Discover Your Cybersecurity Compliance Readiness

This pre-assessment questionnaire is designed to help you gauge how ready your security program is for compliance with the NIST 800-171 requirements.

What to Expect: Answer a series of targeted questions to evaluate your cybersecurity practices against NIST 800-171 requirements.

Complimentary Consultation: Once you've completed the pre-assessment, schedule a call with our experts to discuss your results and explore actionable steps to enhance your compliance posture.

NIST 800-171 PRE-ASSESSMENT QUIZ

Government Contract Clauses for Cybersecurity

1. Have you implemented a security program that aligns with and fulfills all the cybersecurity responsibilities outlined in your DD254 and/or the Statement of Work section of your government contract?

Security Policies

2. Do you have comprehensive cybersecurity policies in place, and do you regularly review and update these policies to ensure they align with business practices, address emerging threats, and adhere to regulatory mandates?

Data Classification

3. Have you established a systematic process to identify, classify, mark, and track government-sensitive data within your organization?

Data Flow

4. Have you identified the systems in your environment (aka "Inventory Management") that handle government-sensitive data, including those involved in its storage, transmission, and processing (including Cloud Service Providers and Managed Service Providers)?

Access Control

5. Do you have a process to approve access to systems and data containing government-sensitive data, so that access is restricted to authorized personnel?

6. Is there a regular review of user access privileges?

Awareness and Training

7. Have you implemented training programs to enhance the awareness and skills of personnel responsible for safeguarding government-sensitive data?

8. Have you established a regular frequency for conducting security awareness training and security role-specific training within your organization?

Audit and Accountability

9. Are you actively monitoring the systems that handle sensitive data for events that could signal a compromise or abnormal activity?

10. Have you instituted a process to investigate alerts generated by potential malicious events?

11. Are incidents promptly identified, analyzed, and reported?

12. Do you have systems in place for continuous monitoring of your network and information systems?

Configuration Management

13. Do you manage configurations for IT systems (such as standard and secure baselines, software whitelist/blacklist & ports/protocols/services) to ensure standardized and measurable performance?

14. Have you set up a procedure to monitor, assess, and approve modifications to systems involved in handling government-sensitive data?

15. Have you defined a regular frequency for monitoring and auditing these changes?

Identification and Authentication

16. Have you implemented measures to confirm and approve the identities of individuals accessing systems containing government-sensitive data?

17. Is multi-factor authentication (MFA) implemented for access to sensitive systems and data?

Incident Response

18. Do you have a well-defined incident response plan outlining procedures for responding to cybersecurity breaches?

19. Do you regularly test your incident response procedures, and do you integrate improvements based on the outcomes of these testing exercises?

Maintenance

20. Do you have processes in place to ensure regular maintenance of IT systems, addressing and patching security vulnerabilities?

21. Do you have mechanisms in place to monitor and maintain IT systems to ensure continuous functionality?

Media Protection

22. Do you have policies and procedures governing the handling, storage, and transportation of physical media containing government-sensitive data?

23. Do you implement encryption of physical media to protect government-sensitive data?

Personnel Security

24. Have you implemented measures to vet, authorize, and approve employees, contractors, and vendors with access to government-sensitive data?

25. Have you established a frequency for reviewing and updating personnel access, ensuring that it aligns with the necessary security measures?

Physical Protection

26. Do you have protections in place for portable workstations, laptops, mobile devices, servers, and data storage areas to prevent theft or damage?

Risk Assessment

27. Do you frequently conduct risk assessments to evaluate potential risks to personnel, systems, and information?

28. Do you review controls for adequacy?

29. Do you record risk assessment results and the subsequent actions taken based on their findings?

Security Assessment

30. Do you conduct security assessments, encompassing both logical and physical security control measures, to verify their alignment with objectives?

31. Do you have processes in place to refine and update security control measures based on the outcomes of security assessments?

System and Communications Protection

32. Have you implemented network security measures to protect against unauthorized access and cyber threats?

33. Have you incorporated encryption to safeguard Controlled Unclassified Information (CUI) during transmission and storage?

34. Do you have protocols for securely managing encryption keys?

35. Have you verified that the encryption modules used for the transmission and storage of sensitive data are FIPS 140-2 validated?

36. Have you implemented essential technical controls, such as firewalls, antivirus, and intrusion detection systems?

37. Are these controls regularly updated and monitored for effectiveness?

System and Information Integrity

38. Have you instituted mechanisms to guarantee the integrity of systems and the data they process, preventing both malicious and accidental alterations?

39. Do you have procedures in place for monitoring and maintaining the integrity of information systems and the data they handle?

Vendor Management

40. Do you evaluate and ensure that third-party vendors handling government-sensitive data meet security requirements?

Compliance Records

41. Do you maintain detailed records demonstrating compliance with cybersecurity regulations (such as System Security Plan, Diagrams, Training Records, other evidence artifacts)?

42. Can you readily produce documentation for audits or regulatory reviews?