizations, the entire IT system will be “in scope” (i.e., it will handle some form of government information). Some organizations may find it advantageous to partition their networks so that the government information is isolated to a smaller set of systems, which shrinks the scope of everything that follows. The process for conducting a full scope evaluation is beyond the scope of this article (no pun intended). See the CMMC Scoping Guide for your organization’s desired/required CMMC Level for additional guidance.
Conduct a Gap Analysis
If you are familiar with the FAR requirements or CMMC Level 1, you’ll notice that in FAR and Above we’ve reorganized the FAR requirements. In our conversations with contractors, we hear over and over how intimidating the Access Control requirements (i.e., FAR 52.204-21(b)(1)(i) through (iv)) can be, and we agree. That’s why we suggest starting with something more familiar: the physical protection/physical security requirements. That will help put you in the right mindset for conducting the gap analysis.
When you conduct your gap analysis, assess not only against the requirements as described in the FAR, but also against the corresponding controls in NIST SP 800-171A or the CMMC Assessment Guides. NIST SP 800-171A breaks each control into assessment “objectives”, and each FAR requirement corresponds to one or more of those controls, so those objectives are what you must satisfy to demonstrate that you meet the FAR requirement. If you meet every objective, except any that are genuinely not applicable to your organization, you can consider the requirement met. But if you miss even a single applicable objective, you have not met the requirement, no matter how well the rest of it is implemented.
Repeat this process for each of the FAR requirements, and, when you’re done, you will have taken a major first step toward meeting your basic cybersecurity compliance obligations.
While it is possible to collect evidence that validates your assessment that you meet a requirement at this time, we don’t generally recommend it unless your organization already has a fairly mature cybersecurity program. Many organizations will identify multiple gaps in their cybersecurity programs as part of the gap analysis process, and we regularly see that, in remediating those gaps, the organizations make other changes that require them to collect new evidence for most of the requirements. As a result, it is typically more efficient to collect the evidence in a later pass. BUT DO NOT FORGET TO COLLECT EVIDENCE! If your organization is audited, this evidence is critical to helping you avoid liability if an auditor disagrees with your assessment.
Remediate any Gaps
The next step is to create a plan of action that describes how your organization will address each unmet requirement (i.e., each gap). The plan of action should include details such as the date by which each action item will be completed, the person accountable for ensuring it is completed, and a budget/cost projection.
Armed with the individual action items, the next step is to create projects and begin working through them. Remember that, for the basic FAR requirements, these are things your organization is already telling the government it is successfully doing. If you identify gaps, prioritize their remediation to reduce risk. You might also want to consult your attorney about whether you have any reporting obligations.
Don’t Forget to Maintain the Plans
Update the plans regularly so that they reflect the current state of the organization’s program. Schedules slip, and other changes (e.g., adding a new cloud-based service) can also affect your status. Make sure that every pending action still represents your organization’s current approach, including timelines, budget, and the person accountable for it.
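As an added illustration, not part of the original post or of the FAR and Above program, the following Python sketch encodes the all-or-nothing rule from the gap analysis step (a requirement counts as met only if every applicable objective is met; one missed objective makes the whole requirement a gap) and ties each gap to a plan-of-action item with an owner, due date and cost, so that overdue items and gaps with no action item at all can be flagged, which is the bookkeeping the remediation and maintenance steps above call for. The FAR-clause-to-NIST-control mapping, the paraphrased objective text, the owners, dates and costs are constructed sample data, and treating a requirement whose objectives are all not applicable as itself not applicable is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class ObjectiveStatus(Enum):
    MET = "met"
    NOT_MET = "not met"
    NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Objective:
    ident: str               # NIST SP 800-171A objective label, e.g. "3.8.3[a]"
    text: str                # paraphrased for this example, not the official wording
    status: ObjectiveStatus


@dataclass(frozen=True)
class Requirement:
    far_clause: str                    # paragraph of FAR 52.204-21(b)(1)
    nist_id: str                       # corresponding NIST SP 800-171 control (assumed mapping)
    objectives: Tuple[Objective, ...]


@dataclass(frozen=True)
class ActionItem:
    far_clause: str
    objective: str           # the objective this item is meant to close
    action: str
    owner: str               # person accountable for completion
    due: date
    cost_usd: int
    completed: Optional[date] = None


def requirement_status(req: Requirement) -> str:
    """All-or-nothing rule: every applicable objective must be MET.

    A single NOT_MET objective makes the requirement "not met". If every
    objective is NOT_APPLICABLE the requirement is reported as "not applicable"
    (an assumption in this example; record your justification if you rely on it).
    """
    applicable = [o for o in req.objectives
                  if o.status is not ObjectiveStatus.NOT_APPLICABLE]
    if not applicable:
        return "not applicable"
    if all(o.status is ObjectiveStatus.MET for o in applicable):
        return "met"
    return "not met"


def gaps(reqs: Tuple[Requirement, ...]) -> List[Tuple[str, str]]:
    """Every (FAR clause, objective) pair that is NOT_MET, in assessment order."""
    return [(r.far_clause, o.ident)
            for r in reqs for o in r.objectives
            if o.status is ObjectiveStatus.NOT_MET]


def overdue_items(plan: Tuple[ActionItem, ...], today: date) -> List[ActionItem]:
    """Open action items whose due date has passed: schedules slip, so check."""
    return [i for i in plan if i.completed is None and i.due < today]


def unplanned_gaps(reqs: Tuple[Requirement, ...],
                   plan: Tuple[ActionItem, ...]) -> List[Tuple[str, str]]:
    """Gaps with no action item at all: the plan is incomplete, not just late."""
    covered = {(i.far_clause, i.objective) for i in plan}
    return [g for g in gaps(reqs) if g not in covered]


# Constructed sample assessment for this example (not real assessment data).
S = ObjectiveStatus
REQUIREMENTS = (
    Requirement("52.204-21(b)(1)(vii)", "3.8.3", (
        Objective("3.8.3[a]", "media holding FCI is sanitized or destroyed before disposal", S.MET),
        Objective("3.8.3[b]", "media holding FCI is sanitized before release for reuse", S.NOT_MET),
    )),
    Requirement("52.204-21(b)(1)(xiv)", "3.14.4", (
        Objective("3.14.4[a]", "malicious code protection is updated when new releases appear", S.MET),
    )),
    Requirement("52.204-21(b)(1)(xi)", "3.13.5", (
        Objective("3.13.5[a]", "publicly accessible system components are identified", S.NOT_APPLICABLE),
        Objective("3.13.5[b]", "subnetworks for those components are separated from internal networks", S.NOT_APPLICABLE),
    )),
    Requirement("52.204-21(b)(1)(xii)", "3.14.1", (
        Objective("3.14.1[a]", "the time within which to identify system flaws is specified", S.MET),
        Objective("3.14.1[b]", "system flaws are identified within the specified time frame", S.NOT_MET),
    )),
)
PLAN = (
    ActionItem("52.204-21(b)(1)(vii)", "3.8.3[b]", "Adopt a wipe-before-reuse procedure for laptops and USB media",
               "IT Manager", date(2024, 3, 31), 2500),
)

if __name__ == "__main__":
    for r in REQUIREMENTS:
        print(f"{r.far_clause} ({r.nist_id}): {requirement_status(r)}")
    print("gaps:", gaps(REQUIREMENTS))
    print("overdue:", [i.objective for i in overdue_items(PLAN, date.today())])
    print("unplanned gaps:", unplanned_gaps(REQUIREMENTS, PLAN))
```

Run as-is it reports 52.204-21(b)(1)(vii) and (xii) as not met, (xiv) as met and (xi) as not applicable, lists 3.8.3[b] and 3.14.1[b] as gaps, flags the media-sanitization item as overdue once the date passes, and flags 3.14.1[b] as a gap that nobody has been assigned to close. The unplanned-gap check is the one most teams forget: a plan of action that covers only some of the gaps looks healthy on a status report right up until an assessor asks about the rest.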
If your organization only needs to comply with the FAR requirements, once you are satisfied that you meet the basic FAR requirements, you should make another pass through the requirements and collect evidence that validates your assessment. You should collect evidence with an eye toward three basic questions:
- Who is accountable for ensuring the organization continues to be in compliance with the requirement (i.e., who should be interviewed if an audit/formal assessment is conducted)?
- What documents do we have that demonstrate our compliance (i.e., what can the assessor/auditor examine to validate that you were in compliance when your self-assessment was performed)?
- What software/hardware should be reviewed to demonstrate compliance (i.e., what can the assessor/auditor test to validate that you are currently meeting the requirements)?
NIST SP 800-171A and the CMMC Assessment Guides include suggested roles within the organization who could/should be interviewed, the kinds of documents that could/should be provided for review, and the kinds of testing that can be performed. If you are uncertain about what kind of evidence to collect, these are a great starting point.
If your organization handles Controlled Unclassified Information, you are expected to meet not only the basic FAR requirements but also the remaining controls defined in NIST SP 800-171 (the 110 controls less those already covered by the FAR requirements). FAR and Above breaks these remaining controls into 4 additional phases. The phases were chosen to balance prioritizing some of the more critical requirements (e.g., implementing multi-factor authentication) against grouping related requirements together for efficiency. We recommend repeating the gap analysis, remediation, and evidence collection steps for each of these phases.