September 13, 2022
NIST 800-171 Basic Assessment – Complete Guide
Table of Contents
- What does NIST 800-171 cover?
- What is the NIST 800-171 Basic Assessment?
- Do I need to conduct a NIST 800-171 Basic Assessment?
- What is the NIST 800-171 DoD Assessment Methodology?
- What is the Supplier Performance Risk System (SPRS)?
- How does the NIST 800-171 Basic Assessment relate to the CMMC?
- What steps can I take to conduct a NIST 800-171 Basic Assessment?
- How does SaltyCloud help with CMMC?
Central to the Cybersecurity Maturity Model Certification (CMMC) is NIST 800-171. The NIST 800-171 Basic Assessment is a low-confidence self-assessment conducted following the NIST 800-171 DoD Assessment Methodology. As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Basic Assessment and submit their score to the Supplier Performance Risk System (SPRS). While it is a requirement, the NIST 800-171 Basic Assessment also serves as a North Star for contractors looking to be certified, helping them identify gaps and plan for remediation. This comprehensive guide covers everything you need to know about NIST 800-171, the NIST 800-171 Basic Assessment, the NIST 800-171 DoD Assessment Methodology, and the steps you can take to build a scalable, evidence-driven compliance process to prepare for certification.
NIST 800-171 covers recommended security requirements (also known as security practices or controls) for protecting the confidentiality of Controlled Unclassified Information (CUI) when it is handled outside federal systems, in nonfederal information systems and organizations. NIST 800-171 comprises 110 security practices grouped into 14 control families.
NIST 800-171 Control Families
| Control family | Key question |
| --- | --- |
| Access Control | Who has access to CUI, and are they supposed to have access? |
| Awareness and Training | Are employees who handle CUI adequately trained to treat CUI? |
| Audit and Accountability | Are records kept of who is accessing CUI, and can violators be tracked? |
| Configuration Management | How are networks and safety protocols built and documented? |
| Identification and Authentication | What users have access to CUI, and is their access managed? |
| Incident Response | What is the process in the event of a data breach, and how are appropriate parties notified? |
| Maintenance | What timeline exists for maintenance, and who is responsible? |
| Media Protection | How are digital and physical records safely stored and destroyed? |
| Personnel Security | How are employees screened before gaining access to CUI? |
| Physical and Environmental Protection | Where do you physically house CUI, and is access monitored and restricted? |
| Risk Assessment | Are risks periodically assessed, and are remediation plans created and enforced? |
| Security Assessment | Are security controls regularly assessed for effectiveness, and are remediation plans created and enforced? |
| System and Communications Protection | Is information regularly monitored and physically and logically separated from other internal networks? |
| System and Information Integrity | How quickly are possible threats detected, identified, and remediated? |
The NIST 800-171 Basic Assessment is a self-assessment of NIST 800-171. It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and conducted per the NIST 800-171 DoD Assessment Methodology, “Assessing Security Requirements for Controlled Unclassified Information.” The NIST 800-171 Basic Assessment score results in a “Low” confidence level because it is a self-generated score. Assessments performed by DoD-designated third parties result in higher confidence levels.
Yes, if you are part of the Defense Industrial Base (DIB). Per the DFARS Interim Rule, as of November 30, 2020, the DoD includes two new DFARS clauses in DoD contracts, which require that contractors perform the NIST 800-171 Basic Assessment and submit a score to the Supplier Performance Risk System (SPRS), among other documents, as a condition for contract award. The DoD will ask some contractors to undergo a NIST 800-171 Medium Assessment or High Assessment, conducted by DoD personnel trained following DoD policy and procedures. The DoD conducts these assessments in person or virtually to assess whether a contractor has actually implemented the controls.
The NIST 800-171 DoD Assessment Methodology is a scoring system that allows the DoD to strategically assess a contractor’s implementation of NIST 800-171. The methodology is used for assessment purposes only and does not add any additional controls.
You score a NIST 800-171 Basic Assessment on a 110-point scale. Each of the 110 security practices in NIST 800-171 is assigned a “weighted subtractor” value: some practices are worth 5 points, some 3, and some 1. A perfect score of 110 means every practice is implemented. For a practice you have not implemented, or have only partially implemented, the weighted value is subtracted from your score (in a few cases only a fraction of it), so a negative score is possible. The DFARS Interim Rule does not require contractors to achieve a specific score; it only requires them to provide one. However, it is unclear if and how acquisition officers might use the scores in best-value determinations for contract awards, and whether that will change once the CMMC final rulemaking is complete.
| Implementation status | Required documentation |
| --- | --- |
| Yes | Include a statement in the Security Assessment Report (SAR) and SSP explaining how the information system implements the requirement. |
| No | Include a statement in the SAR that explains why the security requirement is not met. Include a statement in the Plan of Action & Milestones (POA&M) that fully describes how the control will be met, how planned improvements will be implemented, and when the improvements will occur. |
| Partially | Include a statement in the SAR that explains why the security requirement is only partially met. Also include a statement in the POA&M that fully describes how the control will be met, how planned improvements will be implemented, and when the improvements will occur. |
| Does Not Apply | Include a statement in the SAR that explains why the security requirement does not apply to your operational environment. |
| Alternative Approach | Include a statement in the SAR and the SSP that fully describes the alternative approach, how it is equally effective, and how the information system implements the requirement. |
The SPRS is a portal and database that houses supplier and product performance information (PI) assessments so the DoD acquisition community can identify, assess, and monitor unclassified performance. More specifically, it is where contractors submit their NIST 800-171 Basic Assessment scores and other documentation related to their contracts. Contractors can update their scores as they improve over time.
Conducting a NIST 800-171 Basic Assessment is an interim requirement during the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC). However, conducting a NIST 800-171 Basic Assessment will continue to be a requirement for CMMC Level 1 and CMMC Level 2 certifications once rulemaking is finalized. And to be certified at CMMC Level 2 and CMMC Level 3, contractors must meet all 110 security practices outlined in NIST 800-171. While conducting a NIST 800-171 Basic Assessment is a requirement, it is also a tool to help contractors identify gaps and prepare for certification.
Conducting a NIST 800-171 Basic Assessment can be challenging, depending on your environment’s complexity. Your goal should be to establish a scalable and evidence-driven assessment process within your organization. Doing so will help you get one step closer to certification and be prepared as the requirements evolve.
Read the official publications
If you haven’t already, read through the official NIST Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which presents all 110 security practices. Additionally, you should read through NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” which provides “assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements.” For contractors who don’t have the technical expertise in-house, it is recommended that you work with a Registered Provider Organization (RPO) to help you through this process.
Identify the right people
Identifying and working with the right people across your organization will be critical when conducting a NIST 800-171 Basic Assessment and preparing for certification. These individuals should be people who have a stake in an awarded contract, such as a project lead, and the IT personnel who manage asset inventories, network infrastructure, cybersecurity, privacy, etc., for these parts of the organization. This may include individuals across teams and geographies, depending on the complexity of your organization. It would help if you created secure communication channels between these individuals and set up meetings to align on the upcoming self-assessment.
Scope your organization
Aligning your entire organization with NIST 800-171 may be unimaginably expensive and technically impossible. For this reason, you should work with the appropriate individuals to track the flow of FCI & CUI. Doing so will allow you to isolate the parts of your organization that handle sensitive information, making it much more feasible and cost-effective to implement security practices, manage compliance, and get certified.
Conduct the NIST 800-171 Basic Assessment
Together with your team, you’ll proceed to conduct the NIST 800-171 Basic Assessment. The fastest way to start, albeit least efficient and secure, is by taking all 110 security controls and documenting whether they are implemented, partially implemented, or not implemented using a spreadsheet or document. This process might be as simple as meeting with the relevant individuals (e.g., project leads, IT personnel, etc.) and asking them to provide an answer and any evidence (e.g., policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results, legal requirements, etc.). Depending on the number of contracts your organization holds and its scope, you may need to conduct multiple self-assessments for those individual sections of your organization. The more efficient way of undertaking this process is to use a lightweight CMMC assessment platform that can help you manage any number of NIST 800-171 Basic Assessments across your organization and provide an efficient, secure, and centralized repository for all collected evidence.
Calculate an SPRS score
Once you’ve completed your NIST 800-171 Basic Assessment, you can continue scoring it using the NIST 800-171 DoD Assessment Methodology. If you’ve built your own spreadsheet, you’ll want to create a formula that scores your self-assessment using the weighted subtractor values. While this score may not be perfect, it is the score that you should submit to the SPRS. If you’re using a lightweight CMMC assessment platform, it should automatically calculate a score for you after you complete your NIST 800-171 Basic Assessment.
Create a POA&M
Next, you’ll want to take all the security practices that you marked as “Partially Implemented” or “Not Implemented” and create a POA&M. Although you technically don’t need to submit your POA&M for a NIST 800-171 Basic Assessment (yet), you are still technically required to create one. And for contractors looking to get certified, the POA&M will not only be required but necessary to successfully remediate any gaps and achieve a near-perfect score to be certified by a C3PAO or government-led assessors. If you’re using a lightweight CMMC assessment platform, it should automatically export a POA&M based on your completed NIST 800-171 Basic Assessment with attached remediation guidance.
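The scoring and POA&M steps above, worked through in code. This is an added example, not SaltyCloud's or the DoD's tooling: each practice carries a weight of 5, 3 or 1; an implemented (or justifiably not-applicable) practice costs nothing, a not-implemented one loses its full weight, "partially implemented" earns reduced credit only where the methodology defines it (3.5.3 and 3.13.11, the multifactor-authentication and FIPS-validated-cryptography requirements, each losing 3 instead of 5), and everything that still costs points becomes a POA&M row. The five-practice subset, the answers, and the treatment of "does not apply" as zero deduction are assumptions; take authoritative weights from Annex A of the methodology.

```python
from dataclasses import dataclass
from enum import Enum

PERFECT_SCORE = 110  # one point per practice before weighting; the total can go negative

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "does not apply"  # must be justified in the SAR

@dataclass(frozen=True)
class Practice:
    ident: str
    weight: int       # weighted subtractor from the methodology: 5, 3 or 1
    partial: int = 0  # reduced deduction where the methodology grants partial credit (0 = none)

def deduction(practice: Practice, status: Status) -> int:
    """Points subtracted from the perfect score for one practice."""
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0  # assumption: a "does not apply" justified in the SAR is not deducted
    if status is Status.PARTIAL and practice.partial:
        return practice.partial
    # partial implementation with no partial-credit rule scores as not implemented
    return practice.weight

def assess(catalog: list, answers: dict) -> tuple:
    """Return (SPRS score, POA&M rows); a practice with no recorded answer scores as not implemented."""
    poam = []  # (practice id, status, points lost): everything that still costs points
    for p in catalog:
        status = answers.get(p.ident, Status.NOT_IMPLEMENTED)
        lost = deduction(p, status)
        if lost:
            poam.append((p.ident, status.value, lost))
    return PERFECT_SCORE - sum(row[2] for row in poam), poam

# Constructed five-practice subset; a real submission covers all 110 practices with the weights
# in Annex A of the methodology (3.5.3 and 3.13.11 are its two partial-credit practices).
SAMPLE_CATALOG = [
    Practice("3.1.1", 5), Practice("3.1.3", 1), Practice("3.1.5", 3),
    Practice("3.5.3", 5, partial=3), Practice("3.13.11", 5, partial=3),
]
SAMPLE_ANSWERS = {  # constructed answers; 3.1.5 deliberately has no answer recorded
    "3.1.1": Status.IMPLEMENTED, "3.1.3": Status.PARTIAL,
    "3.5.3": Status.PARTIAL, "3.13.11": Status.NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    score, poam = assess(SAMPLE_CATALOG, SAMPLE_ANSWERS)
    print("SPRS score:", score, "| POA&M rows:", poam)  # 98 for the sample above
```

The same catalog and answer dictionary can be exported from a spreadsheet, so the scoring formula lives in one reviewable place rather than in per-cell arithmetic.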
Whether you’re vying for a simple CMMC Level 1 certification or a comprehensive CMMC Level 3 certification, the NIST 800-171 Basic Assessment will be a mainstay in your evolving compliance process. You’ll want to establish a repeatable, efficient, and scalable approach that allows you to conduct self-assessments continuously, ensuring your organization is compliant and on track with the evolving cybersecurity requirements from the DoD.
No matter the size or function of your organization, Isora GRC from SaltyCloud, the Lightweight GRC Assessment Platform, helps Department of Defense (DoD) contractors fast-track CMMC compliance and certification. It scales with your business and includes preloaded NIST 800-171 and NIST 800-172 questionnaires that make it easy to launch a self-assessment right out of the box for any number of business units or enclaves. Isora GRC helps you break away from the complexities of manual processes and legacy software solutions, streamlining your ability to collect evidence, identify gaps, and keep track of compliance. That means your team is more efficient, and your organization keeps up with the evolving regulations from the DoD.
The NIST 800-171 Basic Assessment is a crucial component of CMMC and isn’t going anywhere. As of November 30, 2020, the DoD requires the entire Defense Industrial Base (DIB) to conduct a NIST 800-171 Basic Assessment and submit a calculated score using the NIST 800-171 DoD Assessment Methodology into the SPRS.