The NIST 800-171 Basic Assessment is a self-assessment of an organization's implementation of NIST 800-171.

It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and conducted per the NIST 800-171 DoD Assessment Methodology, “Assessing Security Requirements for Controlled Unclassified Information.”

The NIST 800-171 Basic Assessment score results in a “Low” confidence level because it is a self-generated score.

Who needs to conduct a NIST 800-171 Basic Assessment?

Everyone who is a part of the Defense Industrial Base (DIB). This includes all prime contract holders and their subcontractors.

As stated in the DFARS Interim Rule, which is in effect as of November 30, 2020, all contractors must perform the NIST 800-171 Basic Self-Assessment to generate their Supplier Performance Risk System (SPRS) score. In addition to this score, contractors must have System Security Plan (SSP) and Plan of Action and Milestones (POAM) documents to support their self-assessment.

How is a SPRS score calculated?

The NIST 800-171 DoD assessment methodology is based on NIST 800-171A (Assessing Security Requirements for Controlled Unclassified Information), which provides a framework for assessing an organization’s compliance with NIST 800-171 requirements.

NIST 800-171 consists of 110 security requirements which must be individually evaluated and assessed to determine if you are implementing the control.

Your NIST 800-171 SPRS score can range anywhere from -203 to 110, with 110 meaning you have successfully implemented all security requirements. Organizations with mature IT and security practices are more likely to score higher upon initial assessment, while smaller businesses with minimal or no IT security infrastructure and practices are likely to score on the lower end of the spectrum.

A low score, however, is not a bad thing. You must first fully understand where your organization stands today to be able to create a plan that allows you to work toward securing your business.

It is critical to assess your organization accurately. Many small businesses do not have the IT security resources available to adequately assess themselves.

Why is this important for my business?

Compliance with the NIST 800-171 requirements will help you to implement and maintain secure IT systems and business processes. Implementing solutions to meet these requirements ensures you are properly handling your business's sensitive data.

In addition, this will ensure that you are able to properly store and handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), allowing you to obtain and/or maintain Department of Defense (DoD) contracts or subcontracts.

How can I achieve compliance?

There are many resources available online, some of which we have linked here in this article. With assistance from your in-house IT security team, you can review the controls and evaluate them against the assessment methodology to determine if you are in compliance.

You can also work with a trusted advisor who understands the NIST 800-171 (and CMMC) requirements. An expert cybersecurity consultant can be an invaluable resource throughout the evaluation process and can assist you in developing an appropriate security and technology strategy for the future. Choosing the right partner will allow you to streamline your security compliance and IT security operations.

How Can MC3 Technologies Help?

We have over 20 years of cybersecurity and compliance experience to help guide you through your NIST 800-171 and CMMC compliance journey.

We are a Cyber AB certified CMMC Registered Practitioner Organization (RPO), accredited to provide CMMC services to the defense industrial base.

We provide you with a full range of services to help you meet today's federal requirements and prepare for future CMMC Level 1 or 2 requirements. We know your goal is to continue doing business with the federal government, and we will ensure this is done properly and efficiently.