As part of your organization's NIST SP 800-171 and CMMC Level 2 compliance requirements, you must ensure that your organization secures and protects key connections and critical system points, and that it scans its systems for security vulnerabilities.
Security Assessments should not be confused with vulnerability scanning. Vulnerability scanning is an automated process that relies on specialized software, and it is only one part of the overall Security Assessment. To conduct the vulnerability scan, your organization will need to invest in either scanning software or a third party that provides the scans. The correct choice depends on the size and complexity of your organization. For instance, does your organization possess the technical expertise to select, implement, and run the scanning software, and then accurately interpret and remediate the vulnerabilities it detects? Businesses that do not possess this expertise, or for which the cost of purchasing specialized software is prohibitive, are better off partnering with a third-party expert.
The Security Assessment goes beyond the simple snapshot provided by the vulnerability scan. Experts will manually review your system's topology, architecture, software, hardware, and configurations, looking for additional vulnerabilities. This review is also the part of the process in which your organization identifies the authorized users, programs, processes, and other pieces of infrastructure that you are required to keep secure. For example, identifying the correct location for a firewall, or demonstrating that a Controlled Unclassified Information (CUI) enclave is secure, requires a Security Assessment.
By the end of the Security Assessment, you will have identified the key and critical junctures in your system that need to be protected, checked for both technical vulnerabilities and configuration errors, and assessed the security of your system architecture and configurations.
Conducting a Security Assessment is a big task and requires personnel with the appropriate expertise and experience. Assessor independence is key to an unbiased assessment. Organizations often outsource this assessment, both to maintain independence and to gain a fresh, outside perspective. Our experts at SherTech will help your organization understand both your current environment and the steps you need to take, not only to achieve compliance but also to improve your security, eliminate inefficiencies, and optimally allocate resources to provide the best, most efficient, secure system for your organization's needs.