I have written in the past about using a tool to assess your organization’s compliance against a security standard. There are several that exist. ISO, CIS, and FISMA are some of the more well-known frameworks. Up to now, we have recommended CIS Controls, because they can account for the size and technical sophistication of the organization. Recently we came across a new (to us) tool, ComplyUp, that we will be trying out. You may see us recommending use of this tool in the future. Let me explain why.
Use What Works
Before I go into ComplyUp, I want to reiterate our core recommendation. Use whatever security compliance framework and tool works best for your organization. As always, the salient considerations as you look at compliance tools are
- Does the compliance tool help you structure your security program?
- Is the compliance tool adaptable to your organization’s situation?
- Are you likely to use the tool to work through the construction of your security program?
How Compliant Do You Need to Be?
We are looking at ComplyUp because one of our customers plans to do business with the US Department of Defense (US DoD). Demonstrating compliance to a cybersecurity standard is a different animal than your run-of-the-mill “aspirational” compliance approaches. US DoD has a much higher standard for cybersecurity compliance than what most of our customers need. Still, we see some benefits for ComplyUp even if you are not planning to transact business with a national government.
Diving into ComplyUp
ComplyUp is built on the NIST 800-171 security framework. The NIST framework has a lot of depth (more on that in a moment), which is why we initially gravitated to the “lighter” CIS Controls. We have found more customers asking us to use NIST as the framework for their security programs, so we decided it was worth a deeper look.
NIST 800-171 comprises fourteen compliance areas, each with several requirements. Here is a list for you.
- Access Control (22 requirements)
- Awareness and Training (3 requirements)
- Audit and Accountability (9 requirements)
- Configuration Management (9 requirements)
- Identification and Authentication (11 requirements)
- Incident Response (3 requirements)
- Maintenance (6 requirements)
- Media Protection (9 requirements)
- Personnel Security (2 requirements)
- Physical Protection (6 requirements)
- Risk Assessment (3 requirements)
- Security Assessment (4 requirements)
- System and Communications Protection (16 requirements)
- System and Information Integrity (7 requirements)
This can seem like an overwhelming list. However, like other security frameworks, you are allowed to say what does or does not apply in your circumstance.
One nice feature of NIST 800-171 is that you can achieve compliance via self-attestation. Meaning, you do not have to hire an expensive firm to assess your compliance and give you your gold star.
In NIST’s world, you follow these steps to claim compliance.
- Assess the environment where non-classified information is stored against the 800-171 requirements.
- Document findings and generate a System Security Plan (SSP) & Plans of Action (POAs).
- Calculate your score using your SSP and submit that score to the federal government.
- Remediate the requirements you don’t satisfy by changing configurations, deploying solutions, or updating your company policies.
- Monitor your organization and update your documentation periodically to accurately reflect your security posture.
The Slog of Working Through a Compliance Plan
Unless you are like our Defense Department contractor, you won’t need to submit a score to the US government. But ComplyUp is useful for you, even in this situation. Let me explain with an example.
We have been working with a customer in Africa who asked us to help them implement a security program based on the NIST 800-171 framework. No problem! Happy to help!
We have worked through all the assessment areas and their subtending requirements. That spawned a family of spreadsheets as we documented each requirement, assessed its applicability, determined its level of implementation, and noted required actions to gain compliance.
We now meet weekly to go over each spreadsheet. Our Program Manager notes what progress has been made against each requirement, what is left to be done, who has the action, etc. Even with the spreadsheets it is hard to gauge our progress. And it is especially difficult to summarize where we are for executive management.
This is where ComplyUp can help.
The ComplyUp Secret Sauce
The real value of ComplyUp is that the tool will lead you through a question-and-answer session on the 100-odd NIST 800-171 requirements. Out of that session, ComplyUp will automatically generate a System Security Plan and your Plans of Action and Milestones. (ComplyUp will also generate your NIST 800-171 score if you do plan to do work with the US government.) It is this System Security Plan and associated Plans of Action and Milestones that are the ComplyUp jewels here. You have customized, ready-to-use plans to guide your actions and note your progress. The plans are encrypted and stored on ComplyUp’s servers, which is a plus if you are working with the US government. For others, that is more of a nice-to-have feature.
How much time have you spent creating an action planning tool? And an executive reporting tool? It would be nice to have the tool built for you, allowing you to focus on completing your compliance tasks and capturing your progress. I have seen too many customers thrash about, trying to find the project plan and action points from a prior cybersecurity audit. Wouldn’t it be nice to have an always-up-to-date plan to work from?
ComplyUp is priced on a subscription basis. This makes sense if you are an organization that needs to continually demonstrate compliance to NIST 800-171. However, most of our customers would do well with a compliance audit every few years.
I will provide updates as we work with this tool. Stay tuned!
I like the CIS controls, and am aware of NIST, but I see that ComplyUp also supports CMMC compliance. While that compliance is important to the DoD, do you see growing interest in that framework?
Hi Scott, We haven’t seen specific requests for CMMC. I don’t think there is any clear leader in standards right now. Pick the one that works for you and follow that!