We received a frantic call one afternoon. The caller had dozens of specific questions about cybersecurity, NIST 800-171 and CMMC. As we answered each, and tried to put them at ease, the full story came out: They had done a review of their cyber posture and according to the checklist, they were failing miserably, with a NIST 800-171 that was -61 (negative 61!). The score had been briefed to senior management and did not go over well. They needed to fix things fast.
When it comes to cybersecurity scores and remediation, knowing is half the battle, and the rest is hard work. Understanding the standards and practices means learning a new language of cyberspeak and legalese.
The path to a fully functioning cyber program can be daunting, but achievable. Our experience has shown us a few tips and tricks to help tackle this beast:
1. Don’t think remediation will take one weekend.
Our client had been working on NIST and toward CMMC but never thought they would have a negative score. Even with outside help, remediation takes weeks and months, not days. Allow yourself time prior to needing to report your NIST score or certification to fully understand, plan for and remediate your issue(s). It also takes time to train for and mature practices and polish a fully operational cyber program.
2. Involve your team
Use the talent you have to help with crafting polices, training and outreach materials. A cyber program is not just about the tech; it involves the Big 3 – People, Processes and Tech. You can defray the cost and burden of your cyber posture by getting creative about using employee skills to help.
3. Call for help early
Don’t waste valuable time if it’s clear your needs exceed your knowledge. Outside companies and consultants that focus on cyber can step in, help you with a plan, and accelerate results. Our client’s panic led them to look for outside help. The good new is that they are very knowledgeable about cybersecurity but needed additional expert support to get over the finish line. Our team quickly reviewed their current poster and put together a logical plan to get their NIST 800-171 score positive and put them on a path to CMMC Level 3.
4. Use the resources
Both the Defense Department and NIST have resources to help with remediation. They’ve published great guides and other documents. There’s no need to reinvent the wheel; use what is publicly available to move you from point A to point B.
5. Even when you are done, you are not done
A good cyber program is always evolving and needs to nurtured. Once remediation is done you have a good foundation, but it will quickly fall apart or become outdated if not attended to. Just like a garden, you just can’t till the land, plant the seeds and walk away. CMMC will be updated as new threats emerge, so at a minimum, organizations will need to stay on top of the corresponding controls.
In a few weeks we cleaned up our rattled client’s technical controls, reviewed and made recommendations to policies and procedures, and established a standard meeting schedule to support their cyber program. The path from panic to compliance is not an easy one but with steady methodical steps, the right expertise, and cooperative work, it can be achieved.
Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected] And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.
Edward Tuorinsky, Managing Principal at DTS, a government consultant business, is a service-disabled veteran who brings nearly two decades of experience to DTS in the areas of leadership, management consulting and information technology services.