Welcome to the SOS NIST SP 800-171 Compliance Assessment. This assessment will take about 15 to 20 minutes to complete and will help both SOS and your organization better understand existing security gaps and compliance needs relative to the NIST SP 800-171 security controls. You will receive your calculated compliance score shortly after submitting your answers. Thank you for taking the time to complete this assessment!
Approximately what is the total number of organization network users?
Do you have any employees that telework / work from home? If so, how many? (If none, select 0)
Do you have any employees that only work within government facilities? If so, how many? (If none, select 0)
Approximately how many workstations (laptops / desktops) are connected to the organization network?
Do you limit access to organization information based on employees' roles and responsibilities?
Do you employ any type of centralized user authentication system such as Active Directory or LDAP for managing network accounts and group policies?
Do you employ least privilege access for network users (i.e. limit what users can do with their accounts based on their qualifications and responsibilities)?
Where is the organizational information / data primarily stored?
Do you need any data migration from local machines to network accounts? If so, approximately how many accounts require migration? (If none, select 0)
Do you limit administrative functions to only a subset of users?
Do you limit unsuccessful log-on attempts to each workstation?
Do you enforce device session locks after a period of inactivity?
Do you implement any type of log management for monitoring system/device logs?
Do you have an isolated wireless network for guests and visitors?
Do you enforce WPA2 or Enterprise level encryption for your wireless network?
Do you allow mobile devices (smart phones and tablets) to access the network resources / corporate email?
If so, approximately what is the total number of mobile devices with the ability to access corporate resources? (If none, select 0)
Do mobile devices with access to corporate email and/or network resources have encryption enabled?
Do you enforce encryption at rest for all workstations (desktops/laptops) and servers?
What is the estimated number of workstations that are routinely removed from the organization for work-related functions? (If none, select 0)
Do you have any policies regarding the use of portable storage devices such as USB drives, CDs/DVDs, or external hard drives?
Do you provide periodic cybersecurity training for all users of organization resources?
Do you conduct periodic network security audits and address deficiencies?
Do you employ any type of replay resistant (time-stamped) two-factor authentication (2FA) for network access?
If no 2FA is used, approximately how many network users need a 2FA solution? (If none, select 0)
Do you enforce minimum password complexity requirements?
Do you enforce password expiration?
Do you have both administrative and non-administrative accounts on each workstation?
Do you follow proper marking protocol for paper and/or digital media containing CUI?
Do you have a policy for proper storage or disposal of CUI-containing media?
Do you conduct any type of employee background screening prior to granting access to sensitive organization information or CUI?
Do you employ logical access restrictions to the organization information system?
Do you employ any type of physical access restriction to the organization information system?
Do you conduct periodic network vulnerability testing?
Do you have an up-to-date inventory list of corporate devices such as workstations, servers, printers, switches, etc.?
Do you perform periodic backup of corporate information?
Are all workstations (desktops/laptops) equipped with endpoint protection?
Do you have any policies regarding escorting visitors and maintaining access logs?
Do you have any policies regarding cybersecurity incident response and management?