NIST 800-171 Risk Assessments: Straight Talk
What is a risk assessment, in the context of NIST cybersecurity compliance? What does it entail? When should we conduct the risk assessment? Who can do it for us, or can we do it ourselves?
Most companies pursuing compliance are looking for a tool or checklist…and believe that having the assessment done will set them on a clear path to compliance. There are some important truths to consider first.
KNOW THIS UP FRONT
Despite what some assessment companies advertise, a third party risk assessment does not certify your compliance with the NIST requirements… It is not a certifying factor toward compliance, but it is considered a best practice for companies who are truly invested in achieving compliance with the regulatory security standards.
It’s worth mentioning that the risk assessment itself does not hold any weight when a company is reviewed for NIST SP 800-171 compliance. This is an oft-cited belief, but deficiencies identified in the risk assessment will be presented in the Plan of Actions and Milestones (POAM). The POAM is a required document, but the risk assessment is not.
ARE YOU READY TO BE ASSESSED?
Before you do anything else, educate yourself by reading through the NIST requirements, alongside someone with a good sense of your current security practices. Having a basic understanding of what security measures need to be addressed will help you decide if the process is something you can afford, and want, to invest in. You can compare the requirements with current practices, to determine how much time and labor compliance might cost your company.
The value of a risk assessment that is completed at the right time is that it lets you target the less obvious areas of operational opportunity. So, show your basic security practices a little love and attention before doing the formal risk assessment.
Address your low-hanging fruit first — the obvious security measures that should already be in place and are relatively quick to address. Fixing these before the assessment will allow the audit to identify more detailed security opportunities. The assessment will be more targeted and meaningful: a detailed, actionable list of smaller, more manageable items.
CAN YOU DO YOUR OWN ASSESSMENT?
You can complete your own risk assessment. Be aware it is lengthy and potentially confusing, depending on the measures you have in place at the outset. There are risk assessment tools available that will walk you through your own risk assessment.
If you choose to do your own assessment, you may want to include someone in addition to (or instead of) your IT manager. The assessment is detail-oriented, so involving others (a Facility Security Officer or CIO, for example) will add a fresh set of eyes and another pair of hands to the process.
CAN YOU PAY SOMEONE TO DO YOUR ASSESSMENT?
An unbiased, third-party company remains best-practice for those considering a risk assessment. An assessment company possesses the in-depth knowledge and efficiencies to complete the inquiry quickly and competently. It will allow your IT and security staff to remain focused on their primary role responsibilities. And, it will remove the tendency that an insider might have to overlook or ignore some requirements out of unfamiliarity with the requirement.
Before you hire a company to complete your assessment, ensure you know what the process will yield. Some assessment companies create an actionable list of opportunities that, once addressed, will mean your company is in compliance with all of the requirements of NIST SP 800-171. Others, however, deliver only a score at the end of the assessment, representing how close to (or far from) compliance your business is.
WHAT’S THE PRE-WORK?
If you want to get the most out of your risk assessment, here are a few high-level items to address first. Getting these out of the way will enable your risk assessment to focus on more detailed items of opportunity and ensure that you have a good head start on your journey to compliance.
- Read NIST SP 800-171. Gain a basic understanding of the requirements for compliance.
- Have, or work with someone who has, an adequate understanding of your network, facility, and security practices.
- Understand the high-level, basic best practices for cyber- and physical security:
- Offer and require employee training on cybersecurity best practices.
- Address and maintain physical site security, and train employees on what those are.
- Do you have a functional: Ticketing system? Log aggregation tool? Active directory? Inventory tool?
- Are your security patches up to date? What about your hardware and software updates?
- How and where do you backup your data? Do you have a single point or redundant systems? What about ransomware?
- You have antivirus software, right? And an enterprise level firewall?
- Are your servers and all of your endpoints updated to an effective operating system?
ASSESSMENT IS DONE…WE’RE GOOD!
You did your pre-work and completed the assessment. You have a targeted list of deficiencies, know where to focus attention, and understand what to address so your systems and processes meet best practices for site- and cyber security. Feel good about that.
Now: address your deficiencies! Simply completing a risk assessment or identifying areas of need on the POAM is insufficient to demonstrate compliance with NIST requirements. Once you document what is broken, you must make demonstrable efforts toward addressing those areas of deficiency.
Once you’ve achieved cybersecurity compliance, remember that it’s an ongoing process and mindset. Dedicated risk assessments should to be done on an annual basis in an ideal world.
Cybersecurity means constant vigilance. Best practices keep pace with changing regulations which keep pace with evolving threats. That means that there is never an endpoint. It’s a state of constant monitoring, educating, and improving systems and processes, to keep our companies, and the data for which we are responsible, safe and protected.