When preparing for NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) Compliance, taking the guesswork out of your organization’s preparedness is a must and can prevent hefty penalties.
Below we’ll discuss what you can expect from SSE’s NIST 800-171 and CMMC Gap Assessment process and what you can do to prepare for your certification audit.
What is a Gap Assessment?
SSE’s NIST 800-171 and CMMC Level 2 Gap Assessment is a detailed evidence collection, assessment and analysis of a company’s existing environment and its readiness state for an audit or assessment submission.
The output is the identification and documentation of all gaps in the form of a complete Security Assessment Report (SAR) that includes the following deliverables:
- A NIST 800-171 Basic Assessment and Scoring
- Detailed Compliance Matrix for both NIST 800-171 and CMMC
- Security Findings Traceability Matrix – information for an SSP
- Plans of Action and Milestones (POAMs) for unmet requirements
With the completion of the Gap Assessment, SSE would be able to recommend potential and customized remediation solutions as needed to assist your organization in meeting compliance.
How long does a CMMC Gap Assessment take?
Several factors affect the time needed to perform a CMMC Gap Assessment, including your company environment, the number of Active Directory domains and locations, the availability of resources and input, and your current security posture.
However, it is typically a four-week engagement, requiring granular evidence collection and review of the following:
- Verification against all 110 NIST 800-171 and CMMC 2.0 Level 2 practices
- Review and verification of existing IT tools
- Review of any existing System Security Plan (SSP)
- Review of any existing Plans of Action and Milestones (POAMs)
- Review of any existing policies/procedures and physical security practices
Why is a NIST 800-171 and CMMC Gap Assessment important?
A NIST 800-171 and CMMC Gap Assessment is critical in the compliance process, helping you understand which security controls need adjusting or adopting to meet compliance requirements.
A Gap Assessment can uncover weak spots in your organization’s security practices, such as:
- Weak access controls
- Improper data storage or backup controls
- Insufficient cybersecurity awareness training for employees
- Incomplete incident response plan
- Unsecured storage for data records
- Insufficient network segmentation
- Insufficient policy and procedure documentation around all of the above
What to expect during a CMMC Gap Assessment?
During the Gap Assessment, which SSE can conduct onsite, remotely, or both, organizations should expect the following:
- Review of existing policies and procedures within the organization, including:
  - Access control
  - Password policy
  - Incident response procedures
  - Awareness training
- Review of documentation practices within the organization. This portion includes, but is not limited to, reviewing the documentation processes your company uses wherever CUI is handled:
  - Inventory management
  - Access restrictions
  - Document marking
- Review of physical security practices. This portion includes, but is not limited to, reviewing the physical security practices your company applies wherever CUI is handled:
  - Data storage devices
  - Storage rooms
- Review of information systems inside the determined boundaries. This portion includes, but is not limited to, reviewing the IT systems that operate within the scope or boundary in which CUI is handled.
- Once all evidence has been collected, SSE will audit and document gaps against NIST 800-171 controls and CMMC practices in a Security Assessment Report (SAR).
Next Steps After a NIST 800-171 and CMMC Gap Assessment
Following a Gap Assessment, you’ll know exactly where your organization stands on NIST 800-171 and CMMC compliance. Also, you’ll have the documentation needed to support a NIST 800-171 basic assessment score and submission to the DoD’s Supplier Performance Risk System (SPRS).
SSE can then assist with recommendations and solutions to assist with the remediation of gaps, or we can do it for you!
When You’re On the Road to Compliance, Let SSE Be Your Guide
No matter where you are on the road to compliance, SSE has the expertise to help your organization become compliant. SSE has been accredited by The CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO). Our team is up to speed on the latest changes and upcoming CMMC implementation.
If you are still determining where you are in the process, contact our team for an initial consultation to discuss how our NIST 800-171 and CMMC Gap Assessment could help your 2023 planning.
Need to Meet CMMC Compliance?
Schedule Your CMMC Readiness Assessment