Looking for some advice!
We are bidding on a contract with a gov agency that's asking for NIST 800-53 low qualifications. Going through the document, I can say that with my little IT group of 3 people I am probably mostly following the guide, mainly because I came from a company that followed these rules (before they even existed). But there is so much *documentation*, *auditing* and *tracking* required that, simply put, a small company just does not have the manpower to manage it. While I know that once a quarter I myself take care of just about everything they list. So where does one start to be able to say "Ya, I'm 100% NIST 800 low"? Does one hire a consultant to audit or send their people out for long training classes? After that, how does a small company deal with all of the new "paperwork"?
For example, I don't have lists of "access" to my VDI systems; however, I sure as heck have an AD security group that restricts its use to the number of licenses I have.
etc., etc., etc.