NIST 800-171/CMMC Gap Assessment and Policy Development
Totem Technologies will conduct a Security Assessment, or “Gap Analysis,” of your organization’s cybersecurity program against control sets such as NIST SP 800-171 and CMMC.
We’ll help you develop custom policies, personalized strategies, and a game plan that fits your small-to-medium-sized business needs.
What to Expect During the Assessment:
✔ The Security Assessment will take approximately 50 hours; this can be increased or decreased as needed. We understand that 50 hours is a lot of time to dedicate to an engagement like this, so we spread the assessment over several weeks.
✔ Prior to the engagement, Totem will provide a security assessment preparation checklist as well as a spreadsheet listing the NIST SP 800-171 / CMMC controls as a “read-ahead” to familiarize your organization with the controls and requirements for compelling evidence.
✔ A cybersecurity engineer from Totem’s Cybersecurity Assessment Team will work with your staff members to review the information systems, policies, processes, and procedures that relate to your organization’s processing of Federal Government information.
✔ Totem manages the assessment in our proprietary Totem™ Cybersecurity Compliance Management tool.
What Your Organization Will Receive After the Assessment:
At the conclusion of Totem’s security assessment, your organization will receive the following deliverables:
- System Security Plan (SSP) – an “artifact” required by the NIST SP 800-171 / Cybersecurity Maturity Model Certification (CMMC) controls. The SSP is the “blueprints” for your compliant cybersecurity program.
- Security Assessment Report (SAR) in the Totem™ tool that details the current cybersecurity program’s strengths and weaknesses.
- Plan of Action and Milestones (POA&M) that contains the corrective action plans for your organization’s cybersecurity program. The POA&M is essentially the “cybersecurity get well plan”.
- Various security policies and artifacts, such as employee acceptable use policy statements, incident response plan, risk assessment, etc., to act as “compelling evidence” of the cybersecurity program implementation.
- SPRS score for your organization, generated in the Totem™ tool in accordance with the NIST SP 800-171 DoD Assessment Methodology.
For an overview of the NIST SP 800-171 DoD Assessment Methodology, check out this blog.
Not Sure Where to Start?
Try our Totem Top 10™ Gap Assessment
If you feel like your organization should be “doing cybersecurity”, but you’re not sure where to start, we also offer an abbreviated gap assessment against our Totem Top 10™. The Totem Top 10™ are our recommendations for how any organization of any size in any industry should kick off a program to protect its IT assets.
Here’s what Totem customers have to say: