Plan comparison (recovered from the pricing table): Plans of Action, 1 Active Assessment; Plans of Action, 3 Active Assessments.
The DoD expects compliance with NIST 800-171 to be an ongoing process instead of a snapshot in time. Contractors are required to continually review and update control responses and refresh the System Security Plan on a regular basis.
3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
An annual subscription to ComplyUp allows you to update requirement responses and generate new System Security Plans as often as necessary.
If you expect to invite a technical coworker or consultant to collaborate with you, the Small Business Plan makes sense. You’ll each have an account and can provide control responses and evidence uploads concurrently.
If you are a larger organization that has multiple environments containing CUI, choose the Enterprise Plan.
To work out how many assessments you need, first count the sites that have IT equipment storing or processing CUI. This can include data centers, cloud environments, and offices or manufacturing sites with servers or workstations. Do not count sites with no access to CUI, such as corporate offices whose workstations only perform business or administrative work. Then work through the following questions.
1. How many sites with CUI do you have?
One Site – You only need 1 assessment.
Two or more Sites – Continue to the next question.
2. If you assessed one site, would the bulk of your responses to the requirements be the same for all other sites? In other words, are all IT system types and configurations essentially the same across all sites? Do all sites adhere to the same corporate policies regarding IT system configuration and use?
Yes – You only need 1 assessment.
No – Continue on to the next question.
3. Are the IT systems, configurations and policies different for each site?
Yes – The number of assessments you need is equal to the number of sites you have.
No – Group sites together that are built out and configured similarly, so the bulk of your responses to the requirements are the same for all sites in the group. Each of these groups of sites would require one assessment.
If you’re still unsure how many assessments you’ll need, feel free to contact us to discuss your specific situation.
While your CMP trial is active, click the “Upgrade” button at the top of the page. You will be redirected to the payment page to enter your information and payment method. Your card is charged immediately, and you will have full access to CMP.