When it comes to cybersecurity compliance, and especially compliance with the US Department of Defense’s cybersecurity requirements (i.e., those in NIST SP 800-171 and CMMC), many government contractors are still trying to figure out how to get started. Some are willing to hire outside experts to help with the entire process because it allows the contractors to focus on their core business. While this approach is viable for some contractors, the idea of investing thousands, and even tens of thousands, of dollars in consulting fees to do things that the contractors could do themselves is simply a non-starter. They are willing to invest the money where it is appropriate, but if they can save money, and even learn more about their company’s cybersecurity risks and obligations along the way, then that’s their preferred approach.
Unfortunately, understanding which requirements can, and even should, be done by the contractor requires that the contractor first read and understand all of the requirements. And when most open NIST SP 800-171A, the “assessment guide” for NIST SP 800-171 and the basis for the CMMC 2.0 Assessment Guide, they start by reading the requirements for 3.1.1, one of the more confusingly-worded requirements in all of 800-171. So the contractors stop reading, and put off their compliance efforts for another day.
We empathize with those contractors. That is why we have updated our free Self-Assessment Tool to include recommendations for whether a contractor can/should try to do a particular requirement or objective themselves or whether they should hire an outside expert to help.
In making our recommendations, we assume that if the contractor is even considering doing some of the work themselves, that they have already done some basic IT work before. For example, we assume that they are familiar with how to login to Microsoft 365 (or their local Windows Server) and can navigate the admin interface well enough to add/remove users and that they can change password requirements. At the same time, we assume that adding mobile device management and other capabilities to their environment will probably be beyond their ability (or, more correctly, that we’re approaching diminishing returns on the time they would spend trying to do it themselves vs the cost of hiring an expert).
While the recommendations may not be perfect for everyone, we hope that they are helpful in at least helping contractors get a sense for whether their understanding of a requirement, and the level of knowledge necessary to implement it, is likely to be accurate.