Stop Relying on NIST 800-171 Self-Assessments: 5 Reasons They’re (Probably) Wasting Your Time
As a CMMC Registered Provider Organization (RPO) with decades of cybersecurity experience, we have conducted countless assessments for organizations to help them address their compliance obligations. We consistently notice that the vast majority of organizations that have conducted self-assessments are strikingly off the mark, leading to frustration, considerable time loss, and the unnecessary expenditure of valuable resources. While self-assessments may seem like a cost-effective way to evaluate compliance with the standard, we will discuss why they often present considerable issues that render them ineffective, and why we strongly encourage any organization seeking compliance (OSC) to work with a trusted, verifiable consultant or RPO like TSI to provide a transparent, holistic assessment and implementation plan tailored to your organization’s needs and network environment.
The 5 Reasons Self-Assessments are Time-Wasters
To help clarify the pitfalls of conducting a self-assessment vs. one conducted by a CMMC RPO, we’ve identified 5 recurring problem areas that we hope will help your organization proactively establish a solid and dependable baseline to work towards achieving compliance with NIST 800-171 and a successful CMMC outcome.
- Lack of objectivity: When organizations conduct self-assessments, the results can be biased and lack objectivity, leading to inaccurate compliance assessments. Many organizations also lack the expertise needed to accurately assess their compliance posture against the NIST 800-171 standards, resulting in inaccurate results that will ultimately lead to failure.
- Limited scope: Self-assessments often evaluate only a narrow scope of an organization’s operations, potentially overlooking important areas that are then missing from the assessment results. The technical and complex language used in the NIST 800-171 standards can also be challenging to interpret, leading to potential misinterpretation of the requirements, which in turn leads to inaccurate self-assessments.
- No external oversight or accountability: Lack of oversight can result in organizations conducting lackluster assessments that fail to adequately address identified compliance gaps. Without external perspective or expertise, it is easy to overlook seemingly straightforward yet critical control requirements that otherwise should have been considered and investigated during the assessment process.
- Lack of expertise: Many organizations may face difficulties in conducting an accurate NIST 800-171 self-assessment due to a lack of expertise. The technical and complex language used in the standards can be challenging to understand, leading to gaps in the assessment process and inaccurate results. This underscores the importance of seeking external expertise.
- Misinterpreting the requirements: The technical and complex language used in the NIST 800-171 standards can lead to potential misinterpretation of the requirements, posing a significant challenge for organizations conducting self-assessments. Misinterpreting the requirements can result in an inaccurate self-assessment, which may lead to potential compliance issues. To avoid these issues, organizations should seek external expertise to ensure a comprehensive and accurate assessment.
The Most Important Factor to Consider: The Expertise Required for a Successful Assessment
To conduct a successful assessment, a team of skilled individuals with diverse backgrounds is critically necessary. A mix of professionals with expertise in hands-on cybersecurity, IT, policy development, and documentation is crucial to cover all aspects of the assessment process.
Although it may be tempting to conduct a cost-effective self-assessment utilizing internal IT resources, relying solely on IT personnel can lead to costly oversights, especially in regards to policy and documentation development, considering that approximately 70% of a C3PAO’s CMMC assessment will be focused on those specific items. While we have found that these internal IT resources can be invaluable in assisting with an assessment, oftentimes (and through no fault of their own) these resources simply lack experience working within the NIST framework. This can lead to the misinterpretation of controls, missed opportunities for cost savings and, in worst-case scenarios, exposure of your organization to unnecessary risk under the False Claims Act (FCA) or the loss of contract opportunities moving forward. Here are a few bullet points to help clarify the potential risks associated with conducting self-assessments and to reiterate the importance of working with a reputable NIST/CMMC expert:
- 95%+ of our clients that had previously conducted a self-assessment and developed an SPRS score are on average -100 points off from the score they reported.
- Reporting a score that isn’t accurate (regardless of the reason) can expose your organization to prosecution under the FCA, which is why it’s so critically important to be accurately assessed. If you’re reporting a higher than average SPRS score (e.g. 100+), we would highly recommend that an independent third-party RPO verify your score’s accuracy. The DoD is actively auditing DIBs with remarkably above-average scores, so it’s critically important that you have the appropriate measures in place that accurately reflect your stated compliance posture.
- Accomplishing NIST 800-171 and CMMC requires the implementation of a number of cybersecurity tools, solutions and methodologies. Unfortunately, many organizations with limited internal expertise implement solutions that they mistakenly believe will help them achieve compliance. This is due in part to deceptive marketing tactics, but mostly to the organization’s lack of understanding of what the NIST/CMMC controls require and which solutions address those specific areas. It goes without saying that these mistakes are extremely costly and can inadvertently expose your organization to non-compliance.
Our cybersecurity and compliance team has decades of combined, direct experience supporting the DIB, and as a CMMC-ready organization that has undergone a C3PAO assessment, we’ve invested significantly in R&D to identify the best, most cost-effective solutions available to help defense contractors achieve compliance. We have an acute understanding of what these compliance standards entail, and we know how DoD assessors and C3PAOs think, which gives us an invaluable edge over most IT teams. We leverage our expertise to provide clear, actionable advice to our clients, ensuring that the time and money spent assessing their organization is always a dependable, solid investment.
Although self-assessments can provide organizations with an adequate picture of their current compliance with the NIST 800-171 standards, we’ve seen firsthand the limitations self-assessments present and strongly recommend that every organization seek the assistance of a CMMC Registered Provider Organization (RPO) to conduct a comprehensive assessment that accurately reflects their compliance posture. By working with a reputable RPO, organizations can ensure that their assessment is conducted with the highest level of expertise and objectivity, leading to accurate, reliable, and actionable results. At TSI, we are committed to helping these organizations achieve their compliance objectives by providing them with the expertise and resources necessary to ensure a favorable certification outcome.
Are you struggling with developing an accurate assessment, SPRS score, SSP or POAM? Contact us today and visit our NIST 800-171 service support page to learn how we help similar DIBs address these stringent requirements:
TSI is a 34-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers complete NIST 800-171 and CMMC support services to ensure its clients’ sustainable adherence to these expansive compliance requirements. Our team has decades of experience navigating the pitfalls of NIST compliance and would love to help you on your journey. For more information about TSI, please visit our site here:
Cybersecurity and Compliance Manager
Chris Riani joined TSI in 2021, and currently serves as our Cybersecurity and Compliance Manager. Chris has over a decade of experience in IT, with most of his time spent managing and protecting critical IT environments within the DoD and the private sector. A ten-year Air Force Veteran, his background includes Application Administration, Networking, and Systems Design, as well as Virtualization and Cloud Security.
Chris is a graduate of Champlain College in Vermont, where he studied a wide variety of technology- and security-focused topics. He holds numerous IT and security certifications, such as CompTIA’s CASP+, and is also a CISSP. It comes as no surprise that Chris’s true passion is bridging the gap between operational IT requirements and information security.
Outside of work, Chris enjoys coaching soccer, spending time with his family, and playing the guitar.