Comprehensive Evaluation of Compliance with NIST SP 800-171

Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations

NIST SP 800-171, authored by the National Institute of Standards and Technology, serves as a comprehensive framework designed to safeguard Controlled Unclassified Information (CUI) within nonfederal systems and organizations. This critical set of guidelines is applicable to a diverse range of entities outside the federal sphere, including academic institutions, state and local governments, and private sector companies, particularly those managing or interacting with CUI under federal government contracts. The directive mandates these organizations to rigorously implement and maintain the security measures delineated in NIST SP 800-171. Compliance with these standards is integral to ensuring the secure handling of sensitive information, thereby fortifying the mutual trust and integrity essential in the collaborations between the federal government and its nonfederal partners.

Sigma Technology will undertake a comprehensive Gap Assessment for customers. This assessment strategically focuses on aligning the company’s existing cybersecurity practices with the stringent requirements set forth in NIST SP800-171. The objective is to meticulously identify and address any discrepancies or shortcomings in current security protocols. Furthermore, Sigma Technology will extend its expertise in aiding companies to develop a robust System Security Plan (SSP), conduct a thorough Gap Assessment, and systematically prioritize corrective actions.

Scope the Assessment:
⦁ Determine the boundaries of the CUI environment.
⦁ Identify the systems, people, and processes that interact with CUI.

Develop the System Security Plan (SSP):
⦁ Create an SSP that outlines how each control is or will be met.
⦁ The SSP should detail the processes and systems in place to protect CUI.

Conduct a Gap Analysis:
⦁ Compare current practices against the 110 controls across the 14 control families to identify gaps.
⦁ Document the current compliance status for each control.

Develop Plans of Action and Milestones (POA&Ms):
⦁ For controls not fully implemented, create POA&Ms.
⦁ POA&Ms should outline tasks, resources required, completion dates, and milestones for achieving compliance.

Assessment and Documentation:
⦁ Use NIST SP 800-171A to assess the implementation of each control.
⦁ Document findings and evidence of compliance for each control.

Remediate Deficiencies:
⦁ Address any deficiencies found during the assessment.
⦁ Update the SSP and POA&Ms as controls are implemented or remediated.

Continuous Monitoring:
⦁ Establish a process for ongoing monitoring of compliance with NIST SP 800-171.
⦁ Periodically update the assessment package to reflect changes in the environment or controls.

Create the Assessment Package:
⦁ Compile all documentation, including the SSP, POA&Ms, assessment results, and evidence of compliance.
⦁ Ensure the assessment package is organized and easy to follow.

Secure the Package:
⦁ Protect the assessment package, as it may contain sensitive information about the client’s security practices.
⦁ Control access to the package and share it only with authorized individuals.

Policy and Procedures/Documentation Requirements:
During this engagement, we will assist the client with the development of the policies, procedures, and plans listed below:

⦁ Access Control Policy
⦁ Security Awareness and Training Policy
⦁ Audit and Accountability Policy
⦁ Configuration Management Plan
⦁ Identification and Authentication Policy
⦁ Incident Response Plan
⦁ Maintenance Policy
⦁ Media Protection Policy
⦁ Personnel Security
⦁ Physical Protection
⦁ Risk Assessment
⦁ Security Assessment Policy and Procedures
⦁ System and Communication Protection
⦁ System and Information Integrity

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework that helps healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA and the HITECH Act, US healthcare laws that establish requirements for the use, disclosure, and safeguarding of individually identifiable health information and that penalize noncompliance.

The readiness assessment is recommended prior to the validated assessment in order to identify control weaknesses that need correction. Sigma Technology’s deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls
  • Control gaps and areas of improvement
  • Prioritized observations and recommendations for remediation

The advantage of performing a readiness assessment prior to a HITRUST assessment is that it gives management an opportunity to address control gaps before an inaugural examination, as well as helping with required risk assessment activities.