What Documentation Should You Have for NIST SP 800-171?

A cybersecurity program isn’t really a formal program until it is documented.

A cybersecurity program isn’t a real cybersecurity program until it has documentation in place that records its policies, plans, and procedures. With the announcement of CMMC 2.0, maturity levels and processes are gone; however, this doesn’t mean you shouldn’t have any documentation in place. The documentation listed below will support your implementation of the NIST SP 800-171 security requirements.

Documentation You Should Have:

  • System Security Plan
  • Plan of action and milestones
  • Hardware Inventory
  • Software Inventory
  • Information Security Policy
  • IT Acceptable Use Policy
  • Configuration Management Plan
  • Information System Contingency Plan
  • Business Impact Analysis
  • Incident Response Plan
  • Physical/Environmental Protection Plan
  • Security/Risk Assessment Plan
  • CUI Handling Procedures
  • IT Standard Operating Procedures
  • Access Control Matrix or similar

Other Documentation Considerations

The items listed above are policy, planning, and procedure documents; you still need a method of documenting the everyday actions that involve the use of your information system. By this we mean documenting incidents in incident reports, documenting the destruction of hard drives and other media in a certificate of sanitization, documenting changes to the information system in a change request form, and documenting visitor access to your facility. Other items should also be documented, such as the creation of user accounts, the onboarding of new employees, and vulnerability scans. An IT ticketing system or similar tool is a good way to record these.

Where Can I Get These Templates?

Subscribers to Lake Ridge’s Compliance Accelerator app have the ability to download the documentation templates mentioned above at no additional cost to the subscription.