Last Updated on January 18, 2024
With the US Department of Defense (DoD) moving towards a “continuous compliance” model for NIST 800-171, how can SMBs in the defense industrial base (DIB) efficiently and effectively create compliance policies and procedures? What do you need to monitor? How should you collect the data to show compliance? Where to even begin?
To help SMBs in the DIB get a handle on continuous compliance—including ideas and examples to help you get started—a recent episode of The Virtual CISO Podcast features Andrea Willis, Senior Product Manager at Exostar. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Examples of what controls to track for compliance
NIST 800-171 has 110 controls, and demonstrating compliance with a control means showing two forms of evidence of its “persistent and habitual” execution. Sounds like a lot of data collection!
Andrea starts with a typical example: access control. “It’s one of the biggest areas—22 different controls—and one of the biggest areas within that is you have to control and monitor remote access sessions,” Andrea notes. “So, you’re going to have to show that you have the controls and the processes in place.”
“But then you’re also going to have to show continuous monitoring,” Andrea relates. “You’re going to have to track—if it’s a monthly or weekly report, whatever—that you’re actually doing that monitoring along with it. ‘Continuous’ is more than just doing the policies and procedures. That’s the first step. But then you actually have to show that you have monitoring in place.”
Another example is physical protection controls. If you have visitors coming into an office or data center, you need to have appropriate policies in place. But you also need to document that visitors comply with the policies; e.g., that they’re escorted while inside the facility.
“Life is continuous, right?” quips Andrea. “All these controls need to keep going, and you need to document that you have the policies and procedures in place and that you’re consistently following them.”
Implementation is easier than operation
Based on experience helping SMBs build out strong cybersecurity programs, John observes that it’s usually easier to implement controls than to “operationalize” the program. That is, establishing the processes to make sure that controls are working on a continual basis and that mechanisms are in place to identify hiccups and collect the artifacts needed to prove compliance.
Andrea points out that third-party support can really help with operating a cybersecurity program: “One thing that keeps coming up is the personnel, the people to do the jobs. SMBs are not finding and keeping the resources because of intense competition. That’s where the MSP or MSSP becomes critical. They can help organizations operationalize because they can augment your resources or augment the service that you need to reach compliance.”
As an example, Andrea cites Identity & Access Management: “You can get that service from an MSP. They can package the software for you and give you back the compliance reports that your internal person would then have to verify.”
Many SMBs may lack in-house skills to even start implementing a control, let alone run it.
“That’s what I see more with the customers I talk to, is how do they get the skills for things they don’t have in-house that they know they need,” says Andrea. “Especially as DoD has identified a number of controls as being more critical, which is why they have that ‘minus-5’ weight when you start looking at the SPRS score.”
A trusted ecosystem
Maintaining compliance with a robust cybersecurity standard like NIST 800-171 takes the right skills and tools.
“The way we see it is you need the expertise on the front side to know what controls need to be in place and how to define those and get them documented,” John advises. “The next thing you need is what we call the trusted ecosystem necessary to execute those controls.”
“A trusted ecosystem means two things,” John adds. “It means the right people—people with the right qualifications, the right scope of knowledge, the right amount of bandwidth and time. And then you also need the right product. Because often you’ll be reliant on a product like you mentioned, an Identity & Access Management or Multifactor Authentication (MFA) or Security Information & Event Management (SIEM) solution… These things in optimal combination are going to position you for moving towards that state of continuous compliance.”
What’s next?
For many SMBs looking to jumpstart a continuous compliance program, the first question often is “Where do we start?” Third-party specialists can offer invaluable guidance tailored to your unique situation, including staff and budget.
To start brainstorming with a NIST/CMMC expert, contact Pivot Point Security.
To listen to the podcast episode with continuous compliance advocate Andrea Willis in its entirety, click here.