r/NISTControls


What Questions Do You Ask During SSP Control Interviews?

Hello all!

Recently accepted a position to write SSPs. Typically I’ve sat on the backend, listening in on the meetings where one person leads and asks the questions while I take the notes and details to write up implementation statements for each control and CE. This new position calls for me taking the lead on asking the questions and collecting the information/data to, again, write out the implementation statement write-ups.

Would any of my fellow members here have resources to share that consist of questions to ask, to make sure I’m collecting/gathering the right amount of appropriate information?

u/Unlucky_Beautiful_55 — 14 hours ago

CMMC Level 2: Is the WatchGuard Compliance Package worth it if we use PreVeil + M365 Business Premium?

We are mid-journey on our CMMC Level 2 compliance and looking for some feedback on our tooling strategy.

Our Current Stack / Scope:

  • CUI/FCI Enclave: PreVeil (storing/sharing all CUI and FCI).
  • Identity & Endpoint: M365 Business Premium (utilizing Intune and Defender for Business).
  • Network & Perimeter: WatchGuard T45 firewall with Total Security Suite, AuthPoint for MFA, and Advanced EPDR on the endpoints.

The Dilemma: We are looking at the WatchGuard Compliance Package (which includes automated NIST 800-171 control reports).

Is it actually worth paying extra for these automated compliance reports? Or should we just save the money and capitalize entirely on our Microsoft 365 Business Premium (Intune/Defender) capabilities and manually gather the firewall logs/evidence?

My gut tells me that since PreVeil is handling the CUI itself, the WatchGuard environment is essentially acting as a security domain that protects the endpoints accessing the enclave. Do automated reports from WatchGuard actually move the needle during a C3PAO assessment, or are they just expensive shelfware that duplicates what we can pull manually or through Microsoft?

Would love to hear from anyone who has gone through an assessment with a similar hybrid WatchGuard/Microsoft/PreVeil stack. Thanks!

u/OemNerd2K — 3 days ago

Validating a NIST implementation problem: translating engineering procedures into policy

I’m looking to validate a pattern I’ve seen in NIST-aligned compliance work, especially at companies under roughly $1B in revenue.

The problem is that GRC, security, and engineering often hold different parts of the same context, and the translation between them is weak.

A policy owner may need to document training, secure development practices, review cadence, control ownership, and evidence requirements. They go to engineering leadership for answers: what training is mandatory, how often it is refreshed, who owns it, and how completion is tracked.

Engineering may have real practices in place, but those practices often do not exist in the format compliance expects. A team may not have “Python training” because Python proficiency is part of hiring. Secure development may happen through code review, architecture review, internal standards, threat modeling, incident reviews, and senior engineer mentorship. Those mechanisms can be meaningful, but they are rarely written in a way that maps cleanly to NIST language or audit evidence.

The result is often generic policy: accurate enough to pass review, but too abstract to change behavior, which, in my opinion, is what NIST is all about. It creates work for GRC, creates translation burden for engineering, and produces documents that describe obvious expectations instead of real operating practices.

I’m trying to understand whether this is a common, costly problem or just something I’m seeing in a narrow slice of organizations.

For those who have worked with NIST CSF, 800-53, 800-171, SSDF, or similar frameworks: have you seen this policy-to-engineering translation gap, and does it create enough recurring pain to be worth solving?

u/itsmavow — 3 days ago

IdenTrust ECA and YubiKey

Anyone else use YubiKeys with the YubiKey driver and have trouble with ECA?

My experience: the YubiKey minidriver does not work with HID ActivClient. I need the minidriver since I have over 2 PIV certs loaded in it.

So I uninstall ActivClient, and the YubiKey works, but now I can’t use my ECA!

u/mtspsu258 — 6 days ago

Security cameras

What are the implications of implementing a surveillance system of cameras for security monitoring requirements? The cameras at some point may be able to capture CUI; does this automatically convert them into CUI assets?

u/Conscious_Art_5948 — 8 days ago