Compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171 is critical to demonstrating your security posture as a Department of Defense (DoD) contractor—helping you maintain preferred contractor status. NIST 800-171 compliance helps safeguard sensitive information such as Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). Read on to learn all about NIST 800-171 passing scores.
What is a Good NIST 800-171 Score?
NIST 800-171 compliance is scored via the 110 security requirements within the framework (see below). Each implemented requirement represents a single point score, with the highest score possible on a NIST 800-171 DoD assessment being 110 and the lowest possible being -203.
A NIST 800-171 DoD assessment evaluates compliance with the NIST 800-171 requirements and helps improve an organization’s security implementations, as needed. Ideally, a good NIST 800-171 score is one that is as close to 110 as possible. Ultimately, you can think of your NIST score as a reflection of your compliance with NIST 800-171 and your current security posture.
Additionally, what qualifies as a “good” score may depend on the specifics of your contract with the DoD. Some contracts may require a perfect score, whereas others may allow lower scores.
How to Calculate Your Potential NIST 800-171 Score
Scoring of the NIST 800-171 assessment is conducted on a weighted basis because some requirements in NIST 800-171 have a higher impact on the security of CUI than others.
A final score on a DoD NIST 800-171 assessment accounts for certain security requirements differently, weighted by the potential security impact of non-implementation on the integrity of CUI. The more likely and dangerous a breach could be, the bigger the impact on scoring.
The weighted requirements on the NIST 800-171 assessment include all of the fundamental high-level “Basic Security Requirements,” the implementation of which has significant impacts on all of the “Derived Security Requirements.” Furthermore, poor or non-implementation of the high-level NIST 800-171 requirements may result in impactful security vulnerabilities.
Your NIST 800-171 DoD assessment score is calculated by adding the total score from each implemented requirement. Each of the fully implemented 110 security requirements translates into one point, for 110 points total. Any controls that are not implemented result in a subtraction of points from the overall score, and these subtractions are where the weights come into play.
The subtraction of points for the non-implemented requirements is as follows:
- For any high-level “Basic Security Requirements” with a significant impact on security, non-implementation results in a deduction of five points from the total score of 110.
- For “Basic Security Requirements” and “Derived Security Requirements” with a more moderate impact on security, non-implementation results in a deduction of three points.
- For all other “Derived Security Requirements” deemed to have a low impact on security, non-implementation results in a deduction of just one point.
Additionally, two of the “Derived Security Requirements” (i.e., Requirements 3.5.3 and 3.13.11) may be scored as partially effective, even if a contractor has not fully implemented them.
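The weighted scoring just described, as an added worked example (not RSI Security's code or the DoD's official worksheet): each unimplemented requirement deducts its 5/3/1 weight from 110, and only 3.5.3 and 3.13.11 may be scored as partial. The 3-point deduction used for a partial score, and the per-requirement weights in the sample, are assumptions made for illustration; the official values come from the DoD assessment methodology annex.

```python
"""Weighted score calculator for the NIST SP 800-171 DoD assessment
method described above (added example, not RSI Security's code)."""
from dataclasses import dataclass

MAX_SCORE = 110  # one point for each of the 110 requirements

# The page says 3.5.3 and 3.13.11 may be scored as partially effective.
# Deducting 3 instead of 5 for them is an assumption taken from the DoD
# methodology's partial-credit rule; the page itself gives no figure.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class Finding:
    req_id: str   # requirement number, e.g. "3.1.1"
    weight: int   # 5 = basic/high impact, 3 = moderate, 1 = low
    status: str   # "implemented", "partial" or "not_implemented"

def deduction(f: Finding) -> int:
    """Points removed for one requirement under the 5/3/1 weighting."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 5, 3 or 1")
    if f.status == "implemented":
        return 0
    if f.status == "not_implemented":
        return f.weight
    if f.status == "partial":
        if f.req_id not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{f.req_id}: only 3.5.3 and 3.13.11 may be partial")
        return PARTIAL_CREDIT_DEDUCTION[f.req_id]
    raise ValueError(f"{f.req_id}: unknown status {f.status!r}")

def score(findings: list) -> int:
    """110 minus all weighted deductions; unlisted requirements count as implemented."""
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("a requirement appears more than once")
    return MAX_SCORE - sum(deduction(f) for f in findings)

# Constructed sample worksheet; the weights are illustrative placeholders,
# not the official per-requirement values.
SAMPLE = [
    Finding("3.1.1", 5, "implemented"),       # no deduction
    Finding("3.1.2", 5, "not_implemented"),   # -5
    Finding("3.3.1", 5, "not_implemented"),   # -5
    Finding("3.5.3", 5, "partial"),           # -3 rather than -5
    Finding("3.13.11", 5, "partial"),         # -3 rather than -5
    Finding("3.7.1", 3, "not_implemented"),   # -3
    Finding("3.12.3", 1, "not_implemented"),  # -1
]
```

For the constructed sample, `score(SAMPLE)` returns 90 (110 minus 20 points of deductions); an empty worksheet scores the full 110.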
Working with a NIST 800-171 compliance partner will help you determine the most effective way to score your NIST DoD assessment.
What to Expect in Your First NIST 800-171 Score?
The NIST 800-171 score range could be anywhere from -203 to 110 after your first assessment. Organizations with more mature security infrastructure in place are more likely to approach 110 on the first attempt, but even an effective system might not meet the specific requirements of NIST SP 800-171. It’s not uncommon to score significantly lower on your first attempt.
Ultimately, it all depends on your overall level of implementing the NIST 800-171 requirements.
Ideally, you should first conduct a NIST 800-171 self-assessment to internally evaluate your implementation of the weighted NIST 800-171 requirements before any external testing.
How to Achieve a Higher NIST 800-171 Score?
In some cases, your initial NIST 800-171 score may be less than ideal for your NIST 800-171 compliance goals. However, this should not cause panic, as there are several ways to improve your NIST 800-171 score and strengthen your security posture for all CUI processing.
Here’s how to achieve a higher NIST 800-171 score:
- Conducting an internal gap assessment based on the NIST 800-171 DoD assessment methodology will help you strategically identify vulnerabilities in security implementation
- Optimizing NIST 800-171 compliance tools will help you:
- Understand the NIST 800-171 compliance requirements
- Develop the right tools to achieve a NIST 800-171-compliant infrastructure
- Implementing a NIST 800-171 checklist will help you develop specific controls to meet NIST 800-171 compliance based on the types of CUI or CDI you handle
In some cases, it is best to outsource NIST 800-171 compliance services from a leading NIST 800-171 compliance partner, who can guide you to a passing NIST 800-171 score.
NIST 800-171 Scoring Methodology
Prior to achieving NIST 800-171 compliance, you must understand how the NIST 800-171 assessment methodology works. The NIST 800-171 DoD assessment methodology is based on the NIST 800-171A “Assessing Security Requirements for Controlled Unclassified Information” and enables strategic assessment of contractors’ compliance with NIST 800-171 requirements.
The NIST 800-171 DoD assessment consists of three levels at which compliance is evaluated:
- At the first level, contractors can conduct basic NIST 800-171 self-assessments of their systems to achieve self-generated “low” confidence scores
- Assessments at the medium level result in “medium” confidence scores, following a designated DoD official’s evaluation of:
- A contractor’s NIST 800-171 self-assessment score
- Documents provided by the contractor
- Assessments at the highest level lead to “high” confidence scores, following a designated DoD official’s evaluation of:
- A contractor’s NIST 800-171 self-assessment score
- Documents provided by the contractor
- The security plans provided by the contractor as evidence of NIST 800-171 compliance
It is critical to engage with the DoD official conducting the medium and high-level NIST 800-171 assessments to understand how best you can improve your overall implementation of NIST 800-171 security requirements. Beyond that, consulting with a NIST 800-171 compliance expert on the NIST 800-171 assessment outcomes will help improve future assessment scores.
What Are the NIST 800-171 Requirements?
At present, NIST 800-171 comprises 14 families of security requirements, for a total of 110 requirements. The 110 NIST 800-171 requirements provide comprehensive guidelines to help DoD contractors safeguard the confidentiality of CUI within their systems.
The goal of the NIST 800-171 requirements is to minimize security risks across various business and operational environments, ensuring CUI is protected at all times.
The 14 families of NIST 800-171 security requirements are broken down as follows:
- Implement access controls to govern the use of systems containing CUI
- Develop protocols for security awareness training
- Periodically audit systems to ensure accountability
- Establish secure configurations for all systems
- Implement access control to verify and authenticate user identity
- Establish incident response protocols to address potential threats to defense information
- Conduct routine maintenance on systems involved in processing CUI
- Safeguard all forms of media containing CUI
- Implement access controls for personnel with access to CUI
- Restrict physical access to assets containing CUI
- Evaluate the risks to processes involved in storing or transmitting CUI
- Assess the effectiveness of security controls
- Protect the sensitivity of communications across the organization
- Maintain system integrity by promptly identifying and addressing security vulnerabilities
Compliance with the NIST 800-171 requirements will help you develop and maintain robust, secure systems and enable strategic optimization of the controls used in handling classified defense information. Additionally, the NIST 800-171 requirements will help you establish a NIST 800-171 security baseline when it comes to protecting the various categories of CUI and CDI.
Do You Know Your NIST SP 800-171 Score?
Knowing your NIST SP 800-171 score as a DoD contractor will help minimize any security risks to the CUI or CDI you process, store, or transmit. A NIST 800-171 compliance partner will help optimize your preparedness for NIST 800-171 assessments, ensuring you achieve a NIST 800-171 passing score—ideally a perfect 110. Contact RSI Security today to learn more!