
By: Tyler Thepsiri on March 19, 2024


What To Expect From A NIST 800-171 Gap Analysis


Although NIST 800-171 has been around for several years, many business leaders still aren’t certain whether they are doing the right things to be compliant. One of the areas of confusion is what to expect from a NIST 800-171 Gap Analysis.

In this article, we’ll walk you through the steps of a gap analysis, so you’ll know exactly what to expect.

We handle the IT needs of companies of all sizes, including those that are contractors, subcontractors, or suppliers for the U.S. government. We’ve helped organizations just like yours reach NIST 800-171 compliance, so we know the steps involved.

After reading through this article, you’ll have a better understanding of what a gap analysis is, the steps involved, and how to work through them.

What Is NIST SP 800-171?

In 2015, the National Institute of Standards and Technology (NIST) issued a special publication (known as NIST 800-171 or NIST SP 800-171). This publication sets out the security requirements for protecting controlled unclassified information (CUI) that resides on non-federal systems.

Finding out where you stand against those requirements starts with a gap analysis.

What Is A Gap Analysis?

Before we get into the process, deliverables, and outcomes, let’s define what we’re talking about.

In business jargon, a gap analysis is a structured comparison of the current state of business attributes to the desired state of those same attributes.

What Is A NIST 800-171 Gap Analysis?

A NIST gap analysis compares your current security safeguards (cyber, physical, administrative) with the 110 controls (practices) listed in NIST SP 800-171.

Based on the weaknesses identified in the gap analysis, you’ll develop a Plan of Action & Milestones (POAM) that shows a path forward to full NIST 800-171 compliance.

Related Article: What are the first steps for NIST 800-171 POAM SPRS submission.

Specific Considerations For A NIST Gap Analysis

We have defined our NIST gap analysis. But what does it mean in practice? Let’s put a couple of assumptions in place to frame this correctly.

As a government contractor, subcontractor, or supplier, IT and cybersecurity are likely not your primary work function. Your business likely does something for, produces something for, or finishes something for the DoD.

To do that work, you receive, create, or handle CUI on the government’s behalf. As such, you need to protect it with the physical, technical, and administrative controls NIST SP 800-171 describes.

Becoming compliant with NIST 800-171 will allow you to retain your current contracts and ensure you can continue competing for future opportunities.

Whether you tackle this internally or work with an external consultant, here’s what the gap analysis process will likely entail:

Step 1: Interviews & Questions

Prepare to have conversations with your team about the controls or questions that need to be answered. Best practice is to have several conversations over a designated period. There are a lot of them and it’s not productive to attempt to plow through them all at once.

Try to provide the team with all of the questions before you even schedule the first meeting to discuss them, so they will have time to research the data needed, align the right resources, and be comfortable with the subject matter.

What To Expect

Interview sessions work best when limited in scope (no more than two hours). Expect to repeat these sessions at least two or three times after the initial session depending on how things go and how much is covered in each.

Often additional Q&A takes place during these meetings. It's imperative to keep a flexible mind about the total duration and commitment of time.

Your team must come away with a good understanding of your current state and knowledge of the gaps along the way. 

Step 2: NIST Scoring

Once all the interviews are done and questions answered, compile, for each of the 110 controls, whether it is implemented, partially implemented, or not implemented, along with the supporting notes from each session. That record produces your score for the gap analysis.

This is one of the components of the data needed to upload into the Supplier Performance Risk System (SPRS).

Your Score

What’s important to understand about this specific process and the NIST controls is that the scoring is a reductive measure, not additive.

Under the DoD NIST SP 800-171 Assessment Methodology, you start at 110 (one point per control) and, for every control that is not implemented, a weight of 1, 3, or 5 points is subtracted from that total. A partially implemented control is scored as not implemented; the only two controls that earn partial credit are multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). This differs from the typical idea of “adding up” all the correct answers and totaling for a score.

Because the weights add up to more than 110, it’s possible to get a negative score on the gap analysis (the lowest possible score is -203).

Don’t let that distract you from staying the course.

The intent of this process is not to “score” well but to perform the gap analysis and start the process of working towards a score of 110.

The actual score you enter into SPRS is not a measurement of success, but rather just a piece of data that indicates current state.
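The reductive scoring above is easy to get wrong in a spreadsheet, so here is an added example (not code from the original article) of a small scoring calculator in Python. The weight table is a constructed subset of seven requirements, not the full 110-control table; take the authoritative weights for every control from Annex A of the DoD Assessment Methodology. The sample assessment is constructed as well. `gaps()` also produces the highest-weight-first list of open items that feeds the prioritization in Step 3.

```python
"""Added example: reductive NIST SP 800-171 self-assessment scoring.

Constructed illustration; the weights below cover only a subset of the 110
requirements, so scores computed here are not real SPRS scores.
"""
from enum import Enum

MAX_SCORE = 110  # one point per requirement, 110 requirements


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"  # some, but not all, of the requirement is in place
    NOT_IMPLEMENTED = "not implemented"


# Constructed subset: requirement id -> points subtracted when it is not met.
# Assumed values for illustration; the real table is Annex A of the methodology.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.20": 1,   # verify and control connections to external systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.5": 3,   # periodic and real-time scans of files and systems
}

# The only two requirements the methodology gives partial credit for:
# a partial implementation costs 3 points instead of the full 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 (the System Security Plan) carries no points; without an SSP the
# assessment cannot be completed at all, so its absence is an error here.
SSP_REQUIREMENT = "3.12.4"


def deduction(req_id: str, status: Status, weights: dict = WEIGHTS) -> int:
    """Points subtracted for one requirement given its implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    # Every other partial implementation is scored as not implemented.
    return weights[req_id]


def sprs_score(assessment: dict, weights: dict = WEIGHTS) -> int:
    """Start at 110 and subtract for every unmet requirement in `weights`.

    Requirements missing from `assessment` count as not implemented, which is
    why an empty assessment scores 110 minus the sum of all weights (negative
    for the full table; the floor there is -203).
    """
    if assessment.get(SSP_REQUIREMENT, Status.IMPLEMENTED) is not Status.IMPLEMENTED:
        raise ValueError("no System Security Plan: assessment cannot be completed")
    score = MAX_SCORE
    for req_id in weights:
        status = assessment.get(req_id, Status.NOT_IMPLEMENTED)
        score -= deduction(req_id, status, weights)
    return score


def gaps(assessment: dict, weights: dict = WEIGHTS) -> list:
    """POAM input: (requirement, points it costs today), highest cost first."""
    open_items = []
    for req_id in weights:
        points = deduction(req_id, assessment.get(req_id, Status.NOT_IMPLEMENTED), weights)
        if points:
            open_items.append((req_id, points))
    return sorted(open_items, key=lambda item: -item[1])


# Constructed sample assessment for the subset above.
SAMPLE_ASSESSMENT = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.2": Status.IMPLEMENTED,
    "3.1.3": Status.PARTIAL,           # partial, no credit: -1
    "3.1.20": Status.NOT_IMPLEMENTED,  # -1
    "3.5.3": Status.PARTIAL,           # MFA for remote/privileged only: -3, not -5
    "3.13.11": Status.PARTIAL,         # encryption in place but not FIPS-validated: -3
    "3.14.5": Status.NOT_IMPLEMENTED,  # -3
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT))  # 110 - 11 = 99
    for req_id, points in gaps(SAMPLE_ASSESSMENT):
        print(f"  {req_id}: -{points}")
```

Two details worth noticing: a partially implemented control outside the two partial-credit cases costs the same as a missing one, so half-finished work earns nothing until it is complete, and the calculator refuses to produce a number when there is no System Security Plan, which mirrors the methodology's position that an assessment cannot be completed without one.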

Step 3: Developing A Plan of Action & Milestones (POAM)

After the score is calculated, the next step in the process is to develop a Plan of Action & Milestones or POAM.

This is essentially a high-level project plan with the basics of what is missing, a general plan of action, and when to expect achievement.

This slimmed-down plan doesn't include many of the details of a full-fledged project plan. However, it provides general guidance for your team and demonstrates your commitment to resolving the present gaps in the current security framework of your business.

The POAM is the second input to your SPRS submission: SPRS does not take the plan itself, but it does take the date by which the plan says the open items will be closed (see Step 5).

Prioritize the controls that need to be addressed, based on how much of the NIST framework each can remedy along with budget, resources, and timelines.

As you review this, you will get a better understanding of the work ahead. It will also become clear whether you have the resources in house or will need to collaborate with an external provider to achieve compliance.

Step 4: Developing your System Security Plan

The next piece of data in the NIST gap analysis process is the System Security Plan or SSP. This is a living document and may be sparse at first depending on the current state of your cybersecurity controls.

Over time the SSP will grow to include all the policies, practices and references to change management that relate to physical and IT security controls.

Step 5: Determining Completion Date

The remaining piece of data needed for SPRS is the “completion date.”

In the same way that the score is less about the numeric value and more about the focus to improve to achieve a score of 110, the completion date is a realistic date by which your team will achieve complete compliance with all the NIST 800-171 controls.

That target date is a waypoint toward compliance with other frameworks like the DoD Cybersecurity Maturity Model Certification (CMMC).

Step 6: Improving Cybersecurity Following Gap Analysis

With the score, the POAM and its completion date, and the SSP in hand, you’ve now completed the gap analysis process. You’re ready to start on the journey of improving your cybersecurity hygiene and systems.

While there is a commitment of time, energy, and resources throughout the process, the value delivered is worth the investment.

Your organization now has a clear plan of action upon which to base budgets, resource allocation, and action.

What’s The Bottom Line?

In this article, we’ve covered the basics and common steps on the journey towards NIST 800-171 compliance. While the steps listed may be common among gap analyses, approach yours with an open mind. Every environment is unique. 

Now that you know what to expect from a NIST 800-171 gap analysis, you are ready to decide if this is something you can handle yourself or if you’d benefit from working with an outside consultant.

Experience has shown that some businesses are better suited than others to handling this task internally, namely those that:

  • Have a large enough internal IT team that a few people can be pulled away for an extended period of time to hyper-focus on the needs of the analysis without impacting your internal IT support needs.

  • Have an internal team with certified cybersecurity experts and registered practitioners with prior cybersecurity compliance experience.

If your company doesn’t fit those criteria, you may find that working with an external provider will be advantageous to help your organization avoid common mistakes that may compound the time and cost of reaching your compliance needs.

Keep in mind that for organizations that work with the Department of Defense, NIST SP 800-171 is a stepping stone toward the latest cybersecurity framework known as Cybersecurity Maturity Model Certification (CMMC).

If you are considering working with an external consultant, explore several options to find one that is the right fit for your organization and one that has experience helping companies like yours on the path to NIST 800-171 compliance.


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
