If you are beginning to steel yourself for the Cybersecurity Maturity Model Certification (CMMC), the first thing you will have to do is self-assess your organization against NIST SP 800-171. Previously, Department of Defense (DoD) contractors only had to self-attest that they implemented all 110 security requirements in NIST 800-171; no score had to be reported. In this guide, we cover what you need to know about NIST 800-171, the NIST 800-171 Basic Assessment, and the steps you will take to conduct the assessment and build a scalable, evidence-driven compliance process.
What is the NIST 800-171 Basic Assessment?
The Basic Assessment is a contractor’s self-assessment of its NIST 800-171 implementation. It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and is conducted per the NIST SP 800-171 DoD Assessment Methodology, which draws its assessment objectives from NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” The Basic Assessment carries a confidence level of “Low” because the score is self-generated from the contractor’s own SSP, with no independent verification of evidence. The Medium and High Assessments, which are performed by DoD assessors rather than the contractor, result in higher confidence levels.
Do you need to conduct a NIST 800-171 Basic Assessment?
Yes, if you are part of the Defense Industrial Base (DIB). Under the DFARS Interim Rule, effective November 30, 2020, the DoD includes two new DFARS clauses (252.204-7019 and 252.204-7020) in DoD contracts that require contractors to perform the NIST 800-171 Basic Assessment and submit the resulting score to the Supplier Performance Risk System (SPRS), among other documents, as a condition of contract award. The DoD will ask some contractors to undergo a NIST 800-171 Medium or High Assessment, conducted by DoD personnel trained to DoD policy and procedures. The DoD conducts these assessments in person or virtually to verify whether the contractor has actually implemented the controls, not merely documented them in the SSP.
What is the Supplier Performance Risk System (SPRS)?
SPRS is a DoD portal and database that houses supplier and product performance information (PI) assessments, which the DoD acquisition community uses to identify, assess, and monitor unclassified performance. More specifically, it is where contractors submit their NIST 800-171 Basic Assessment scores and the related information their contracts require. A submission records the summary score (110 is a perfect score under the DoD methodology, and the score drops by the weight of each unimplemented requirement), the assessment date, the scope of the assessment (the CAGE codes covered by the SSP), and the date by which full implementation of all requirements is expected. Contractors can update their scores as they close out remaining requirements over time.
How does the NIST 800-171 Basic Assessment relate to the CMMC?
Conducting a NIST 800-171 Basic Assessment is an interim requirement during the five-year phased rollout of the Cybersecurity Maturity Model Certification (CMMC). However, because the CMMC practices overlap heavily with NIST 800-171, a successful NIST 800-171 assessment takes you a large step toward CMMC Level 3, the level required of any contractor handling Controlled Unclassified Information (CUI). Level 3 in the original CMMC model encompasses all 110 NIST 800-171 requirements plus additional practices, so any gaps found in your Basic Assessment are gaps you would have to close for CMMC anyway. (Note that the later CMMC 2.0 revision maps the 110 NIST 800-171 requirements to Level 2 instead.)