What to expect from a NIST 800-171 gap analysis
I’ve been having many conversations with manufacturers about their need to get aligned with an interim rule put out by the Department of Defense (DoD) recently.
The basic deliverables of that rule are to submit the score a supplier achieves following a gap analysis based on the controls listed in the NIST Special Publication 800-171 document.
Sounds simple right?
I can tell you from experience that the idea is not clearly defined within the rule.
Furthermore, there’s a lot of missing information out on the web about what’s needed. I’m going to describe for you what this process entails, why it's important and what happens afterward.
After reading through this article, you’ll have a better understanding of what a gap analysis is, the steps you can expect for a gap analysis against the controls listed in NIST SP 800-171, and how to work through them.
What is a gap analysis?
Before we get into the process, deliverables, and outcomes, let’s define what we’re talking about.
In business jargon, a gap analysis is a structured comparison of the current state of business attributes to the desired state of those same attributes.
This is ambiguous and doesn't relate well to the conversation at hand.
Let’s think of it in a real-world setting. For the sake of our NIST example, the gap analysis will compare how you treat your security (cyber, physical, etc.) today compared to the controls (practices) listed in the NIST documentation.
There are 110 of them in the NIST 800-171 documentation and the interim rule’s deliverable includes telling the DoD how you stack up.
Specific considerations for a NIST gap analysis
We have defined our NIST gap analysis. But what does it mean in practice? Let’s put a couple of assumptions in place to frame this correctly.
As a DoD supplier, IT and cybersecurity are likely not your primary work function. Your business likely does something for, produces something for, or finishes something for the DoD.
To do that work, you receive certain kinds of physical, technical, or administrative information. As such, you need to operate in a manner consistent with these controls.
That said, you’re not going about this process by yourself. You’re working with an experienced IT and cybersecurity partner to go through this gap analysis process.
We'll also presume that because the DoD business is important to your company, you intend to follow through and work towards the complete achievement of the controls outlined in the NIST document.
This will allow you to retain your current contracts and ensure you can continue competing for future ones.
Step 1: Interviews and questionnaires
Your consulting partner will coordinate a set of conversations with your team based on groupings of the controls or questions that need to be answered.
Since there’s a good number of them, it’s not productive to attempt to just plow through them all in one shot. You can expect to receive a set of questions ahead of time to be covered across multiple sessions.
This provides your team time to research the data needed, align the right resources, and be comfortable with the subject matter.
What to expect from the interviews
Interview sessions work best when they’re limited in scope and last no more than about two hours. Expect to repeat this at least two-three times after the initial session depending on how they go and how much is covered in each.
Often there’s additional Q&A that takes place from both sides during these calls. It's imperative to keep a flexible mind about the total duration and commitment of time.
Your team must come away with a good understanding of your current state and knowledge of the gaps along the way.
Step 2: Scoring
Once all the interviews are done and questions answered, your consulting partner will compile the controls and notes for each. You’ll then have your resulting score for the gap analysis.
This is one of the components of the data needed to upload into the Supplier Performance Risk System (SPRS) as outlined in the interim rule.
How you’re scored
What’s important to understand for this specific process and the NIST controls is that the scoring is a reductive measure, not additive.
That means that when a control is missing or not fully implemented, a number of points (1,3,5) are reduced from the overall score. This differs from the typical idea of “adding up” all the correct answers and totaling for a score.
This means that it’s possible to get a negative score on the gap analysis.
Don’t let that distract you from staying the course. The intent of this process is not to “score” well but to perform the gap analysis and start the process of working towards a score of 110. The actual score you enter into SPRS is not a measurement of success, but rather just a piece of data.
Step 3: Developing your Plan of Action with Milestones (POAM)
After the score is calculated, the next step in the process is to develop a Plan of Action with Milestones or POAM.
This is essentially a high-level project plan with the basics of what is missing, a general plan of action, and when to expect achievement. It is a slimmed-down plan without lots of the common components of a full-fledged project plan.
However, it provides general guidance for your team (you and your consulting partner) as well as demonstrates your commitment to resolving the present gaps in the security framework of your business today.
This POAM is also another component of the data that needs to be uploaded into SPRS.
Your consulting/IT partner will prioritize the controls to be addressed. The considerations for prioritization include how much of the NIST framework each can remedy along with budget, resources, and timelines.
As you review this together, you will get a clear picture of the work ahead as well as what you can do yourselves. It will also become clear what you’ll need to outsource or collaborate on with your consulting partner/IT provider.
Step 4: Developing your System Security Plan
The next piece of data in the NIST gap analysis process is the System Security Plan or SSP. This is a living document and may be sparse at first depending on the current state of your cybersecurity controls.
Over time it will grow to include all the policies, practices, and references to change management that relate to physical and IT security controls. The document that comes out of this gap analysis process is sufficient for submission to SPRS.
It acts as the third piece of data required for compliance with the interim rule.
Step 5: Determining completion date
The remaining piece of data needed for SPRS is the “completion date.” Think back to the score discussion above and how it's not as much about the score itself. Rather, it reflected that you did the work to get the score in the first place and now will focus on improving it to 110.
We see that same concept with the completion date.
Now that you have the score, POAM, and SSP, discuss with your consulting partner/IT provider and come up with a completion date. This is a realistic date by when your team will achieve complete compliance with all the NIST 800-171 controls.
That becomes your target date and waypoint towards other compliance frameworks like CMMC.
Step 6: Improving your cybersecurity with the gap analysis completed
With the four pieces of data in hand (score, POAM, SSP, and completion date), you’ve now completed the gap analysis process. You’re ready to start on the journey of improving your cybersecurity hygiene and systems.
While there is a commitment of time, energy, and resources throughout the process, the value delivered is worth the investment. Your organization now has a clear plan of action upon which to base budgets and resource allocation over the coming months and quarters.
Attempting to skirt around the gap analysis investigation and process will only result in spending that time and money later. Perhaps more of each depending on the missteps in the early going.
The research done upfront creates a more engaged remediation plan as well as a better-informed team primed to do the work.
Should you work with a consultant?
These have been the basics and common steps on the journey towards NIST compliance in the Defense Supply Chain. Remember that every environment is distinct. While the steps listed may be common among gap analyses, approach yours with an open mind.
Knowing what to expect now from a NIST 800-171 gap analysis, you have to determine if this is something you can handle yourself or if you’ll want to work with an outside consultant. We’ve found that certain businesses are a better fit than others for that arrangement.
An outside consultant may not be the best fit for you if:
- You’ve got a large enough internal IT team that you can pull a few of them away for an extended period of time to hyper-focus on the needs of the analysis without impacting your internal IT support needs.
- Your internal team has certified cybersecurity experts and registered practitioners.
- Your internal team has prior cybersecurity compliance experience.
If your company doesn’t fit all of those above criteria, we’ve found that working with an outside consultant is likely a better fit for you.
By working with a consultant, you’ll avoid common mistakes that may compound the time and cost of reaching your compliance needs. It can also get you back to working on what you do for the Defense Supply Chain rather than laboring towards being able to work with them again.
Work with the DoD? NIST 800-171 is just a first step
Furthermore, if you are working with the DoD, compliance with the controls in NIST SP 800-171 is a stepping stone. The DoD is now also requiring compliance within the CMMC framework for which NIST 800-171 is just a first step.
I’ve had this conversation with numerous companies in the Defense Supply Chain. This doesn’t have to be an intimidating process if handled properly from the start.
Kelser has helped businesses like yours become compliant with any number of standards or frameworks (NIST, CMMC, HIPAA) over the years. We have Registered Practitioners on staff that know where you are, what you're going through, and how to get you to your goal of compliance.
No matter where you are in the U.S., your number of employees, what you do for the Defense Supply Chain, or where you are in your compliance journey, please feel free to reach out to me with any questions.
It only takes a bit of time to work through your concerns and align you and your company for your next step.