
Assessment


Get comfy. You’ll be here for a while.

The Assessment View provides the full list of NIST 800-171 controls, broken up by control family. These controls follow the format 3.X.Y. In this format, 3 corresponds to the section of NIST 800-171 where controls are defined, X corresponds to the control family, and Y corresponds to the control number.

This view shows the status of each control (e.g. Passed, In Progress) and a circle indicating whether the control is completed.

Clicking on the status of a control drops you into the Control View.

The content of the Control View changes for each control. The top of the Control View displays the control requirements.

You have the option of hiding completed controls in the Assessment View. This provides a more unobstructed view of the controls remaining to be addressed.


Control Completion

The Control Completion section describes the activities remaining for the current control. Once all activities have been performed, the control changes to Complete. After all controls have progressed to Complete, the entire Assessment will progress to Complete.

Control Status

After reviewing the control, you’ll need to determine if your environment satisfies the requirements. A typical workflow would involve changing the status to In Progress after initial review, and finally to Implemented, Not Implemented, or Not Applicable (previously “Passed”, “Failed”, or “Inherited”) after the environment has been reviewed to determine if the control requirements are met. The status can be changed by clicking the gear icon in the Control Status section.

Assessment Results

After reviewing your environment against the control, you will need to fully document your findings by describing how you meet (or don’t meet) the requirements. The Assessment Results field is arguably the most essential part of the assessment. The information you include here will demonstrate your understanding of the requirements and your description of how the environment complies with the control. Don’t be afraid to go overboard. Assume a contracting officer will read each control result, and write as much as you think is required to convince the reviewer of your compliance. If the control is Not Applicable, describe why in detail.

The internal notes field is available only within CMP and will not appear on any documentation.

Evidence

Trust but verify… You’re going to want to attach some form of evidence backing up your results. Having evidence for each control will boost your credibility if your documentation is scrutinized. Ensuring evidence is associated with the specific control it supports will save you considerable time if you’re asked to retrieve proof of your results in the future. The filename of your evidence is included with each control in the System Security Policy.

To add evidence to a control, click the plus icon in the Evidence section of the Control View. The Add Evidence window will appear, allowing you to drag and drop documents and images.

All evidence associated with a control will be listed in the Evidence section. Click the Menu icon next to the evidence name to access several options, including View, Download, Disassociate and Delete. Disassociate removes the evidence from one control, while Delete disassociates the evidence from all controls and subsequently deletes the file from the assessment completely.

Not sure what to use for evidence? Not to worry. CMP provides recommendations for each control. Sometimes a screenshot of a configuration setting is all you need. Other times, a company policy outlining expectations or rules is more appropriate. Look to the Evidence Recommendations section as a starting point.

If your organization doesn’t have a formal policy drafted already, you can create one in seconds by clicking the clipboard icon next to the recommended policy. This will take you to the Policy Generator page. More on that later.

Assessment Guidance

CMP provides guidance and explanations for each control. The ComplyUp Comments section is a plain-language interpretation of the control requirements and offers straightforward advice on how best to handle each control.

Each control also provides “Questions for Consideration”. Asking yourself these questions helps you quickly get a sense of where you stand with each requirement. Including a response to each question in the Assessment Results will strengthen your case if you believe you meet the requirement.

The next dialog box contains “Additional Information”. This information is provided by NIST to help you better understand the details of the requirement.

The “NIST 800-171A Notes” section contains information regarding NIST SP 800-171A: “Assessing Security Requirements for Controlled Unclassified Information”. 800-171A is a companion document published by NIST to provide assessors with a methodology for performing an assessment. To view the items listed, simply click the magnifying glass to the right of each item.

Each NIST 800-171 control can trace its roots to one or more FISMA controls. Although you don’t need to comply with the FISMA controls, they may give you a better understanding of the control you’re assessing. You can view the details of the related FISMA controls by clicking the icon next to the control in the Related FISMA Controls section.

Assign Personnel to Controls, POA&Ms, etc.

Please visit the Environment page to learn more.