How to Use CMP – Quick Overview

There is only one reason to use CMP: to prove you’re compliant with NIST 800-171.
At a high level, these are the steps you’ll need to take.

  1. Identify and describe the environment where CUI will be stored or processed.
    1. Organization Name
    2. Environment Name
    3. Environment Description
    4. Environment Contacts
    5. Operational Status
    6. System Boundary
    7. Interconnections
  2. Assess the environment against the 110 NIST 800-171 controls.
    1. Understand the control requirements, and determine if the environment satisfies the requirements.
    2. Assign a control status for each control: Passed, Failed, Not Applicable, Inherited.
      1. Passed – The requirements are clearly satisfied in your environment.
      2. Failed – Your environment is unable to meet some part of the requirements.
      3. Not Applicable – The control clearly does not apply to your environment (e.g. a wireless network control does not apply to your environment if you do not use wireless networking).
      4. Inherited – You are a customer of another organization that must comply with this control (e.g. you inherit the physical access controls of Amazon if all of your servers are hosted in AWS).
    3. Document your rationale for assigning a status for each control. If your environment passes a control, describe exactly why. If a control is not applicable, explain in detail and leave no room for questions.
    4. Upload evidence for all non-failed controls. This evidence might be a screenshot of a technical configuration proving you pass a control. It may be an organizational policy document, or a photo of a locked server cabinet. Make sure the evidence supports the claims you’ve made.
  3. Create Plans of Action (Remediations) for all failed controls.
    1. You can still maintain NIST 800-171 compliance with failed controls, as long as you’ve documented your intentions to correct any deficiencies.
    2. Describe the deficiency and the action you will take to comply with the failed control.
  4. Document all your results in a System Security Plan.
    1. Attest to the accuracy of the assessment by certifying the results.
    2. Generate a new System Security Plan at the completion of the assessment and any time changes are made.