Get comfy. You’ll be here for a while.
The Assessment View provides the full list of NIST 800-171 controls, broken up by control family. These controls follow the format 3.X.Y. In this format, 3 corresponds to the section of NIST 800-171 where the controls are defined, X corresponds to the control family, and Y corresponds to the control number.
This view shows the status of each control (e.g. Passed, In Progress) and a circle indicating whether the control is completed.
Clicking on the status of a control drops you into the Control View.
The content of the Control View changes for each control. The top of the Control View displays the control requirements.
You have the option of hiding completed controls in the Assessment View. This gives you a clearer view of the controls remaining to be addressed.
The control completion section describes the activities remaining for the current control. Once all activities have been performed, the control changes to Complete. After all controls are progressed to Complete, the entire Assessment will progress to Complete.
After reviewing the control, you’ll need to determine if your environment satisfies the requirements. A typical workflow would involve changing the status to In Progress after initial review, and finally to Implemented, Not Implemented, or Not Applicable (Previously “Passed”, “Failed”, or “Inherited”) after the environment has been reviewed to determine if the control requirements are met. The status can be changed by clicking the gear icon in the Control Status section.
After reviewing your environment against the control, you will need to fully document your findings by describing how you meet (or don’t meet) the requirements. The Assessment Results field is arguably the most essential part of the assessment. The information you include here will demonstrate your understanding of the requirements and describe how the environment complies with the control. Don’t be afraid to go overboard. Assume a contracting officer will read each control result, and write as much as you think is required to convince the reviewer of your compliance. If the control is Not Applicable, describe why in detail.
The internal notes field is available only within CMP and will not appear on any documentation.
Trust but verify… You’re going to want to attach some form of evidence backing up your results. Having evidence for each control will boost your credibility if your documentation is scrutinized. Ensuring evidence is associated with the specific control it supports will save you considerable time if you’re asked to retrieve proof of your results in the future. The filename of your evidence is included with each control in the System Security Policy.
To add evidence to a control, click the plus icon in the Evidence section of the Control View. The Add Evidence window will appear, allowing you to drag and drop documents and images.
All evidence associated with a control will be listed in the Evidence section. Click the Menu icon next to the evidence name to access several options including View, Download, Disassociate and Delete. Disassociation removes the evidence from one control, while Delete disassociates the evidence from all controls and subsequently deletes the file from the assessment completely.
Not sure what to use for evidence? Not to worry. CMP provides recommendations for each control. Sometimes a screenshot of a configuration setting is all you need. Other times, a company policy outlining expectations or rules is more appropriate. Look to the Evidence Recommendations section as a starting point.
If your organization doesn’t have a formal policy drafted already, you can create one in seconds by clicking the clipboard icon next to the recommended policy. This will take you to the Policy Generator page. More on that later.
CMP provides guidance and explanations for each control. The ComplyUp Comments section is a plain-language interpretation of the control requirements and offers straightforward advice on how best to handle each control.
Each control also provides “Questions for Consideration”. Asking yourself these questions helps you quickly get a sense of where you stand with each requirement. Including a response to each question in the Assessment Results will strengthen your case if you believe you meet the requirement.
The next dialog box contains “Additional Information”. This information is provided by NIST to help you better understand the details of the requirement.
The “NIST 800-171A Notes” section contains information regarding NIST SP 800-171A: “Assessing Security Requirements for Controlled Unclassified Information”. 800-171A is a companion document published by NIST to provide assessors with a methodology for performing an assessment. To view the items listed, simply click the magnifying glass to the right of each item.
Each NIST 800-171 control can trace its roots to one or more FISMA controls. Although you don’t need to comply with the FISMA controls, they may give you a better understanding of the control you’re assessing. You can view the details of the related FISMA controls by clicking the icon next to the control in the Related FISMA Controls section.