SECURITY AND RISK ASSESSMENT


A number of different IT, cross-border, and cybersecurity scenarios can shape a client's requirements. In most situations where compliance is explicitly required for the client's industry or sector, there are several different levels of compliance for different types of corporate customers. We generally start by asking a potential client the following questions to narrow down which NIST security requirements apply:

  1. Regulatory and Compliance Context
  • Are you subject to any specific regulatory requirements, such as FDA regulations, HIPAA, GDPR, or CCPA?
  • Do you work with federal agencies or handle Controlled Unclassified Information (CUI) that would require compliance with NIST SP 800-171 or FISMA (Federal Information Security Management Act)?
  • Are you a Department of Defense (DoD) contractor or subcontractor, potentially requiring CMMC certification?
  • Do you manufacture or distribute medical devices? If so, do you comply with FDA cybersecurity guidelines (e.g., 21 CFR Part 11)?
  2. Data Sensitivity and Handling
  • What types of sensitive data do you handle (e.g., patient health data, intellectual property, clinical trial data)?
  • Do you manage any data that is classified as CUI, such as research funded by government grants or sensitive supply chain information?
  • How is sensitive data stored, processed, and transmitted within your organization?
  3. IT and Security Environment
  • What is the size and scope of your IT infrastructure, including on-premises systems, cloud platforms, and hybrid environments?
  • Do you use third-party vendors or contractors for critical services, such as cloud storage, data analytics, or manufacturing processes?
  • What security controls are currently in place, and have they been aligned with any frameworks like ISO 27001, NIST CSF, or CIS benchmarks?
  4. Risk Management Practices
  • Do you have an existing risk management framework in place, and if so, which one (e.g., NIST RMF, ISO 31000)?
  • Have you previously conducted risk assessments or vulnerability assessments? If yes, what were the key findings or identified gaps?
  • What is your organization's risk tolerance level for cybersecurity threats?
  5. Incident Response and Recovery
  • Do you have an incident response plan, and is it aligned with NIST SP 800-61 or a similar standard?
  • Have you experienced any cybersecurity incidents or breaches in the past? If so, how were they managed and resolved?
  6. Supply Chain and Vendor Security
  • Do you require your suppliers and vendors to meet specific cybersecurity standards (e.g., NIST SP 800-161 for supply chain risk management)?
  • How do you assess and monitor the cybersecurity practices of your supply chain partners?
  7. Business and Operational Context
  • What are your primary business operations, and how are they supported by IT systems?
  • Do you operate internationally, and if so, how do you manage cross-border data security and privacy requirements?
  • Are you planning any major changes, such as adopting new technologies, mergers, or expansions, that could affect your security posture?
  8. Organizational Awareness and Resources
  • How familiar is your organization with NIST frameworks (e.g., NIST CSF, SP 800-53, SP 800-171)?
  • Do you have an in-house cybersecurity team, or do you rely on third-party consultants or managed service providers?
  • What is your budget and timeline for implementing a security risk management and assessment program?

Scheduling a consultation and coming prepared to answer some or all of these questions puts clients in a strong, stakeholder-inclusive starting position. While Sonar Cyber Security can determine all of these answers itself, it is vital that the client's stakeholders take an active role throughout the process, and that Sonar has the client's support, in order to implement and safeguard cybersecurity properly into the future.
