To work closely with the Department of Defense (DoD), companies need to handle sensitive data critical to the entire country’s security. As such, they must comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Read on for a breakdown of the top NIST 800-171 assessment tools available to help DoD contractors comply.
Top NIST 800-171 Assessment Tools, Solutions, and Best Practices
Compliance with NIST SP 800-171 is required for all DoD contractors according to the Defense Federal Acquisition Regulation Supplement (DFARS), Clause 252.204-7020. Preliminary assessments, conducted internally or with third-party assistance, can help prepare your company to comply.
The three most impactful tools companies can leverage for NIST 800-171 assessment are:
- The official NIST Assessment Methodology document
- The official NIST Assessment Specifications document
- Professional NIST 800-171 compliance advisory services
Let’s take a look at each resource, then into other critical considerations for DoD contractors.
NIST 800-171 Assessment Tool #1: NIST Assessment Methodology
Aside from the actual NIST SP 800-171 framework itself, the primary tool companies should seek out when preparing for an assessment is the official NIST SP 800-171 DoD Assessment Methodology, Version 1.2. This document breaks down everything companies need to know about the assessment process, including the levels of assessment and scoring matrix used.
Assessments fall into one of three levels: Basic, Medium, or High. Basic refers to self-assessments undertaken by the target company, resulting in a Low confidence level. Medium and High assessments are conducted by DoD personnel, yielding Medium and High confidence, respectively—the latter depending on in-person or virtual verification of all scores. A Basic assessment precedes (and prepares the company for) a High assessment.
Breakdown of the NIST Assessment Methodology’s Scoring System
The scoring at all NIST assessment levels is the same. Points are awarded for implementation of Requirements (110 in total). However, certain controls are weighted and scored differently:
- Five-point deductions – The most critical controls are those that, if missed, could cause significant or system-wide exploitation; these are worth five points. They are:
- Basic Requirements 1.1, 1.2, 2.1, 2.2, 3.1, 4.1, 4.2, 5.1, 5.2, 6.1, 6.2, 7.2, 8.3, 9.2, 10.1, 10.2, 12.1, 12.3, 13.1, 13.2, 14.1, 14.2, and 14.3
- Derived Requirements 1.12, 1.13, 1.16, 1.17, 1.18, 3.5, 4.5, 4.6, 4.7, 4.8, 5.10, 7.5, 8.7, 11.2, 13.5, 13.6, 13.15, 14.4, and 14.6
- Three-point deductions – Slightly less critical controls are those that, if missed, could cause specific or confined effects. These result in a three-point deduction; they include:
- Basic Requirements 3.2, 7.1, 8.1, 8.2, 9.1, 11.1, and 12.2
- Derived Requirements 1.5, 1.19, 7.4, 8.8, 13.8, 14.5, and 14.7
- One-point deductions – Beyond these controls, all other Derived Requirements save two (below) have minor or indirect impacts on overall security; they’re worth one point.
- Variable deductions – Two Derived Requirements can have a critical or less critical impact depending on the extent of their implementation, and their scoring reflects this:
- For Requirement 5.3 (multifactor authentication (MFA)), three points are deducted if only remote and privileged users have MFA; five points are subtracted if no MFA is implemented at all.
- For Requirement 13.11 (FIPS-validated encryption), three points are deducted if encryption does not meet FIPS; five points are subtracted for no encryption at all.
Because point deductions are calculated from a total score of 110, companies with severe flaws in their security infrastructure may end up with a negative point total. For companies seeking out long-term contracts with the DoD, the goal should be scoring no lower than a perfect 110 points.
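To make the scoring matrix concrete, here is an added worked example (not an official DoD or NIST tool) that applies the weights above to a constructed set of assessment findings. It uses SP 800-171 numbering, so the page's "Basic 1.1" is 3.1.1 and "Derived 13.15" is 3.13.15; the status labels and the sample gaps are assumptions made for the illustration.

```python
# Added illustration of the DoD Assessment Methodology scoring described above;
# not an official tool. Statuses: "implemented", "not_implemented", or "partial"
# (partial credit exists only for 3.5.3 and 3.13.11 under the methodology).
from typing import Dict

PERFECT_SCORE = 110  # one point per requirement, 110 requirements in total

FIVE_POINT = {
    # Basic Requirements worth five points
    "3.1.1", "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.4.1", "3.4.2", "3.5.1",
    "3.5.2", "3.6.1", "3.6.2", "3.7.2", "3.8.3", "3.9.2", "3.10.1", "3.10.2",
    "3.12.1", "3.12.3", "3.13.1", "3.13.2", "3.14.1", "3.14.2", "3.14.3",
    # Derived Requirements worth five points
    "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18", "3.3.5", "3.4.5", "3.4.6",
    "3.4.7", "3.4.8", "3.5.10", "3.7.5", "3.8.7", "3.11.2", "3.13.5", "3.13.6",
    "3.13.15", "3.14.4", "3.14.6",
}
THREE_POINT = {
    "3.3.2", "3.7.1", "3.8.1", "3.8.2", "3.9.1", "3.11.1", "3.12.2",    # Basic
    "3.1.5", "3.1.19", "3.7.4", "3.8.8", "3.13.8", "3.14.5", "3.14.7",  # Derived
}
# Variable-weight requirements: 3 points off for a partial implementation, 5 if
# absent. 3.5.3 partial = MFA only for remote/privileged users; 3.13.11 partial =
# encryption in place but not FIPS-validated.
VARIABLE = {"3.5.3", "3.13.11"}

def deduction(req: str, status: str) -> int:
    """Points lost for a single requirement in the given implementation status."""
    if status == "implemented":
        return 0
    if req in VARIABLE:
        return 3 if status == "partial" else 5
    # Every other requirement is either met or not; "partial" counts as not met.
    if req in FIVE_POINT:
        return 5
    if req in THREE_POINT:
        return 3
    return 1  # all remaining Derived Requirements are worth one point

def score(statuses: Dict[str, str]) -> int:
    """Assessment score; requirements absent from `statuses` are treated as met.
    The total goes negative when enough weighted controls are missing."""
    return PERFECT_SCORE - sum(deduction(r, s) for r, s in statuses.items())

# Constructed sample (not real assessment data): a contractor with a few gaps.
SAMPLE_GAPS = {"3.1.1": "not_implemented", "3.5.3": "partial",
               "3.13.11": "not_implemented", "3.3.2": "not_implemented",
               "3.1.3": "not_implemented", "3.2.1": "implemented"}
```

Running `score(SAMPLE_GAPS)` on the constructed findings yields 93; scoring every five- and three-point control as missing shows how a poorly prepared company ends up well below zero.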
NIST 800-171 Assessment Tool #2: NIST Assessment Specifications
Aside from the framework and official assessment methodology, another critical resource for companies is NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. This is the actual assessment framework companies will use to test their controls.
The assessment methodology detailed above does provide a template for reporting across controls, but SP 800-171A details the actual Assessment Objectives measured for each Requirement. For example, most Objectives include language like “determine if,” followed by a set of factors or thresholds that correspond directly to the language within a Requirement (or a sub-Requirement, if applicable). There are also suggested methods for assessing each one.
SP 800-171A is critical for the assessment itself, as the primary text utilized; however, it should also be studied and referenced at all stages of a company’s NIST SP 800-171 implementation.
Breakdown of the NIST SP 800-171 Requirement Families to Assess
Companies need to internalize the NIST SP 800-171 framework during implementation and assessment. Aside from the specific weighted controls detailed above, the broader breakdown of Requirement Families and the Basic and Derived Requirements they house is as follows:
- Access Control – Two Basic and 19 Derived Requirements
- Awareness and Training – Two Basic and one Derived Requirement
- Audit and Accountability – Two Basic and seven Derived Requirements
- Configuration Management – Two Basic and seven Derived Requirements
- Identification and Authentication – Two Basic and nine Derived Requirements
- Incident Response – Two Basic and one Derived Requirement
- Maintenance – Two Basic and four Derived Requirements
- Media Protection – Three Basic and six Derived Requirements
- Personnel Security – Two Basic Requirements (no Derived Requirements)
- Physical Protection – Two Basic and four Derived Requirements
- Risk Assessment – One Basic and two Derived Requirements
- Security Assessment – Four Basic Requirements (no Derived Requirements)
- System and Communications Protection – Two Basic and 14 Derived Requirements
- System and Information Integrity – Three Basic and four Derived Requirements
Companies may emphasize individual Requirement Families as they implement and prepare for assessment, whether based on weighted controls or the sheer volume of controls in a given Family. For example, Families 1 and 13 account for approximately one-third (37) of all Requirements.
NIST 800-171 Assessment Tool #3: Professional Compliance Partner
Aside from resources freely available from NIST, the greatest tool most companies can use to assess and prepare for NIST compliance is a NIST 800-171 compliance advisory partner. Your company may need to work with a third party to validate its reported controls. You might also need assistance with developing or acquiring the necessary infrastructure for all Requirements.
Using a dedicated team of experts from a qualified cybersecurity services provider ensures you are 100 percent ready to report to the DoD if and when it’s required. RSI Security offers robust monitoring, readiness assessment, and implementation services to navigate you through all elements of NIST compliance. We’re a full-service provider dedicated to helping companies secure DoD contracts and ultimately work toward preferred contractor status. With that said…
Considerations Beyond NIST Compliance for DoD Contractor Status
NIST 800-171 compliance is no longer the only DFARS requirement for DoD contractors. The DoD will now require compliance with the Cybersecurity Maturity Model Certification (CMMC) framework for all companies moving forward, per DFARS clause 252.204-7021. The CMMC rollout is still ongoing—as is the initial round of approvals for certified CMMC assessors—and many current DoD contractors will not need to be compliant until 2025.
Sooner or later, your company will need to implement the CMMC to get DoD contracts.
The CMMC is a more robust framework than NIST, as it comprises all 110 Requirements and 61 additional controls (called Practices in the CMMC). These are distributed across 17 Domains, including all 14 Requirement Families and three extras, along with five Maturity Levels. Also, certification can only be granted by a Certified Third Party Assessor Organization (C3PAO).
Professional DFARS, NIST, and CMMC Compliance Advisory Services
Current and future DFARS requirements for DoD contractors are all much easier to meet with professional help. The free NIST 800-171 assessment tools detailed above can be challenging to navigate, and many companies will find optimal ROI in working with a professional, whether they are eligible for self-assessment or not. Also, since future CMMC requirements will formally necessitate working with a third party, getting started now will help minimize later costs.
Contact RSI Security today to get started on NIST SP 800-171, CMMC, and overall DFARS compliance.