What is NIST 800-171 scoring and why do I care?

Background

If you have found this, you are looking for NIST 800-171 scoring. If you are, you must have a taste for alphabet soup so this background is for you…

New DFARS (Defense Federal Acquisition Regulation Supplement) Interim Rules went into effect in December 2020, forcing defense contractors to adhere to new processes and requirements, and placing greater emphasis on compliance with cybersecurity regulations (namely NIST 800-171).

Contractors who handle Controlled Unclassified Information (CUI) must now conduct self-assessments of NIST 800-171 compliance status in accordance with NIST 800-171A assessment guidance; score themselves on a subtractive, weighted formula as prescribed by the DoD Assessment Methodology scoring system; and report their scores and expected POAM completion dates to the government through the Supplier Performance Rating System (SPRS) in order to remain eligible to win new contract awards that involve handling CUI. In addition, the Defense Contract Management Agency‘s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is now able to mandate more detailed analysis of contractor compliance through Medium and High confidence assessments at the government’s discretion. For Medium and High assessments, DIBCAC personnel may perform detailed reviews of contractor SSPs, or conduct full NIST 800-171A evidence-based assessments of contractor compliance.

The NIST 800-171 Self-Assessment

How to score the assessment

First of all, there are a number of checklists out there that can help you come up with a score for your assessment. Those are extremely helpful in calculating that score. In general the score is derived from the following:

Your assessment score is calculated by adding the total score from each implemented requirement (controls). Each of the fully implemented 110 security requirements translates into one point, for 110 points total. But that’s not all.

Any controls that are not implemented result in a subtraction of points from the overall score, and since some omissions have a larger impact on security of CUI, a weighting system is used.

The subtraction of points for the non-implemented requirements is as follows:

• For any high-level “Basic Security Requirements” with a significant impact on security, non-implementation results in a deduction of five points from the total score of 110.
• For “Basic Security Requirements” and “Derived Security Requirements” with a more moderate impact on security, non-implementation results in a deduction of three points.
• For all other “Derived Security Requirements” deemed to have a low impact on security, non-implementation results in a deduction of just one point.

What do I do with the score?

Doing the above assessment will result in a score between -203 and 110. Yes, you can get a valid negative score!

Once you have found your score. You will need to report that to the DoD through the SPRS system. Details can be found here: Supplier Performance Risk System (disa.mil)

DoD Assessment Methodology scoring system

Clearly, a self-assessment score can vary based on who is filling it out. Some contracts are extreemly sensitive while others may be less sensitive. If you handle sensitive CUI, a self-assessment may not be enough guarantee that CUI is being protected. This is where your self-assessment may be challenged with requests for supporting evidence.

3 Levels of confidence scores

The NIST 800-171 DoD assessment is consists of three levels at which compliance is evaluated:

• At the first level, contractors can conduct basic NIST 800-171 self-assessments of their systems to achieve self-generated “low” confidence scores
• Assessments at the medium level result in “medium” confidence scores, following a designated DoD official’s evaluation of:
  • A contractor’s NIST 800-171 self-assessment score 
  • Documents provided by the contractor
• Assessments at the highest level lead to “high” confidence scores, following a designated DoD official’s evaluation of:
  • A contractor’s NIST 800-171 self-assessment score
  • Documents provided by the contractor
  • The security plans provided by the contractor as evidence of NIST 800-171 compliance (This is often termed as “over the shoulder” which, to me, means audit)

#DFARS #NIST800-171 #CUI #SPRS

• Author
• Recent Posts

Follow me

Paul Bergman

CEO at Tracc Development, Inc.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Follow me

Latest posts by Paul Bergman (see all)

• The Imperative for Cyber Talent on Corporate Boards - March 29, 2024
• Talking CMMC preparation - March 12, 2024
• Protecting Your Business: Strategies to Combat DNS Attacks - February 20, 2024