I work for a large US public university which is also an R1 research institution. We recently completed an RFP for a SAM tool and selected a vendor. However, our IT security office performed a review and informed us that the vendor was not NIST 800-171 compliant to their satisfaction. Their review was quite thorough. In their denial, they indicated “we recommend pursuing a product compliant with NIST 800-171 that will not pose a heightened risk to our organization”.
Are you aware of any SAM products that are NIST 800-171 certified or have passed your organization’s security review that includes a review of NIST 800-171 compliance?
I have reviewed marketing material for several SAM products, and some claim to be compliant with NIST standards, but I cannot find any that state they are “certified” (I think maybe NIST 800-171 relies on self-certification), and they don’t necessarily cite 800-171 compliance. And while some products may ultimately be found that would satisfy our security office for NIST 800-171 compliance, it would take an exhaustive review of each one and require the vendor’s cooperation, and we do not have the capacity to do that.