An Analyst Perspective: Sera-Brynn’s Report on NIST 800-171. Is Compliance Achievable?

Sera-Brynn’s report, “Reality Check: Defense Industry’s Implementation of NIST SP 800-171. Keen insights from certified cybersecurity assessors,” was published in May 2019. If you didn’t have time to read it, it tells the story of an industry struggling to fully comply with the controls of NIST 800-171, which are required to protect sensitive Government data.

As featured in Inside Defense, the report shows:

“Defense Department contractors are struggling to meet the standards for protecting sensitive DOD information on their networks, as most companies fail to use key controls like multifactor authentication and incident response tests, according to a new report from cybersecurity auditing firm Sera-Brynn.”

One key finding from the report: We found that our data subjects, on average, had fully implemented only about 40% of the required NIST 800-171 controls.

This gives rise to some important questions about NIST 800-171 compliance. Is it doable? Is it possible?

Should we just throw our hands up and say meeting all the requirements is too hard?

Our analysts say NO.

To improve your compliance posture, use an assessment to create a point-in-time look at how the security controls are implemented, as well as how risk determinations were made. The assessment should start with a risk assessment and include vulnerability scans. If you have not done a risk assessment, we’ll perform one with you. If you don’t perform regular scans on your systems, we’ll run those. We perform the “good kind” of assessments – not the “check-the-box” kind.

These assessments serve as a jumping-off point for getting compliant. Once you understand where you are, our analysts will help you develop a way forward. We work with the organization to develop a detailed and tailor-made roadmap to compliance. In fact, this plan of action is one of the “big lifts” of the process. Why? Because clients and IT environments are unique. What works for Company A may work for Company B, but it might not. We take time to recommend solutions we know work and will work best for your environment. We know that if a company tries to implement cookie-cutter solutions to satisfy NIST controls, it could turn into a dumpster fire. And we don’t want that.

As one of our analysts put it, “We want to help companies move past SNAFU.”

Is compliance possible?

Our analysts say YES.

Many clients request that we re-assess them after they take time to implement the recommended solutions. Typically, this raised the average number of controls implemented from 40% to nearly 90%.

Generally, after re-assessments, only a small subset (2-5) of controls were not implemented. Many of our small business clients went from 5-10% implemented to 100% implemented — over the course of one year. Often, small businesses moved towards compliance faster. Larger organizations often struggled to fully implement all 110 controls in a short period of time due to the complexity of their environment.

In all cases, implementing NIST SP 800-171 requires time, deliberate decision-making, and resourcing solutions. It’s not easy, but it’s achievable.

About Sera-Brynn Analysts

Sera-Brynn’s expert and certified assessors and cyber engineers have experience operating in every type and level of environment — from micro to large businesses and non-profits, to higher education institutions, to agencies of the U.S. federal government. The NIST 800-171 assessment methodology we use is detailed in our report. It involves using all available guidance and resources to develop a plan of action to implement security controls in a way that’s the …

• Least painful
• Least expensive
• Most secure.

And if there was such a thing as “most compliant,” that would be on the list too.

Contact Sera-Brynn at or info@sera-brynn for more information.