Non-federal contractors that handle CUI are bound to comply with NIST SP 800-171, as the Interim Rule requires. Learn more about why compliance matters.
According to the Interim Rule, as of September 2020, all federal contractors must ensure they can adequately handle and protect sensitive federal information by following NIST SP 800-171 and achieving the appropriate level of Cybersecurity Maturity Model Certification (CMMC). This requirement is a core condition of any agreement between the Department of Defense (DoD) and contractors who handle Controlled Unclassified Information (CUI). For now, while CMMC is still evolving, the best way to qualify for such agreements is to ensure adherence to NIST 800-171. Most federal contractors already know that they need to comply with NIST SP 800-171 if they want to work with DoD or other government agencies that handle CUI. For those unfamiliar, we offer a short but coherent overview of NIST SP 800-171 and its role in protecting CUI.
Until September 2020, no certification body or official audit existed to determine a contractor’s compliance with NIST 800-171 controls. All federal contractors simply self-assessed their performance against the list of NIST controls in an internal audit. However, DFARS Case 2019-D041, the so-called Interim Rule, changed this approach, obligating DoD contractors to complete the NIST SP 800-171 assessment according to a specific Assessment Methodology. Furthermore, the Interim Rule bound federal contractors to achieve the appropriate level of CMMC certification prior to any contract award and during contract performance. While CMMC is still evolving, NIST SP 800-171 is already being adopted by forward-looking contractors who aim to protect CUI and remain eligible for federal agreements.
The importance of NIST 800-171 compliance for all existing and potential DoD contractors cannot be overstated. First, successfully meeting the NIST security controls assures that the organization can adequately protect CUI in a multi-tier supply chain. Second, it contributes to the general prestige and reliability of the contractor and increases the chances of contract awards. Last but not least, ongoing NIST 800-171 compliance will be the bridge to successful CMMC certification, which is the ultimate goal for all DoD contractors.
NIST 800-171 is the Special Publication that sets recommended standards for protecting the confidentiality of sensitive information held by federal contractors and subcontractors. Specifically, the standard focuses on the protection of CUI, which includes information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government.
As it is stated in the NIST Self-Assessment Handbook, NIST SP 800-171 provides federal agencies with recommended requirements for protecting the CUI when:
NIST 800-171 contains security controls designed to ensure that sensitive unclassified information on non-federal networks is appropriately secured. In this way, NIST 800-171 strengthens the resilience of the whole federal supply chain and establishes a unified cybersecurity standard for non-federal organizations. Application of NIST 800-171 in the defense sector is regulated by DFARS clause 252.204-7012, which requires DoD contractors and subcontractors to implement the necessary controls and demonstrate adequate information system security. The clause will remain in place through 2026.
NIST SP 800-171 consists of 110 security controls, organized into 14 families. The security families cover the most critical areas of organizations’ IT-related policies and practices, including:
Awareness and training
Audit and accountability
Identification and authentication
System and communication protection
System and information integrity
In turn, each of the 110 security controls is designed to detect cybersecurity vulnerabilities or strengthen the organization’s security program. In general terms, proper application of the NIST security controls ensures that the organization’s network, systems, and employees can handle CUI safely. To understand the controls in a broader context, please keep reading our blog.
To assess the contractor’s implementation of NIST SP 800-171 at the corporate and entity level, DoD has developed a standard assessment methodology. The NIST SP 800-171 DoD Assessment Methodology is the strategic assessment of how the contractor implements the mandatory cybersecurity requirements. The methodology provides means to assess the contractor’s implementation of the NIST requirements as a transition to full implementation of the CMMC.
A critical requirement of NIST 800-171 compliance is having a System Security Plan (SSP) and documenting the assessment results in a Plan of Action and Milestones (POA&M). The SSP provides an overview of the technology and security processes that the organization has in place. The POA&M, in turn, documents the NIST requirements not yet met by the assessed organization. Thus, the SSP and POA&M are vital evidence of NIST compliance required by the DoD. Both documents should be uploaded to and kept current in the Supplier Performance Risk System (SPRS), the source that produces Performance Information (PI) assessments for the DoD.
The NIST Assessment Methodology consists of three levels that reflect the depth of the assessment and the level of confidence in the assessment outcomes. The levels are defined as follows:
Basic assessment is the contractor’s self-assessment based on reviewing and scoring the SSP. Because it is self-performed, the basic assessment results in a confidence level of “Low.”
Medium assessment is conducted by authorized DoD assessors who evaluate and score the organization’s SSP and POA&M. The assessment results in a confidence level of “Medium” in the resulting score.
High assessment is an in-depth assessment conducted by authorized DoD assessors. The assessment requires a thorough on-site (preferred) or virtual (as a response to the COVID-19 pandemic) verification, examination, and demonstration of the contractor’s SSP and implementation of the NIST security requirements. By reviewing appropriate evidence, such as recent scanning results, configuration baselines, and multi-factor authentication, the assessment determines whether NIST SP 800-171 has been applied appropriately. The high assessment builds on the basic assessment and ends with government validation that the security requirements have been implemented as described in the organization’s SSP. The high assessment results in a confidence level of “High.”
The NIST SP 800-171 assessment should be conducted every three years unless other factors, such as new risks or security-relevant changes, drive the need for more frequent assessment.
As of right now, only basic assessments are conducted, as DoD is still developing the framework and resources for medium and high assessments.
A special scoring methodology (p.5) is used to provide an objective assessment of NIST SP 800-171 implementation status. The NIST SP 800-171 DoD Assessment therefore produces a score that reflects the net effect of security requirements not yet implemented. Each organization begins the assessment with 110 points. Unconditional implementation of all 110 security requirements results in the maximum possible score of 110. For each requirement not met, points are subtracted.
Each of the 110 requirements has its own point value and is worth one, three, or five points:
5-point requirements have a vital effect on network security and, if not implemented, could lead to significant network exploitation or CUI exfiltration (e.g., failure to limit system access to authorized users; inability to control the use of removable media on system components).
3-point requirements have a specific and confined effect on the network’s security and data (such as the failure to limit access to CUI or failure to encrypt CUI stored on a mobile device).
1-point requirements have a limited or indirect effect on the security of the network and its data.
To fully meet the NIST 800-171 self-assessment requirements, the company must comply with all requirements and obtain the maximum score of 110. It is important to stress that the maximum score for a virtual high assessment is reduced from 110 to 100 due to DoD’s inability to verify the physical controls independently.
Although NIST 800-171 has 110 controls, only 109 of them are actually scored. Control 3.12.4, which requires an SSP and a POA&M, has no point value because the lack of these documents does not even allow the assessment to be completed “due to incomplete information and noncompliance with DFARS clause 252.204-7012.”
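The scoring rule above is simple enough to put in code, which makes it easy to track a score as POA&M items close. The following is an added example written for this post; it is not part of the DoD Assessment Methodology or any Planet 9 tool. The point weights in SAMPLE_WEIGHTS are constructed stand-ins (in practice they come from the methodology’s scoring annex), the POA&M CSV layout is a constructed format, and the virtual high assessment is modeled by starting the score at 100 rather than 110. The one requirement the page names, 3.12.4, is treated as unscored but mandatory: an open 3.12.4 item stops the calculation instead of deducting points.

```python
"""Scoring calculator for the NIST SP 800-171 DoD Assessment rule.

Constructed example: requirement weights and the POA&M CSV layout are
illustrative. Real weights must be taken from the DoD Assessment Methodology.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional

BASE_SCORE = 110            # every organization starts with 110 points
VIRTUAL_HIGH_MAX = 100      # virtual High assessments cannot verify physical controls
SSP_REQUIREMENT = "3.12.4"  # SSP / POA&M requirement: no point value, but mandatory

# Constructed sample weights: requirement id -> points deducted when unmet.
# None marks 3.12.4, which carries no point value.
SAMPLE_WEIGHTS: Dict[str, Optional[int]] = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.1.3": 1,     # constructed weight
    "3.1.21": 5,    # control use of removable media
    "3.5.3": 5,     # multi-factor authentication (constructed weight)
    "3.8.6": 3,     # constructed weight
    SSP_REQUIREMENT: None,
}


class AssessmentIncomplete(Exception):
    """Raised when the assessment cannot be completed (no SSP / POA&M)."""


@dataclass(frozen=True)
class ScoreReport:
    score: int                  # summary score to report in SPRS
    maximum: int                # 110, or 100 for a virtual High assessment
    deductions: Dict[str, int]  # unmet requirement id -> points lost

    @property
    def fully_compliant(self) -> bool:
        return not self.deductions


def score_assessment(weights: Mapping[str, Optional[int]], unmet: Iterable[str],
                     *, virtual_high: bool = False) -> ScoreReport:
    """Apply the methodology: start at the maximum, subtract each unmet weight."""
    open_items = set(unmet)
    if SSP_REQUIREMENT in open_items:
        # Without an SSP and POA&M the assessment cannot be completed at all.
        raise AssessmentIncomplete(
            f"requirement {SSP_REQUIREMENT} (SSP/POA&M) not met; assessment cannot be scored")
    unknown = open_items - set(weights)
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    deductions = {req: weights[req] for req in sorted(open_items) if weights[req] is not None}
    maximum = VIRTUAL_HIGH_MAX if virtual_high else BASE_SCORE
    return ScoreReport(maximum - sum(deductions.values()), maximum, deductions)


def parse_poam(lines: Iterable[str]) -> List[str]:
    """Return requirement ids whose status is 'open' in a minimal POA&M CSV (constructed layout)."""
    unmet = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("requirement"):
            continue  # skip blanks and the header row
        req, status, *_ = [field.strip() for field in line.split(",")]
        if status.lower() == "open":
            unmet.append(req)
    return unmet


def remediation_priority(report: ScoreReport) -> List[str]:
    """Order open gaps so that the highest-weight items (5 points) are closed first."""
    return sorted(report.deductions, key=lambda req: (-report.deductions[req], req))


# Constructed POA&M extract: one closed item, three still open.
SAMPLE_POAM = """\
requirement,status,planned_close
3.1.3,open,2021-03-31
3.1.21,open,2021-02-28
3.5.3,open,2021-06-30
3.8.6,closed,2020-11-15
"""

if __name__ == "__main__":
    open_items = parse_poam(SAMPLE_POAM.splitlines())
    report = score_assessment(SAMPLE_WEIGHTS, open_items)
    print(f"SPRS summary score: {report.score}/{report.maximum}")
    for req in remediation_priority(report):
        print(f"  {req}: -{report.deductions[req]} points")
```

With the constructed POA&M, three open items worth 1, 5 and 5 points give a score of 99 out of 110 (89 under the virtual High cap), and the priority list puts the two 5-point gaps first, which is the order a remediation plan should follow.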
The Interim Rule explicitly requires contractors to submit a summary score to the SPRS enterprise application. After the assessment, the organization uploads its total score and, if the score is below 110, the date by which it intends to reach the maximum score. Contractors should update their scores in SPRS after closing all the security gaps defined in their POA&M. A typical plan to reach a perfect score should be completed within 9 to 12 months. This time is more than enough to improve the organization’s security posture and assure DoD that you are a reliable contractor.
To conclude, the core condition for remaining a reliable DoD contractor and ensuring adequate CUI handling is to abide by NIST SP 800-171. Furthermore, adherence to the standard is now an obligatory step toward achieving the appropriate CMMC certification level. Don’t waste time on the way toward your next contract award; start assessing your compliance with NIST SP 800-171 now. For more detailed information about the NIST assessment and the related procedures, please keep reading our blog or consult the Planet 9 team. We’ll be happy to assist: