Non-federal contractors that handle CUI are bound to maintain NIST SP 800-171 compliance. Learn more about why compliance matters to you.
According to the Interim Rule, as of September 2020, all federal contractors must ensure they can adequately handle and protect sensitive federal information by following NIST SP 800-171 and achieving the appropriate level of Cybersecurity Maturity Model Certification (CMMC). This is a core condition of any agreement between the Department of Defense (DoD) and its contractors. While CMMC is still evolving, the best way to secure such an agreement is to ensure NIST SP 800-171 compliance. Want to cooperate with the DoD or other government agencies? You should comply with NIST SP 800-171, and most federal contractors understand that. For those unfamiliar with it, we offer a short but coherent overview of NIST SP 800-171 compliance.
Until September 2020, no certification body or official audit existed to determine a contractor’s compliance with the NIST SP 800-171 controls. All federal contractors simply self-assessed their performance against the list of NIST controls in an internal audit. However, DFARS Case 2019-D041, the so-called Interim Rule, changed this approach, obligating DoD contractors to complete the NIST SP 800-171 assessment according to a specific Assessment Methodology.
NIST SP 800-171 compliance is a high priority for all existing and potential DoD contractors. First, successfully meeting the NIST security controls assures that the organization can adequately protect CUI in a multi-tier supply chain. Second, it contributes to the general prestige and reliability of the contractor and increases the chances of contract awards. Last but not least, ongoing NIST SP 800-171 compliance is the bridge to successful CMMC certification, which is the ultimate goal for all DoD contractors.
NIST SP 800-171 is the Special Publication that sets recommended standards for protecting the confidentiality of sensitive information held by federal contractors and subcontractors. Specifically, the standard focuses on the protection of CUI, which includes information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government.
NIST SP 800-171 contains security controls for securing controlled unclassified information (CUI) on non-federal networks. In this way, NIST SP 800-171 compliance strengthens the resilience of the whole federal supply chain. It also establishes a unified cybersecurity standard for non-federal organizations. The application of NIST SP 800-171 in the defense sector is regulated by DFARS clause 252.204-7012, which requires DoD contractors and subcontractors to implement the necessary controls and demonstrate adequate information system security. The clause will remain in place through 2026.
NIST SP 800-171 consists of 110 security controls organized into 14 families. The security families cover the most critical areas of organizations’ IT-related policies and practices, including:
Awareness and training
Audit and accountability
Identification and authentication
System and communication protection
System and information integrity
In turn, each of the 110 security controls is designed to detect cybersecurity vulnerabilities or strengthen an organization’s security program. In general terms, proper application of the NIST security controls ensures that the organization’s network, systems, and employees can handle CUI safely. To understand the controls in a broader context, please keep reading our blog.
To assess the contractor’s implementation of NIST SP 800-171 at the corporate and entity level, DoD has developed a standard assessment methodology. The NIST SP 800-171 DoD Assessment Methodology is the strategic assessment of how the contractor implements the mandatory cybersecurity requirements. The methodology provides means to assess the contractor’s implementation of the NIST requirements as a transition to full implementation of the CMMC.
The critical requirement of NIST SP 800-171 compliance is the availability of the System Security Plan (SSP) and documenting the assessment results in the Plan of Action and Milestones (POA&M). The SSP provides an overview of the technology and security processes that the organization possesses. POA&M, in turn, documents NIST requirements the assessed organization failed to meet. Thus, the SSP and POA&M are vital evidence for NIST compliance. Both documents should be uploaded and updated in the Supplier Performance Risk System (SPRS), the source which produces Performance Information (PI) assessments for the DoD.
The NIST Assessment Methodology consists of three levels. These levels reflect the depth of the assessment and the level of confidence in the assessment outcomes. The levels are defined as follows:
Basic assessment is the contractor’s self-assessment based on reviewing and scoring the SSP. Due to the self-performed nature, the basic assessment results in a confidence level of “Low.”
Medium assessment is conducted by authorized DoD assessors who evaluate and score organizations’ SSP and POA&M. The assessment results in a confidence level of ‘Medium’ in the resulting score.
High assessment is the in-depth assessment conducted by authorized DoD assessors. It requires thorough on-site (preferred) or virtual (introduced in response to the COVID-19 pandemic) verification and examination. It also demands that the contractor demonstrate its SSP together with the implemented NIST security requirements. The assessors review your configuration baselines, multi-factor authentication, and other evidence before determining whether NIST SP 800-171 has been applied appropriately. The high assessment builds on the basic assessment and ends with governmental validation that all security requirements have been implemented. The high assessment results in a confidence level of ‘High.’
The NIST SP 800-171 assessment should be conducted every three years unless other factors, such as risks or security-relevant changes, drive the need for more frequent assessment.
As of right now, only basic assessments are conducted, as the DoD is still developing a framework and resources for medium and high assessments.
A special scoring methodology (p.5) is used to provide an objective assessment of NIST SP 800-171 implementation status. Thus, the NIST SP 800-171 DoD Assessment results in a certain score that reflects the net effect of security requirements not yet implemented. Each organization begins the assessment with 110 points. Unconditional implementation of all 110 security requirements results in a maximum possible score of 110. At the same time, for each requirement not met, points are subtracted.
Each of the 110 requirements is worth one, three, or five points:
5-point requirements have a vital effect on network security and, if not implemented, could lead to significant network exploitation or CUI exfiltration (e.g., failure to limit system access to authorized users; inability to control the use of removable media on system components).
3-point requirements have a specific and confined effect on the network’s security and data (such as failure to limit access to CUI or failure to encrypt CUI stored on a mobile device).
1-point requirements have a limited or indirect effect on the security of the network and its data.
To successfully achieve the NIST SP 800-171 self-assessment requirements, the company must comply with all requirements and obtain the maximum score of 110. It is important to stress that the maximum score for a virtual high assessment is reduced from 110 to 100 due to the DoD’s inability to verify the physical controls independently.
Although NIST SP 800-171 has 110 controls, only 109 of them are actually scored. Control 3.12.4, which requires an SSP and a POA&M, has no point value because without these documents the assessment cannot even be completed, “due to incomplete information and noncompliance with DFARS clause 252.204-7012.”
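The scoring rules described above (start at 110, subtract 1, 3 or 5 points per unmet requirement, no score at all when 3.12.4 is unmet) as a small worked example. This is added code, not part of the original post or of any DoD tool; the requirement ids and their point values in SAMPLE_REQUIREMENTS are a constructed sample following the text’s 5/3/1 descriptions, and the official methodology table remains the authority for a real assessment.

```python
from typing import Iterable, Mapping

MAX_SCORE = 110                   # every assessment starts from 110 points
SSP_POAM_REQUIREMENT = "3.12.4"   # unscored, but the assessment cannot complete without it

# Constructed sample for this example: only the requirements the example refers to.
# Point values follow the text's 5/3/1 scheme (vital / confined / limited effect).
SAMPLE_REQUIREMENTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.19": 3,   # encrypt CUI stored on mobile devices
    "3.8.7": 5,    # control the use of removable media
    "3.12.4": 0,   # SSP and POA&M: no point value
}


class AssessmentIncomplete(Exception):
    """Raised when 3.12.4 is unmet: no score can be produced at all."""


def compute_score(requirements: Mapping[str, int], unmet: Iterable[str]) -> int:
    """Subtract each unmet requirement's value from 110; all others count as met."""
    open_gaps = set(unmet)
    unknown = open_gaps - set(requirements)
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    if SSP_POAM_REQUIREMENT in open_gaps:
        raise AssessmentIncomplete("3.12.4 unmet: SSP and POA&M missing")
    return MAX_SCORE - sum(requirements[r] for r in open_gaps)


def poam_priority(requirements: Mapping[str, int], unmet: Iterable[str]) -> list[str]:
    """Order open gaps so the POA&M closes 5-point items before 3- and 1-point ones."""
    return sorted(set(unmet), key=lambda r: (-requirements[r], r))


if __name__ == "__main__":
    gaps = ["3.1.19", "3.1.1", "3.1.3"]
    print("score:", compute_score(SAMPLE_REQUIREMENTS, gaps))        # 101
    print("POA&M order:", poam_priority(SAMPLE_REQUIREMENTS, gaps))  # ['3.1.1', '3.1.19', '3.1.3']
```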
The Interim Rule explicitly requires contractors to submit a summary score into the SPRS enterprise application. After the assessment, the organization uploads its total score. If the score falls short of 110, it must also submit the date by which it intends to reach the maximum score. Contractors should update their scores in SPRS after closing all the security gaps recorded in their POA&M. A typical plan to reach the perfect score is expected to be completed within 9 to 12 months, which is more than enough time to improve the organization’s security posture.
To conclude, the core condition for remaining a reliable DoD contractor is to abide by NIST SP 800-171. Furthermore, adherence to the standard is now an obligatory step toward achieving the appropriate CMMC certification level. Don’t waste time on the way to your next contract award: start assessing your compliance with NIST SP 800-171 now.
For more detailed information about the NIST assessment and the related procedures, please keep reading our blog or consult the Planet 9 team. We’ll be happy to assist.