SOS GAP Assessment

NIST 800-171 cyber security compliance is required of all prime contractors and subcontractors doing business with the Federal Government's Department of Defense (DOD). The following assessment will help gauge your current standing with this requirement.

Note: CUI is short for Controlled Unclassified Information. If you're not familiar with it, CUI supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors) often process, store, or transmit CUI.

Each question below is answered with one of: Yes, No, Not Sure, Other.

Section 1: Access Control
This section will gauge the way in which individuals can view or use resources in your organization's computer network.

1. Do your company's computer systems limit their use, and access to resources such as files, email and the Internet, to authorized users only?
2. Does your company restrict access to files and resources on a per-employee basis?
3. Is the hand-off of CUI approved and logged every time?
4. Are employee duties separated (to avoid accidental security breaches)?
5. Are computer users set up with "least privilege", with only the minimum access needed to do their work?
6. Are computers set up with guest accounts that are used when performing non-security-related activities?
7. Do you have separate accounts with Administrator and non-Administrator access, and is Administrator activity logged?
8. Is there a limit on unsuccessful computer logon attempts?
9. Does your company send written and electronic privacy and security notices to staff, vendors and customers (as they apply to CUI rules)?
10. Do your computers, phones, tablets and office equipment lock their screens after a short period of inactivity?
11. Are users automatically logged out of their systems or devices after a period of time?
12. Can the activities of those working remotely be monitored and remotely controlled?
13. Are the connections made by remote workers to the office or to remote services (such as the cloud) encrypted?
14. Do remote workers connect to the office through a professionally managed device (such as a VPN server or firewall)?
15. Can remote workers only access files and perform activities permitted at their security level?
16. Are only certain employees allowed to connect to the network using the office wireless?
17. Is the office wireless protected with a password and encryption?
18. On mobile devices, are only approved apps allowed, is two-factor authentication (PIN/biometric) enabled, and can the devices be wiped remotely?
19. Have all of the company's mobile devices, including smartphones, tablets and laptops, been encrypted?
20. For "external information systems" (such as personally owned devices like phones and laptops) that are used outside of the office, is access to them controlled and monitored?
21. Is the use of external portable devices such as USB sticks and external hard drives restricted on these "external information systems"?
22. Is there a designated individual who is authorized to post information on the Internet (such as websites, forums, social media, etc.)?

Section 2: Awareness and Training
This section will gauge how well employees are formally trained on security awareness.

23. Have all employees who use computers and handle CUI been trained, and do they receive ongoing training, on the security risks associated with their activities? This includes applicable policies, standards, and procedures related to the security of the company's computers, data and private information.
24. Have staff been trained, and do they receive ongoing training, on the security-related duties and responsibilities of their role in the organization (e.g. office manager vs. office administrator)?
25. Have staff been trained, and do they receive ongoing training, on how to recognize and report potential indicators of insider threat?

Section 3: Audit and Accountability
Auditing can help prevent large-scale security incidents by making all staff members accountable for their actions.

26. Are logs from workstations, servers and network equipment retained for monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity?
27. Are there reports of employee activity on computers and mobile devices so that employees can be held accountable for their actions?
28. Does someone review logs regularly for anything unusual?
29. Is there a process for issuing a notice when any problems are found with logging?
30. Does your organization receive reports showing user activity on their computers and online?
31. Do your computers and network equipment synchronize their clocks to make sure that their time is always correct?
32. Are computer users prevented from removing or changing software that audits or protects their systems?
33. Can only certain users remove or change software that audits or protects computer systems?

Section 4: Configuration Management
This section focuses on establishing good procedures to keep your computer network secure and reliable throughout its lifetime.

34. Does your organization have and maintain documentation of your IT systems, including hardware, software, firmware, configurations, and life cycles?
35. Does your organization have and maintain documentation of the security configurations of all your IT products, such as firewalls, printers, servers, etc.?
36. Are security-relevant changes analyzed for impact before they are made?
37. Does your organization define, document, approve, and enforce physical and logical (computer) access restrictions, and update staff and documentation when these change?
38. Do staff members have only the minimal access to computers, files and network resources (such as printers, email and the Internet) required for their position?
39. Are computers and network equipment set up to disable and prevent the use of nonessential programs, functions, ports, protocols, and services?
40. Is there a policy in place that allows only approved software to be installed on computer workstations, servers and technology devices (such as tablets and smartphones)?
41. Is the installation of software on technology devices monitored and logged?

Section 5: Identification and Authentication
This section evaluates your organization's ability to correctly identify staff members on the network and securely give them access to their systems.

42. Can employees actively using company computers or mobile devices be easily identified and tracked in real time?
43. Can employees actively using company computers or mobile devices have their identity verified, ensuring that no other employee or criminal is using their login credentials?
44. Do all computers and mobile devices use multi-factor authentication (MFA), such as a password plus a text message, a fingerprint or a keycard, both for users who do and who do not work with CUI?
45. Do employees get locked out of their phone or computer if they enter an incorrect password too many times?
46. Can the same username be used again later to log into a computer (can login names be re-used)?
47. Are unused user accounts disabled regularly?
48. Are complex passwords enforced across the organization (e.g. upper-case and lower-case letters, a minimum of 7 characters, symbols, numbers, etc.)?
49. When changing a password, can users change it to a password that they used in the past?
50. Can users be issued a temporary password and, when they log in, be immediately asked to change it to a permanent one?
51. Are passwords encrypted before being transmitted across the network?
52. When passwords are entered, are only asterisks shown in the space where the password is being typed?

Section 6: Incident Response
This section gauges your organization's ability to address and manage the aftermath of a security breach or cyber attack.

53. Does your organization have a written plan that covers preparation, detection, analysis, containment and recovery, and details the employee response to a data breach or cyber incident?
54. Does your organization have a way to track, document, and report a data breach or cyber incident to company staff, vendors and government authorities?
55. Does your organization run regular drills to test its response to a data breach or cyber incident?

Section 7: Maintenance
This section evaluates your organization's maintenance procedures, as they are essential to keeping your devices running smoothly and securely.

56. Is preventative maintenance, such as software and firmware updates, performed on your computer systems?
57. Is maintenance scheduled and performed regularly?
58. Is CUI removed from computer equipment before any off-site service or maintenance is conducted?
59. Is media such as CDs, DVDs, external hard drives and flash drives checked for malicious code before being used on computer equipment?
60. Does your system require multi-factor or 2-step authentication in addition to a password (such as a fingerprint, keycard or text message) for anyone who connects to the office remotely?
61. Are technicians supervised while performing maintenance on company systems that may have access to CUI?

Section 8: Media Protection
The following questions evaluate how well your organization protects CUI from being compromised through portable storage devices.

62. Does your organization protect both digital and paper CUI by storing it securely and controlling physical access to it?
63. Does your organization limit access to digital and paper CUI to authorized users only?
64. Does your organization sanitize or destroy all computer equipment, related equipment and media containing CUI before disposal or release for reuse?
65. Is media such as CDs, DVDs, external hard drives and flash drives labeled with the necessary CUI markings and distribution limitations?
66. Is access to media (such as CDs and DVDs) that contain CUI controlled, and is there a process for accountability when it is transported outside of a controlled area?
67. When media containing CUI is transported outside of a controlled area, is it encrypted or otherwise protected by an alternative physical safeguard?
68. Is the use of removable media such as CDs, DVDs, external hard drives and flash drives restricted to only the systems which require it?
69. Is the use of portable storage devices such as external hard drives and flash drives prohibited when they have no identifiable owner?
70. Is CUI that is being backed up protected in a manner that preserves its confidentiality?

Section 9: Personnel Security
This section will gauge your organization's set of policies and procedures and evaluate the risk of insider threats exploiting legitimate access for unauthorized purposes.

71. Does your organization run criminal background checks on individuals who will have access to CUI?
72. Is there a process in place that ensures that computers, tablets and phones with access to CUI are secured after an employee leaves the company?

Section 10: Physical Protection
This section evaluates your organization's security measures and how effective they are at denying unauthorized access to facilities, equipment and resources, and at protecting personnel and property from damage or harm such as espionage, theft or terrorist attacks.

73. Is physical access to computers, equipment and any other place that might provide access to CUI restricted to authorized individuals only?
74. Is this physical space monitored and protected by security cameras and access control systems such as keypads, ID cards, electronic locks, etc.?
75. Are visitors escorted and recorded on camera while they are at the workplace?
76. Is a log, such as a sign-in sheet, kept of physical access by visitors and staff?
77. Does your organization have a safe way to protect physical access devices such as keys, locks, combinations and card readers?
78. Are there procedures and safeguards (such as camera systems, logs and physical access devices) at remote work sites?

Section 11: Risk Assessment
The following questions help to identify whether your organization is taking action to protect its reputation, assets and individuals.

79. Does your organization periodically assess its risk of an incident such as damage to reputation, assets or individuals, and the implications of a data breach?
80. Are regular vulnerability scans performed on computer systems?
81. Are the vulnerabilities found in these scans fixed quickly?

Section 12: Security Assessment
The following questions help to identify whether your organization is taking action to protect the confidentiality and integrity of your computer systems.

82. Are the security measures put in place to protect CUI reviewed periodically via a security assessment?
83. After security assessments, are plans of action with milestones assembled to correct deficiencies and vulnerabilities?
84. Are the security policies on computer systems monitored for changes to ensure they stay protected?

Section 13: System and Communications Protection
This section will gauge your organization's ability to monitor network communications, access to CUI and the security policies that have been put in place.

85. Is communication between computers in the workplace and with the outside world monitored, controlled and protected?
86. Does your organization follow best practices or industry standards for information security (i.e. architectural design, software development, systems engineering, etc.)?
87. Are regular computer users prevented from performing system management (such as installing system updates and programs)?
88. Are regular computer users blocked from transferring files to outside network sources that could be compromised (such as a personal Dropbox account or FTP site)?
89. If your organization's computer network has servers that are publicly accessible, are they configured on a separate network from internal computers?
90. When a new device such as a computer is connected to the network, is it denied access to network resources and the Internet by default (the IT department has to give it access)?
91. When users are working remotely and are securely connected to the office, are they prevented from using their local on-site network at the same time?
92. When accessing CUI from a computer or mobile device, is the communication encrypted?
93. Are computers and mobile devices logged off the network after a period of inactivity?
94. Are computers and mobile devices encrypted, and are the keys to decrypt them stored in a safe place?
95. Is CUI protected with encryption (FIPS-validated cryptography)?
96. Can collaborative computing devices such as networked whiteboards, cameras and microphones be turned on remotely?
97. When a website requests installation of software (such as ActiveX, Flash, JavaScript, etc.), is a network administrator required to approve it?
98. If your organization uses VoIP phones, is voice traffic separated, either physically or by configuration, from computer traffic?
99. If your company has a website, is it secured with an SSL or TLS certificate?
100. If CUI is copied to an off-line backup (such as an external drive or tape drive), is it encrypted?

Section 14: System and Information Integrity
These questions assess your organization's ability to detect data that has been tampered with or altered by an employee or an outside party.

101. As computer software flaws are discovered and announced by manufacturers, are systems updated and patched in a timely manner?
102. Are all computer systems (at the office or otherwise) protected by antivirus software?
103. As computer security problems are discovered and announced, are systems updated and patched in a timely manner?
104. Do all computer systems (at the office or otherwise) protected by antivirus software receive regular updates to their virus definitions?
105. Does the antivirus software scan computers regularly as well as inspect files (such as email attachments) in real time as they are downloaded?
106. Is the company's firewall monitored to detect Internet attacks?
107. Is the company's network monitored for any suspicious activity, both from inside the organization and from the outside world?