The NIST 800-171 Basic Assessment Complete Guide

Table of Contents

  1. Introduction
  2. What does NIST 800-171 cover?
  3. What is the NIST 800-171 Basic Assessment?
    1. Do I need to conduct a NIST 800-171 Basic Assessment?
    2. What is the DoD Assessment Methodology?
    3. How do you score a NIST 800-171 Basic Assessment with the DoD Assessment Methodology?
    4. What is the Supplier Performance Risk System (SPRS)?
    5. How does the NIST 800-171 Basic Assessment relate to the CMMC?
  4. What steps can I take to conduct a NIST 800-171 Basic Assessment?
  5. Conclusion

Introduction

If you’re starting to prepare for the Cybersecurity Maturity Model Certification (CMMC), you’ll first need to self-assess your organization against NIST 800-171. Previously, Department of Defense (DoD) contractors only had to self-certify that they aligned with all 110 security controls in NIST 800-171. As of November 30, 2020, all DoD contractors must self-assess against NIST 800-171 and submit a score to the Supplier Performance Risk System (SPRS). In this comprehensive guide, we cover everything you need to know about NIST 800-171, the NIST 800-171 Basic Assessment, and the steps you can take to conduct the assessment and build a scalable, evidence-driven compliance process.

What does NIST 800-171 cover?

NIST 800-171 covers recommended security requirements (also known as controls) for protecting the confidentiality of Controlled Unclassified Information (CUI) when that information lives in nonfederal information systems and organizations. There are 110 security controls across 14 control families in NIST 800-171. The control families are:

  1. Access Control
    1. Who has access to CUI, and are they supposed to have access?
  2. Awareness and Training
    1. Are employees who handle CUI adequately trained to handle it correctly?
  3. Audit and Accountability
    1. Are records kept about who is accessing CUI, and can violators be tracked?
  4. Configuration Management
    1. How are networks and safety protocols built and documented?
  5. Identification and Authentication
    1. What users have access to CUI, and is their access managed?
  6. Incident Response
    1. What is the process in the event of a data breach, and how are appropriate parties notified?
  7. Maintenance
    1. What timeline exists for maintenance, and who is responsible?
  8. Media Protection
    1. How are digital and physical records safely stored and destroyed?
  9. Personnel Security
    1. How are employees screened before gaining access to CUI?
  10. Physical and Environmental Protection
    1. Where do you physically house CUI, and is access monitored and restricted?
  11. Risk Assessment
    1. Are risks periodically assessed, and are remediation plans created and enforced?
  12. Security Assessment
    1. Are security controls regularly assessed for effectiveness, and are remediation plans created and enforced?
  13. System and Communications Protection
    1. Is information regularly monitored and physically and logically separated from other internal networks?
  14. System and Information Integrity
    1. How quickly are possible threats detected, identified, and remediated?

What is the NIST 800-171 Basic Assessment?

The Basic Assessment is a contractor’s self-assessment against NIST 800-171. It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and is conducted per the DoD Assessment Methodology, “Assessing Security Requirements for Controlled Unclassified Information.” Because the score is self-generated, the Basic Assessment carries a confidence level of “Low.” Assessments performed by DoD-designated third parties result in higher confidence levels.

Do I need to conduct a NIST 800-171 Basic Assessment?

Yes, if you are part of the Defense Industrial Base (DIB). Per the DFARS Interim Rule, as of November 30, 2020, the DoD includes two new DFARS clauses in DoD contracts, which require contractors to perform the NIST 800-171 Basic Assessment and submit a score to the Supplier Performance Risk System (SPRS), among other documents, as a condition of contract award. The DoD will ask some contractors to undergo a NIST 800-171 Medium Assessment or High Assessment, conducted by DoD personnel trained in accordance with DoD policy and procedures. The DoD conducts these assessments in person or virtually to verify whether the contractor has actually implemented the controls.

What is the DoD Assessment Methodology?

The DoD Assessment Methodology is a scoring system that allows the DoD to strategically assess a contractor’s implementation of NIST 800-171. The methodology is used for assessment purposes only and does not add any additional controls.

How do you score a NIST 800-171 Basic Assessment with the DoD Assessment Methodology?

You score a NIST 800-171 Basic Assessment on a 110-point scale. Each of the 110 controls in NIST 800-171 is assigned a “weighted subtractor” value, and a perfect score of 110 means every control is implemented. For each control that is not implemented, or only partially implemented, its weighted subtractor is taken off the score; for a few controls, a partial implementation costs only part of the subtractor. Some controls are worth 5 points, some 3, and some 1, so the subtractors add up to far more than 110 and a negative score is possible. The DFARS Interim Rule does not require contractors to achieve a specific score; it only requires them to provide one. However, it is unclear if and how acquisition officers might use the scores in best-value determinations for contract awards.

Each control is assessed against one of the following criteria, and each outcome requires specific documentation:

  • Yes
    • A statement should be included in the Security Assessment Report and System Security Plan, explaining how the information system implements the requirement.
  • No
    • A statement should be included in the Security Assessment Report, which explains why the security requirement is not met. A statement should also be included in the Plan of Action, which fully describes how the control will be met, how planned improvements will be implemented, and when the improvements will occur.
  • Partially
    • A statement should be included in the Security Assessment Report, which explains why the security requirement is partially met. A statement should also be included in the Plan of Action, which fully describes how the partially met security requirements will be fully met, how any planned improvements will be implemented, and when the improvements will occur.
  • Does Not Apply
    • A statement should be included in the Security Assessment Report, which explains why the security requirement does not apply to your operational environment.
  • Alternative Approach
    • A statement should be included in the Security Assessment Report and in the System Security Plan, which fully describes the alternative approach and how it is equally effective. A statement should also be included that explains how the information system implements the requirement.

What is the Supplier Performance Risk System (SPRS)?

The SPRS is a portal and database that will house all supplier and product performance information (PI) assessments for the DoD acquisition community to identify, assess, and monitor unclassified performance. More specifically, it’ll be the place where contractors will submit their NIST 800-171 Basic Assessment scores and other documentation related to their contracts. Contractors will be able to update their scores as they improve over time.

How does the NIST 800-171 Basic Assessment relate to the CMMC?

Conducting a NIST 800-171 Basic Assessment is an interim requirement during the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC). However, because of the overlap in NIST 800-171 and the CMMC, conducting a successful NIST 800-171 Basic Assessment will take you a step closer to achieving a CMMC Level 3, the required level for any contractor handling CUI.

What steps can I take to conduct a NIST 800-171 Basic Assessment?

There are a few steps you can take to conduct a NIST 800-171 Basic Assessment. In general, your goal should be to build a scalable and evidence-driven compliance process within your organization.

  1. Learn what each of the 110 controls in NIST 800-171 requires.
    1. Read through the publication, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
    2. EDUCAUSE also provides an excellent guide, “An Introduction to NIST Special Publication 800-171 for Higher Education Institutions.” Although written for Higher Education Institutions (EDUs), it could apply to other industries.
  2. Amend your current security policies or completely introduce new ones to align with the 110 controls.
  3. Communicate your security policies and ensure employees understand them.
  4. Establish the objective and scope of a NIST 800-171 Basic Assessment
    1. A sample objective might be “to successfully assess all 110 controls within five days,” while a sample scope would be, “Network enclaves included in the SSP.”
    2. It is essential to understand that not every part of your organization has to demonstrate compliance with NIST 800-171. It is more cost- and time-effective to scope only the parts of your network that process, store, or transmit CUI.
  5. Devise an internal compliance process to assess your organization
    1. Choose a method for your assessment.
      1. Many organizations choose to use spreadsheets, but they are unreliable and don’t scale well over time. Alternatively, you can choose to use an automated compliance assessment platform like Isora GRC to help you conduct your NIST 800-171 Basic Assessment.
    2. Identify and notify key employees of assessment activities.
      1. Depending on how your organization is structured, you’ll want to establish a clear chain of command. This might mean designating an assessment manager for each assessment.
    3. Allocate resources to carry out the assessment(s)
      1. These are mainly human resources such as internal IT auditors or contractors (if necessary).
    4. Establish secure communication channels among employees and a method for collecting sensitive evidence artifacts.
      1. Because you are assessing systems that handle CUI, the tools (e.g., email servers, communications channels, cloud databases, etc.) you use to maintain all data related to the assessments will also need to be compliant with DoD standards. If you’re using Isora GRC, we host your instance on AWS GovCloud, which is compliant with the FedRAMP High baseline.
  6. Conduct the NIST 800-171 Basic Assessment(s)
    1. Depending on your organization’s size and the number of DoD contracts you have, you might be conducting more than one assessment.
    2. Regardless of which method you choose to conduct your assessment, you’ll need to have individuals self-assess the implementation level for each control and provide evidence and an explanation for that implementation level.
      1. This may include policies, procedures, plans, specifications, designs, records, administrator/operator manuals, information system documentation, interconnection agreements, previous assessment results, and legal requirements.
  7. Create an SPRS score for each NIST 800-171 Basic Assessment
    1. If you’re using spreadsheets, you’ll want to create a formula to produce the score. If you’re using Isora GRC, the platform will automatically generate the score at the end of the assessment and organize all relevant data into a dashboard.
  8. Create a Plan of Actions & Milestones (POA&M)
    1. Although you do not need to submit your POA&M for a Basic Assessment, you still need to create one. If a Medium or High Assessment is conducted, you’ll need to provide your POA&M to your auditor.
      1. If you’re using Isora GRC, you can take your assessment results and automatically export a POA&M.
  9. Fill in your SPRS Profile
    1. For each assessment, you’ll need to submit:
      1. Assessment Date
      2. Score
      3. Assessment Scope
      4. Plan of Action Completion Date
      5. Name of System Security Plan (SSP) Assessed
      6. SSP Version/Revision
      7. SSP Date
      8. Included CAGE Codes
    2. You can learn more about the SPRS system and the score submission process using the reference guides available on the SPRS website.
  10. Start Preparing for the CMMC
    1. With your first score submitted and a POA&M in-hand, you can start remediating your NIST 800-171 gaps and preparing your organization for certification.
      1. If you’re using Isora GRC, you can use your initial NIST 800-171 Basic Assessment to start tracking your progress towards any specific CMMC level.
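The scoring rule described under “How do you score a NIST 800-171 Basic Assessment” and the spreadsheet formula mentioned in step 7, worked through as an added example (this is not code from the original guide and not Isora GRC’s implementation): start at 110, subtract each unmet control’s weighted subtractor, grant partial credit only where a reduced subtractor is defined for that control, refuse to score an assessment that skips any of the 110 controls, and report which controls need Plan of Action entries and which documents need a statement for each outcome. The control family sizes come from NIST SP 800-171; every weight, partial subtractor and status in the sample below is constructed for illustration, so the real per-control values from the DoD Assessment Methodology must be substituted before scoring an actual assessment.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110  # one point per control before any subtractor is applied

# Number of controls in each of the 14 families of NIST SP 800-171 (3.1 to 3.14);
# they sum to 110.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9, 9: 2,
                10: 6, 11: 3, 12: 4, 13: 16, 14: 7}

STATUSES = ("yes", "no", "partially", "does_not_apply", "alternative_approach")
NEEDS_POAM = ("no", "partially")  # outcomes that require a Plan of Action entry


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    weight: int                  # weighted subtractor value: 5, 3 or 1
    status: str
    partial_subtractor: int = 0  # reduced subtractor where partial credit is defined; 0 = none


def all_control_ids():
    """Enumerate the 110 control identifiers, '3.1.1' through '3.14.7'."""
    return [f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
            for n in range(1, size + 1)]


def points_subtracted(result):
    """Points removed from 110 for one control under the DoD methodology."""
    if result.status not in STATUSES:
        raise ValueError(f"{result.control_id}: unknown status {result.status!r}")
    if result.status in ("yes", "does_not_apply", "alternative_approach"):
        return 0
    if result.status == "no":
        return result.weight
    # "partially": only a control with a defined partial subtractor earns partial
    # credit; any other partially implemented control is scored as not implemented.
    return result.partial_subtractor or result.weight


def compute_score(results):
    """Score the whole assessment; refuse to score one that skips any control."""
    seen = {r.control_id for r in results}
    missing = [cid for cid in all_control_ids() if cid not in seen]
    if missing:
        raise ValueError(f"assessment incomplete, unscored controls: {missing[:5]}")
    return PERFECT_SCORE - sum(points_subtracted(r) for r in results)


def required_statements(result):
    """Documents that need a statement for this outcome (SAR, SSP, POA&M)."""
    docs = {"SAR"}  # every outcome gets a Security Assessment Report statement
    if result.status in ("yes", "alternative_approach"):
        docs.add("SSP")
    if result.status in NEEDS_POAM:
        docs.add("POA&M")
    return docs


def poam_items(results):
    """Control IDs that must appear in the Plan of Action & Milestones."""
    return [r.control_id for r in results if r.status in NEEDS_POAM]


def build_sample_assessment():
    """CONSTRUCTED sample: every control implemented except these overrides.
    The weights and the partial subtractor are illustrative, not the real values."""
    overrides = {
        "3.1.1": ControlResult("3.1.1", 5, "no"),
        "3.3.1": ControlResult("3.3.1", 5, "partially"),  # no partial credit defined: full 5
        "3.5.3": ControlResult("3.5.3", 5, "partially", partial_subtractor=3),
        "3.7.1": ControlResult("3.7.1", 3, "no"),
        "3.9.2": ControlResult("3.9.2", 1, "does_not_apply"),
        "3.13.11": ControlResult("3.13.11", 5, "alternative_approach"),
    }
    return [overrides.get(cid, ControlResult(cid, 1, "yes")) for cid in all_control_ids()]


if __name__ == "__main__":
    sample = build_sample_assessment()
    print("SPRS score:", compute_score(sample))  # 94 for the sample data
    print("POA&M needed for:", poam_items(sample))
    for r in sample:
        if r.status != "yes":
            print(f"{r.control_id}: {r.status} -> statements in {sorted(required_statements(r))}")
```

The coverage check in `compute_score` is the part a spreadsheet usually gets wrong: a blank row silently scores as implemented, so the calculator refuses to produce a number until every one of the 110 controls has an explicit outcome.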


Conclusion

The DFARS Interim Rule, in preparation for the CMMC, requires DoD contractors to conduct a NIST 800-171 Basic Assessment and submit a score to the SPRS. Aligning an organization with all 110 controls can seem like a lot of work. By following some simple steps and implementing a scalable, evidence-based compliance process, organizations can quickly start making progress towards a perfect score. Although contractors will eventually need to assess against the CMMC, conducting a NIST 800-171 Basic Assessment is a great starting point that will help you get on track towards certification.
