NIST 800-171 Basic Assessment – Complete Guide

Table of Contents

  1. Introduction
  2. What does NIST 800-171 cover?
  3. What is the NIST 800-171 Basic Assessment?
  4. Do I need to conduct a NIST 800-171 Basic Assessment? 
  5. What is the NIST 800-171 DoD Assessment Methodology?
  6. What is the Supplier Performance Risk System (SPRS)?
  7. How does the NIST 800-171 Basic Assessment relate to the CMMC?
  8. What steps can I take to conduct a NIST 800-171 Basic Assessment?
  9. How does SaltyCloud help with CMMC?
  10. Conclusion

Introduction

Central to the Cyber Security Maturity Model Certification (CMMC) is NIST 800-171. The NIST 800-171 Basic Assessment is a low-confidence self-assessment conducted following the NIST 800-171 DoD Assessment Methodology. As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Basic Assessment and submit their score to the Supplier Performance Risk System (SPRS). While it is a requirement, the NIST 800-171 Basic Assessment also serves as a North Star for contractors looking to be certified, helping them identify gaps and plan for remediation. This comprehensive guide covers everything you need to know about NIST 800-171, the NIST 800-171 Basic Assessment, the NIST 800-171 DoD Assessment Methodology, and the steps you can take to build a scalable, evidence-driven compliance process to prepare for certification.

What does NIST 800-171 cover?

NIST 800-171 covers recommended security practices (also known as security controls) for protecting the confidentiality of Controlled Unclassified Information (CUI) outside of nonfederal information systems and organizations. 110 security practices across 14 controls comprise NIST.

NIST 800-171 Control Families

Access Control

Who has access to CUI, and are they supposed to have access?

Awareness and Training

Are employees who handle CUI adequately trained to treat CUI?

Audit and Accountability

Are records kept of who is accessing CUI, and can violators be tracked?

Configuration Management

How are networks and safety protocols built and documented?

Identification and Authentication

What users have access to CUI, and is their access managed?

Incident Response

What is the process in the event of a data breach, and how are appropriate parties notified?

Maintenance

What timeline exists for maintenance, and who is responsible?

Media Protection

How are digital and physical records safely stored and destroyed?

Personnel Security

How are employees screened before gaining access to CUI?

Physical and Environmental Protection

Where do you physically house CUI, and is access monitored and restricted?

Risk Assessment

Are risks periodically assessed, and are remediation plans created and enforced?

Security Assessment

Are security controls regularly assessed for effectiveness, and are remediation plans created and enforced?

System and Communications Protection

Is information regularly monitored and physically and logically separated from other internal networks?

System and Information Integrity

How quickly are possible threats detected, identified, and remediated?

What is the NIST 800-171 Basic Assessment?

The NIST 800-171 Basic Assessment is a self-assessment of NIST 800-171. It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and conducted per the NIST 800-171 DoD Assessment Methodology, “Assessing Security Requirements for Controlled Unclassified Information.” The NIST 800-171 Basic Assessment score results in a “Low “confidence level because it is a self-generated score. Assessments performed by DoD-designated third parties result in higher confidence levels.

Do I need to conduct a NIST 800-171 Basic Assessment?

Yes, if you are part of the Defense Industrial Base (DIB). Per the DFARS Interim Rule, as of November 30, 2020, the DoD includes two new DFARS clauses in DoD contracts, which will require that contractors perform the NIST 800-171 Basic Assessment and submit a score to the Supplier Performance Risk System (SPRS), among other documents, as a condition for contract award. The DoD will ask some contractors to conduct a NIST 800-171 Medium Assessment or High Assessment, conducted by DoD personnel trained following DoD policy and procedures. The DoD conducts these assessments in-person or virtually to assess whether a contract physically implemented the controls.

What is the NIST 800-171 DoD Assessment Methodology?

The NIST 800-171 DoD Assessment Methodology is a scoring system that allows the DoD to strategically assess a contractor’s implementation of NIST 800-171. The methodology is used for assessment purposes only and does not add any additional controls.

You score a NIST 800-171 Basic Assessment on a 110-point scale. Each of the 110 security practices in NIST 800-171 is assigned a “weighted subtractor” value. If you implement a practice, you get a certain amount of points, with a 110 as a perfect score. Suppose you did not implement the control or only partially implemented the practice. In that case, you get a fraction of the points or subtracted points altogether, which means a negative score is possible. Some practices are worth 5 points, some 3, and some 1. The DFARS Interim Rule does not require contractors to achieve a specific score. It only requires them to provide a score. However, it is unclear if and how acquisition officers might use the scores in best value determinations for contract awards and whether it will change once the CMMC final rulemaking is complete.

Response Requirements

Response Requirement
Yes Include a statement in the Security Assessment Report (SAR) and SSP explaining how the information system implements the requirement.
No Include a statement in the SAR that explains why the security requirement is not met. Include a statement in the Plan of Action & Milestones (POA&M) which fully describes how the control will be met, how planned improvements will be implemented, and when the improvements will occur.
Partially Include a statement in the SAR that explains why the security requirement is only partially met. A statement should also be included in the POA&M, which fully describes how the control will be met, how planned improvements will be implemented, and when the improvements will occur.
Does Not Apply Include a statement in the SAR that explains why the security requirement does not apply to your operational environment.
Alternative Approach Include a statement in the SAR the SSP that fully describes the alternative approach, how it is equally effective, and how the information system implements the requirement.

What is the Supplier Performance Risk System (SPRS)?

The SPRS is a portal and database that will house all supplier and product performance information (PI) assessments for the DoD acquisition community to identify, assess, and monitor unclassified performance. More specifically, it’ll be where contractors will submit their NIST 800-171 Basic Assessment scores and other documentation related to their contracts. Contractors will be able to update their scores as they improve over time.

How does the NIST 800-171 Basic Assessment relate to CMMC?

Conducting a NIST 800-171 Basic Assessment is an interim requirement during the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC). However, conducting a NIST 800-171 Basic Assessment will continue to be a requirement for CMMC Level 1 and CMMC Level 2 certifications once rulemaking is finalized. And to be certified at CMMC Level 2 and CMMC Level 3, contractors must meet all 110 security practices outlined in NIST 800-171. While conducting a NIST 800-171 Basic Assessment is a requirement, and it is also a tool to help contractors identify gaps and prepare for certification.

What steps can I take to conduct a NIST 800-171 Basic Assessment?

Conducting a NIST 800-171 Basic Assessment can be challenging, depending on your environment’s complexity. Your goal should be to establish a scalable and evidence-driven assessment process within your organization. Doing so will help you get one step closer to certification and be prepared as the requirements evolve.

Read the official publications

If you haven’t already, read through the official NIST Special Publication (SP) 800-17a, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which presents all 110 security practices. Additionally, you should read through NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” which further provides “assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements.” For contractors who don’t have the technical expertise in-house, it is recommended that you work with a Registered Provider Organization (RPO) to help you through this process.

Identify the right people

Identifying and working with the right people across your organization will be critical when conducting a NIST 800-171 Basic Assessment and preparing for certification. These individuals should be people who have a stake over an awarded contract, such as a project lead, and the IT personnel who manage asset inventories, network infrastructure, cybersecurity, privacy, etc., for these parts of the organization. This may include individuals across teams and geographies, depending on the complexity of your organization. It would help if you created secure communication channels between these individuals and set up meetings to align on the upcoming self-assessment.

Scope your organization

Aligning your entire organization with NIST 800-171 may be unimaginably expensive and technically impossible. For this reason, you should work with the appropriate individuals to track the flow of FCI & CUI. Doing so will allow you to isolate the parts of your organization that handle sensitive information, making it much more feasible and cost-effective to implement security practices, manage compliance, and get certified.

Conduct the NIST 800-171 Basic Assessment

Together with your team, you’ll proceed to conduct the NIST 800-171 Basic Assessment. The fastest way to start, albeit least efficient and secure, is by taking all 110 security controls and documenting whether they are implemented, partially implemented, or not implemented using a spreadsheet or document. This process might be as simple as meeting with the relevant individuals (e.g., project leads, IT personnel, etc.) and asking them to provide an answer and any evidence (e.g.,  policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results, legal requirements, etc.). Depending on the number of contracts your organization holds and its scope, you may need to conduct multiple self-assessments for those individual sections of your organization. The more efficient way of undertaking this process is to use a lightweight CMMC assessment platform that can help you manage any number of NIST 800-171 Basic Assessments across your organization and provide an efficient, secure, and centralized repository for all collected evidence.

Calculate an SPRS score

Once you’ve completed your NIST 800-171 Basic Assessment, you can continue scoring it using the NIST 800-171 DoD Assessment Methodology. If you’ve built your own spreadsheet, you’ll want to create a formula that scores your self-assessment using the weighted subtractor values. While this score may not be perfect, it is the score that you should submit to the SPRS. If you’re using a lightweight CMMC assessment platform, it should automatically calculate a score for you after you complete your NIST 800-171 Basic Assessment.

Create a POA&M

Next, you’ll want to take all the security practices that you marked as “Partially Implemented” or “Not Implemented” and create a POA&M. Although you technically don’t need to submit your POA&M for a NIST 800-171 Basic Assessment (yet), you are still technically required to create one. And for contractors looking to get certified, the POA&M will not only be required but necessary to successfully remediate any gaps and achieve a near-perfect score to be certified by a C3PAO or government-led assessors. f you’re using a lightweight CMMC assessment platform, it should automatically export a POA&M based on your completed NIST 800-171 Basic Assessment with attached remediation guidance.

Repeat

Whether you’re vying for a simple CMMC Level 1 certification or a comprehensive CMMC Level 3 certification, the NIST 800-171 Basic Assessment will be a mainstay in your evolving compliance process. You’ll want to establish a repeatable, efficient, and scalable approach that allows you to conduct self-assessments continuously, ensuring your organization is compliant and on track with the evolving cybersecurity requirements from the DoD.

How does SaltyCloud help with CMMC?

No matter the size or function of your organization, Isora GRC from SaltyCloud, the Lightweight GRC Assessment Platform, helps Department of Defense (DoD) contractors fast-track CMMC compliance and certification. It scales with your business and includes preloaded NIST 800-171 and NIST 800-172 questionnaires that make it easy to launch a self-assessment right out of the box for any number of business units or enclaves. Isora GRC helps you break away from the complexities of manual processes and legacy software solutions, streamlining your ability to collect evidence, identify gaps, and keep track of compliance. That means your team is more efficient, and your organization keeps up with the evolving regulations from the DoD.

Conclusion

The NIST 800-171 Basic Assessment is a crucial component of CMMC and isn’t going anywhere. As of November 30, 2020, the DoD requires the entire Defense Industrial Base (DIB) to conduct a NIST 800-171 Basic Assessment and submit a calculated score using the NIST 800-171 DoD Assessment Methodology into the SPRS.

Recommended