rhall
Newcomer I

NIST 800-171, DFARS and CMMC - recommended tools

I'll be honest, it's getting ridiculous for me how many different compliance requirements are now affecting the company I work for. Don't get me wrong, I'm all for good security controls and compliance, but the issue I'm finding is that almost every different customer has their own cyber security control set we have to show compliance with. Now with the added CMMC requirements coming my way, it's becoming unmanageable the spreadsheet and Word document way, but as a small business I don't have a huge budget at my disposal for spending on software tools to help with time-saving efficiencies.

 

Are any of you able to recommend a reasonable product that could be used for NIST 800-171 and CMMC pre-assessment preparation - risk assessments, controls gap analysis, preparing SSPs, POAMs, self-assessment and recording evidence, scoring based on risk weightings etc.? So far all the products I've researched are after an exorbitant amount of money. CMMC as a buzzword seems to have joined a list of other terms like 'Risk' where vendors immediately add zeros to the end of the price, pricing based on the risk reduction rather than the value added and time saved compared to using conventional desktop office applications.

 

I'm looking forward to and interested to hear your thoughts on what solutions you use and what works well for you with regard to managing your cyber GRC.

3 Replies
tmekelburg1
Community Champion

I recently watched a webinar from KnowBe4 on their GRC platform and was impressed with how customizable I could get with it. As we mature in GRC, Word and Excel docs just don't cut it anymore. Their Phishing Platform is reasonably priced, so I'd imagine this one is as well.

 

https://kcmgrc.knowbe4.com/

 

 

rhall
Newcomer I

Thank you for the tip, I hadn't seen this product before.

 

Unfortunately, having checked their pricing, this is prohibitively expensive, similar to some of the other solutions I've found - it works out approx. $10,000 per year even though I only need one user/seat (for me).

sventester
Newcomer II

I went through the same pain and ended up making my own system that I'm actively using for risk assessments and controls gap assessments (for myself and other clients).

 

Could you state your main pain points? I might be able to help you automate some of it.