What Documentation Should You Have for NIST SP 800-171?
By: Omer Kaan Aslim
November 15, 2021
A cybersecurity program isn’t really a formal program until it is documented.
A cybersecurity program isn’t a real cybersecurity program until it has documentation in place that records its policies, plans, and procedures. With the announcement of CMMC 2.0, the maturity levels and process requirements are gone; however, this doesn't mean that you shouldn’t have any documentation in place. The documentation listed below will help support your implementation of the NIST SP 800-171 security requirements.
Documentation You Should Have:
- System Security Plan
- Plan of Action and Milestones
- Hardware Inventory
- Software Inventory
- Information Security Policy
- IT Acceptable Use Policy
- Configuration Management Plan
- Information System Contingency Plan
- Business Impact Analysis
- Incident Response Plan
- Physical/Environmental Protection Plan
- Security/Risk Assessment Plan
- CUI Handling Procedures
- IT Standard Operating Procedures
- Access Control Matrix or similar
Other Documentation Considerations
The above-mentioned items are policy, planning, and procedure documents; however, you still need a method of documenting the everyday actions that involve the use of your information system. By this we mean documenting incidents in incident reports, documenting the destruction of hard drives and other media in a certificate of sanitization, documenting changes to the information system in a change request form, and documenting visitor access to your facility. Other items that should also be documented include the creation of user accounts, the onboarding of new employees, and vulnerability scans. Using an IT ticketing system or a similar tool is a good way to document these.
Where Can I Get These Templates?
Subscribers to Cub Cyber’s Compliance Accelerator app can download the documentation templates mentioned above at no additional cost beyond the subscription.