The Defense Industrial Base (DIB) sector is a vast business network containing some of the most critical infrastructures in the US. Working in partnership with or for the Department of Defense (DoD) as a contractor can be lucrative, but that comes at the cost of high risks to your own company and the safety of all Americans. That’s why you’ll need to ensure compliance with various DoD cybersecurity frameworks, and the NIST 800-171 assessment methodology is a critical first step in that direction.
Read on to learn more about what NIST 800-171 assessment comprises and why it matters.
NIST 800-171 Assessment Methodology Overview
To achieve preferred contractor status with the DoD, you’ll need to be compliant with the NIST SP 800-171 framework and with several other regulatory texts. There are several assessment levels leading up to full compliance, each of which has its particular methodology.
This guide will break down what you need to know about these assessment methodologies, including:
- What the current methodologies are for assessment at all levels and their scoring
- What the overall NIST SP 800-171 framework comprises and how to ensure compliance
- What other compliance requirements potential DoD contractors need to fulfill, and how
When you’re finished with this article, you’ll know what NIST 800-171 assessment tools and other compliance resources you need to secure preferred contractor status, along with how RSI Security can help.
Regulatory Context for DoD Contractors and Beyond
The National Institute of Standards and Technology (NIST) first published Special Publication (SP) 800-171 to meet requirements laid out in the Federal Acquisition Regulation (FAR). This publication was titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS) specifies that DoD contractors must protect controlled unclassified information (CUI). This includes many documents protected by laws and regulations but that do not have classified status — for example, “law enforcement sensitive” and “for official use only” data.
Furthermore, DFARS clause 252.204-7008 requires protections for another class of information, known as covered defense information. It includes documents specific and critical to military operations, such as use and repair manuals and technical guidance related to weapons and other defense technologies. It also includes miscellaneous sensitive data, like personnel files.
As we’ll dive into below, the NIST SP 800-171 framework and other regulatory guides ensure this information and other sensitive data are fully protected. Assessment methodologies extend these protections by facilitating accurate and efficient compliance enforcement.
Current NIST SP 800-171 Assessment Methodologies
Assessments for NIST SP 800-171 compliance utilize two supplementary documents: DoD Assessment Methodology (Version 1.2) and NIST’s SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” There are three levels of assessment:
- Basic – Contractors can perform a self-assessment of plans and systems pertaining to covered information, following SP 800-171A and both Section 5 and Annex A of the Assessment Methodology. The resulting score offers a “low” confidence level.
- Medium – DoD personnel can perform a medium-level assessment by reviewing plan descriptions to assess the extent to which they meet NIST SP 800-171 requirements. It uses Section 6 of the Assessment Methodology and produces “medium” confidence.
- High – Similarly, DoD personnel can perform the highest level assessment through an onsite visit to the contractor’s physical location or virtually. Both virtual and onsite tests use Section 6 and Annex B of the Methodology document to produce “high” confidence. Still, a complete understanding of risk (i.e., highest confidence) is only possible via an onsite test.
Depending on your company’s specific needs and position and the DoD department’s requirements, you may need to achieve a certain confidence level in your NIST SP 800-171 Assessment. Many companies will start with a basic self-assessment before moving on to the more suitable medium- or high-level ones. The project your company is hired for dictates the confidence level needed.
NIST SP 800-171 Assessment Scoring Methodology
Regardless of the assessment level your company uses to gauge its implementation of NIST SP 800-171, the scoring metrics are the same. Each control successfully implemented in full receives a value of one point, adding up to a total of 110 points for all 110 controls. Nearly all controls are scored either fully or not at all, with partial scoring applicable only to a select few controls and only in exceptional cases. Each control that is missed results in a subtraction.
Specific controls are considered higher leverage than others, resulting in net subtractions of more than one point. These all fall into three distinct categories and respective point totals:
- Failure to implement controls that can directly lead to pervasive, large-scale exploitation of CUI or system compromise can result in a five-point deduction per control.
- Failure to implement controls that can directly lead to negative yet confined impacts on the security of CUI or related systems can result in three-point deductions per control.
- Failure to implement controls related to Multi-Factor Authentication (MFA) or encryption can result in three or five point deductions, depending on the severity and other factors.
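The scoring rules above, worked through as an added example (not code from the original article or from the DoD methodology): start at 110, subtract each unmet requirement’s weight, and apply the reduced deduction only for the few requirements that permit partial credit. The catalog, its weights, and the reported statuses are constructed sample data, not the official weighting table.

```python
from dataclasses import dataclass
from typing import Optional

IMPLEMENTED = "implemented"
PARTIAL = "partial"            # meaningful only where a reduced deduction is defined
NOT_IMPLEMENTED = "not_implemented"
MAX_SCORE = 110                # one point per requirement, 110 requirements in total

@dataclass(frozen=True)
class Requirement:
    control_id: str
    weight: int                            # points subtracted when unmet (1, 3 or 5)
    partial_weight: Optional[int] = None   # reduced deduction when partial credit is allowed

# Constructed sample catalog (hypothetical): a handful of requirements standing in
# for the full 110. Weights illustrate the 1/3/5 tiers and the partial-credit rule
# described above; they are not copied from the official DoD table.
SAMPLE_CATALOG = [
    Requirement("3.1.1", 5),                      # limit system access to authorized users
    Requirement("3.5.3", 5, partial_weight=3),    # multifactor authentication
    Requirement("3.13.11", 5, partial_weight=3),  # FIPS-validated cryptography
    Requirement("3.3.1", 5),                      # audit logging
    Requirement("3.10.4", 1),                     # physical access logs
    Requirement("3.1.20", 1),                     # control connections to external systems
]

def deduction(req: Requirement, status: str) -> int:
    """Points lost for one requirement under the scoring rules."""
    if status == IMPLEMENTED:
        return 0
    if status == NOT_IMPLEMENTED:
        return req.weight
    if status == PARTIAL:
        # most requirements score all-or-nothing: a partial implementation is unmet
        return req.weight if req.partial_weight is None else req.partial_weight
    raise ValueError(f"unknown status {status!r} for {req.control_id}")

def assessment_score(catalog, statuses):
    """Return (score, per-control deductions). A requirement with no reported
    status is treated as not implemented, since only fully implemented
    requirements earn their point."""
    details = {req.control_id: deduction(req, statuses.get(req.control_id, NOT_IMPLEMENTED))
               for req in catalog}
    return MAX_SCORE - sum(details.values()), details
```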
To understand how this scoring system works in the context of the NIST SP 800-171 assessment, it’s helpful to know what the precise controls are and how they fit within the scheme.
Understanding the NIST SP 800-171 Framework
Assessment is the final consideration for NIST SP 800-171 compliance. Before you get ready for assessment, you’ll need to strategically implement the framework and its many controls. As noted above, SP 800-171 comprises 110 total cybersecurity controls, which are labeled “Requirements” within the scheme. These are distributed across 14 “Requirement Families,” domains or cybersecurity categories that interlock to keep all CUI and CDI secure.
Currently, NIST SP 800-171 is in Revision 2, which is up to date as of February 2020. In the framework document, each individual Requirement is accompanied by an explanatory guide offering a descriptive (not prescriptive) example of how it can be implemented.
SP 800-171 Requirement Families and Requirements
The full breakdown of 110 Requirements across the 14 Families is as follows:
- Access Control – This includes controls restricting access to protected information based on authentic user identities, including two Basic and 19 Derived Requirements (21 total).
- Awareness and Training – This includes specific thresholds for staff awareness, achieved through rigorous training, including two Basic and one Derived Requirement (three total).
- Audit and Accountability – This includes protocols for scheduling audits and safekeeping audit logs for accountability, including two Basic and seven Derived Requirements (nine total).
- Configuration Management – This includes controls governing settings installed on software and hardware, including two Basic and seven Derived Requirements (nine total).
- Identification and Authentication – This includes controls specifying the User ID mechanics and credential management, including two Basic and nine Derived Requirements (11 total).
- Incident Response – This includes systematic approaches and architecture required to respond to attacks in real-time, including two Basic and one Derived Requirement (three total).
- Maintenance – This includes protocols for scheduling and procedures for regular and special event maintenance, including two Basic and four Derived Requirements (six total).
- Media Protection – This includes controls building on configuration management for devices pertaining to media, including three Basic and six Derived Requirements (nine total).
- Personnel Security – This includes protocols for recruiting, hiring, onboarding, and movement for staff, including two Basic and no Derived Requirements (two total).
- Physical Protection – This includes proximity-based protections for workspaces and devices connected to CUI or CDI, including two Basic and four Derived Requirements (six total).
- Risk Assessment – This includes controls for monitoring, analyzing, and mitigating known threats and vulnerabilities, including one Basic and two Derived Requirements (three total).
- Security Assessment – This includes protocols for regular internal and external tests of cybersecurity measures and practices, including four Basic and no Derived Requirements (four total).
- System and Communications Protection – This includes controls optimizing the security of all internal and external network traffic, including two Basic and 14 Derived Requirements (16 total).
- System and Information Integrity – This includes protocols ensuring total confidentiality of protected data within systems, including three Basic and four Derived Requirements (seven total).
Critically, these controls are not the only ones prospective DoD contractors will have to implement and assess. There is also another, more comprehensive framework.
Other Requirements for Potential DoD Contractors
If you hope to secure DoD contracts, you’ll also need to achieve Cybersecurity Maturity Model Certification (CMMC). This entails compliance with a new, comprehensive omnibus framework published by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). The CMMC builds on and incorporates all NIST SP 800-171 controls into its scheme, along with several other controls based on NIST and other cybersecurity frameworks.
Critically, the assessment methodology for the CMMC is drastically different from that of NIST SP 800-171, detailed above. Rather than a tiered approach to assessment and trust level assured, the framework involves tiered compliance levels (see below). These levels are assessed and certified by an external entity known as a Certified Third-Party Assessment Organization (C3PAO), which is itself accredited by the CMMC Accreditation Body (CMMC-AB).
How the CMMC Framework Builds Upon NIST SP 800-171
Unlike NIST SP 800-171, which is expected to be adopted wholly and assessed as such, the CMMC framework facilitates adoption across five “Maturity Levels,” with each successive level adding further security:
- Maturity Level 1 – This level focuses on safeguards for Federal Contract Information (FCI) across 17 Practices for “basic cyber hygiene,” with Processes merely “performed.”
- Maturity Level 2 – This level focuses on transitioning to the full protection of CUI across 55 Practices for “intermediate cyber hygiene,” with Processes now “documented.”
- Maturity Level 3 – This level focuses on full CUI and FCI protection across 58 Practices constituting “good cyber hygiene,” with Processes now actively “managed.”
- Maturity Level 4 – This level focuses on shifting from CUI and toward Advanced Persistent Threats (APTs) across 26 “proactive” practices, with Processes now “reviewed.”
- Maturity Level 5 – This level focuses on finalizing or perfecting all CUI and FCI safeguards across 15 “advanced/progressive” Practices and a Process goal of “optimizing.”
Across these levels, companies will implement 171 controls, encompassing all of NIST SP 800-171 (by Level 3) and other controls. These are distributed across “Domains,” which correspond roughly to SP 800-171’s Requirement Families, except for three outliers:
- Asset Management – This builds out further settings and considerations specific to physical devices across two Capabilities and two Practices.
- Recovery – Similar to Incident Response, this builds out protocols for retrieving and protecting lost information across two Capabilities and four Practices.
- Situational Awareness – Building on Awareness and Training, this specifies knowledge specific to the company’s own needs and means in one Capability and three Practices.
Even though the CMMC facilitates adoption with its tiered approach, implementing all of its Practices to full DoD requirements can still be challenging, especially for smaller companies with modest IT budgets. That’s why the best C3PAOs help at all stages, not just assessment.
Professional SP 800-171 Compliance and Cybersecurity
RSI Security offers a suite of DoD compliance services, including flexible and scalable advisory for NIST SP 800-171 assessment and CMMC certification. No matter where you are on your journey toward certification and preferred contractor status with the DoD, we’re happy to help you get to the next step. Our expert team has helped businesses of all sizes win DoD contracts and satisfy all other compliance and cybersecurity needs for over a decade.
First, we help your internal team build out or refresh its cybersecurity architecture up to DFARS specifications. Then, once you’re ready, we’ll walk you through all elements of the assessment.
To recap from above, the NIST 800-171 assessment methodology your company will need to implement for compliance comprises three assessment levels (basic, medium, and high). This can be conducted either internally or with the help of a DoD-approved specialist. Regardless of what level you choose, the scoring matrix stays the same — you’re aiming for a perfect score of 110. To see how simple assessment, compliance, and security can be, contact RSI Security today!