The 4 Phases for NIST SP 800-171/CMMC consulting to prepare for a Conformity Assessment.
Peak InfoSec's NIST SP 800-171 & CMMC Consulting Methodology

CMMC & NIST SP 800-171 Consulting

Unless a client wants just limited consulting hours to ask specific questions about implementing NIST SP 800-171 in preparation for a Cybersecurity Maturity Model Certification (CMMC) Conformity Assessment, Peak InfoSec follows the methodology depicted above. Once Peak InfoSec became an Authorized CMMC 3rd Party Assessment Organization (C3PAO), we found following this methodology to be even more critical to prepare clients for the rigors of a Defense Industrial Base Cybersecurity Assessment Organization (DIBCAC) non-voluntary audit, a Joint Surveillance Voluntary Assessment (JSVA), and to prepare for CMMC.

Our past 7 years of experience working on getting clients ready to meet 48 CFR § 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and fulfilling NIST SP 800-171 Security Requirements forged this methodology.  We also use this same methodology for compliance work on other information security frameworks.

Phase 1: Gap Assessment

Phase 1 of our consulting methodology is to always conduct a Gap Assessment.  Implementing a security framework requires Peak InfoSec to:

  1. Understand where your organization is at on its Information Security journey and to understand your operating environment.
  2. Understand where your organization processes, stores, and transmits Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  We also look at the other types of sensitive data your organization may handle, such as International Traffic in Arms Regulations (ITAR)/Export Administration Regulations (EAR) that may influence your compliance.
  3. Understand your organization’s misconceptions about implementing NIST SP 800-171 per Federal laws, regulations, and DoD CIO Guidance.

The latter two areas are the ones where organizations get into the most trouble with a C3PAO or DIBCAC during their conformity assessment.  The Gap Assessment Phase is made up of 5 steps:

  1. Baseline Understanding of FCI & CUI
  2. Scope the Environment
  3. Review Security Requirements for Conformity
  4. Identify Gaps and Deviations
  5. Provide Recommended Remediations

For more information about Phase 1: Gap Assessment, please go to CMMC Consulting Phase 1: Gap Assessment.

Phase 2: Design & Plan

After completing the Gap Assessment in Phase 1, the next phase of our methodology is Phase 2: Design & Plan.

While the graphic above depicts these phases running serially, our best clients, the ones committed to getting compliant, run Phases 2 & 3 in parallel.

Phase 2 starts with the sub-phase of Design.  In design, we take all of the recommended remediations identified in Phase 1 and define your end-state, to-be architecture.

The second sub-phase is Plan. The purpose of Plan is to create your organization’s Plan of Action & Milestones (POA&M) in order to address all of the deficiencies identified in Phase 1. Plan has four steps we follow:

  1. Fill-in “One-Day” Gantt Chart
  2. Resource the Project Plan
  3. Finalize Timing
  4. Manage POA&M Revisions

The last step is actually a feedback loop from CMMC Consulting Phase 3: Remediation. For more information about this phase, please go to CMMC Consulting Phase 2: Design and Plan.

Phase 3: Remediation

Phase 3 is all about resolving your organization’s identified deficiencies.

Phase 3 involves working through the identified deficiencies at the level of each NIST SP 800-171 Assessment Objective, down to the individual system component. Coming out of this will be your organization’s Policies, Plans, Procedures, and Organization Defined Parameters (ODP). This is all driven by your organization’s governance function.

As a part of this phase, we also conduct Pre-Assessment Readiness Reviews (PARR) for each requirement as it flips from NOT MET to MET.

This helps us gauge your organization’s conformity as the remediation phase iterates.

The Remediation Phase also provides a final gut-check on whether your organization is ready to contract a C3PAO to conduct your conformity assessment.

For more details about this phase, please go to CMMC Consulting Phase 3: Remediation.

Phase 4: Conformity Assessment Support

The last phase of our methodology is Phase 4: Conformity Assessment Support. As an authorized C3PAO, we work with you and your team to facilitate your CMMC Conformity Assessment, whether it is conducted by another C3PAO or by DIBCAC if this is a non-voluntary NIST SP 800-171 audit.

Regardless of who your organization chooses to help you get ready for NIST SP 800-171 & CMMC, you want that consultant at your table during this event.  We liken a formal Conformity Assessment to an IRS audit.  IRS Auditors and Accountants speak their own language loaded with jargon and nuances.  You want someone who understands that during your assessment.

Please jump to CMMC Consulting Phase 4: Conformity Assessment Support for more specifics.
