$1,700.00
SKU: P10-NCC
Availability: Digital Download - Available Immediately

NIST 800-171 Compliance Criteria (NCC)


NIST 800-171 Compliance Made Easier

We listened to our customers and created this product based on demand. We had an overwhelming number of requests from companies asking for help becoming NIST 800-171 compliant. Most have told us they do not know where to start, but they know this is a requirement they cannot run from. Both DFARS and FAR point to NIST 800-171 as the expectation for contractors to protect Controlled Unclassified Information (CUI).

Comprehensive NIST 800-171 Compliance Criteria

If you are starting off on the journey to comply with NIST 800-171, then our NIST 800-171 Compliance Criteria (NCC) solution is a cost-effective and practical option. The NCC is an affordable and versatile tool that can serve several roles:

  • Guidebook to walk through each NIST 800-171 control requirement
  • Tool to perform a detailed gap assessment 
  • Plan of Action & Milestones (POA&M)
 


The NCC can stand alone or be paired with other specialized products we offer to help you achieve compliance with NIST 800-171.

If you can use Microsoft Excel, then you can use the NCC to understand your requirements for compliance with NIST 800-171. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:

  • NIST 800-53 rev4 mapping to NIST 800-171 requirements.
  • Reasonably-expected criteria to address the NIST 800-53 control.
  • Applicable "best practice" guidance on what steps you need to take to be compliant.
  • Self-assessment options to track where you are compliant and what needs work.
  • Use it as a check-list when you walk through with your auditor.
  • Edit it for your needs to show controls that are not applicable to your business model.


What Is The NIST 800-171 Compliance Criteria (NCC)? 

The NCC product is considered a "consultant in a box" product to provide consultant-level guidance on how to comply with NIST 800-171. What do you get if you buy the NIST 800-171 Compliance Criteria (NCC) product?

  • The NCC is a “consultant in a box” solution that is essentially a NIST 800-171 checklist in an editable Microsoft Excel format.
    • The NCC covers all controls in Appendix D of NIST 800-171.
    • It also covers the Appendix E Non-Federal Organization (NFO) controls, which NIST expects contractors to have in place without them being separately specified.
  • Each of the NIST 800-171 controls is mapped to its corresponding NIST 800-53 control.
  • Each of the NIST 800-53 controls is broken down to identify:
    • Reasonably-expected criteria to address the control.
    • Applicable compliance guidance;
    • Methods to address the requirement; and
    • Status of compliance for each control so you can use it for a self-assessment.
  • The NCC maps into the Written Information Security Program (WISP) and Digital Security Program (DSP) products, so they can work in concert together to make it easier to comply with NIST 800-171 since your organization can have NIST-based policies and standards to support NIST 800-171 compliance efforts.

What Problem Does The NCC Solve?

  • Lack of In House Security Experience - Most prime and sub-contractors lack specialized expertise in NIST 800-171. Tasking your managers, IT personnel or security staff to research and write comprehensive documentation is not a wise use of their time. The NCC is an efficient method to obtain comprehensive guidance on NIST 800-171 compliance requirements. Most small contractors cannot afford tens of thousands of dollars in consultant fees to help become compliant with NIST 800-171. The NCC is designed with affordable compliance in mind, since it focuses on clearly calling out reasonably-expected security requirements, as well as possible technology solutions, where applicable. 
  • Compliance Requirements - NIST 800-171 is a reality for companies in scope for the DFARS and FAR contract clauses. The NCC is designed with compliance in mind, since it focuses on reasonably-expected security requirements to address the NIST 800-171 controls. You can even use the NCC as a Plan of Action & Milestones (POA&M) to identify and track control deficiencies.
  • Audit Failures - Without being able to demonstrate compliance with NIST 800-171, your organization will likely lose government contracts - it is as simple as that. The NCC is a tool that can jump start your organization towards being compliant with NIST 800-171 requirements.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The NCC can provide this evidence!

How Does The NCC Solve It?

  • Clear Documentation - The NCC is a Microsoft Excel spreadsheet, so it is editable for your needs. It provides not only guidance, but a method to track compliance. This can be helpful when filtering requirements to focus on the areas that need help.
  • Time Savings - The time savings are immense, as compared to writing something equivalent of the NCC yourself or hiring a consultant to write it for you!
  • Alignment With Leading Practices - The NCC is written to align your organization with NIST 800-53 rev4, since that is what all the NIST 800-171 Appendix D and E controls map to!  

  

Product Example - NIST 800-171 Compliance Criteria (NCC)

Our customers choose the NIST 800-171 Compliance Criteria (NCC) because they:

  • Have a need for clear guidance on what NIST 800-171 controls require
  • Need to be able to edit the document to their specific needs
  • Have documentation that is directly linked to NIST 800-53 and NIST 800-171 
  • Need an affordable solution

 

Don't take our word for it - download the product example to see for yourself the level of professionalism and detail that went into it.

 

Cost Savings Estimate - NIST 800-171 Compliance Criteria (NCC)

The process of writing cybersecurity documentation can take an internal team many months, and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. Hiring a consultant does not remove that burden: your internal team is still needed for quality control and answering questions, so the impact is not limited to the consultant's time being consumed. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and receive the deliverable can take months.

When you look at the costs associated with either hiring a consultant to write cybersecurity documentation for you or tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Purchasing the NCC offers these clear advantages:

  • Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars!
  • Compared to writing your own documentation, you can potentially save hundreds of man-hours and the associated cost of lost productivity. 
  • Orders are usually processed the same business day so you get your documentation quickly! 

When you factor in approximately 80+ hours of a cybersecurity consultant's time, plus the internal staff time to perform reviews and refinements with key stakeholders, purchasing an NCC from ComplianceForge costs approximately 7% ($22,000+ in savings) of what it would cost to hire a consultant to write it for you!

 


When you factor in 110+ hours of internal staff time to research, write and peer review cybersecurity documentation, purchasing an NCC from ComplianceForge costs approximately 21% ($6,500+ in savings) of what it would cost to write your own documentation!

 

FAR vs DFARS (NIST 800-171) Implications 

NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. Many of our clients who need to address DFARS 252.204-7012 also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002, the NIST Cybersecurity Framework or NIST 800-53, since those are the most common security frameworks.

The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. 

This means that only the NIST 800-53 framework is going to meet the FAR and DFARS requirements for NIST 800-171 - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage.

Not sure what CUI is or if you have CUI on your network? We have several free guides and videos that you can use to educate yourself on the matter or you can go to the US Government's authoritative source, the US Archives CUI Registry at https://www.archives.gov/cui/registry


Useful Tool For NIST 800-171 Scoping 

The NCC is a fantastic tool to perform a requirement-by-requirement assessment of what is in scope and what is out of scope. If something is out of scope, you can easily mark the control as Not Applicable and provide justification for that decision in the notes column. From a walk-through perspective with an auditor, nothing beats doing a clear and concise walkthrough to set the stage for what the auditor is going to look at and what is out of scope!

NIST 800-171 states that when an organization designates specific system components for the processing, storage or transmission of CUI, it may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.

When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). If scoping is done poorly, a company's Cardholder Data Environment (CDE) can encompass the enterprise's entire network, which means PCI DSS requirements would apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. NIST 800-171 should be viewed in the very same manner.

NIST 800-171 Scoping Considerations

We put together a free guide to help companies scope their computing environment, identify what is in scope for NIST 800-171 and what falls outside of scope, and potentially find ways to minimize scope through isolation or controlled access.

 

Save Up To 45% With A Bundle! 

We have a few discounted bundles specifically tailored for clients who need to comply with NIST 800-171, but we can always make a custom package for you. Just give us a call or email us at support@complianceforge.com to request a custom package.


 

Which Product Is Right For You? 

Our documentation is meant to address your requirements from strategic concepts all the way down to the day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you can benefit from significant savings by bundling the documentation you need.

 


 

We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!

 


 

Reviews

  • 1. Well worth the money (5/5)

    I can’t thank you enough for the tools you guys have created. It has saved us countless hours in the implementation of 800-171.

    - Director of Information Technology on Jan 10th 2018
  • 2. NIST SP800-171 Product (4/5)

    Like the spreadsheet format. The value in this package is the following columns:

    - Reasonably-Expected Criteria To Address Control Objective
    - Applicable Best Practice(s) Guidance

    These represent a degree of control specificity that was missing from our on-going effort.

    - Jan 24th 2017
