Overview of the DoD NIST 800-171 Assessment Methodology
The DoD created the NIST assessment methodology to better regulate and assess contractors with the current DFARS cybersecurity requirements. Per 2016 updates to the Department of Defense Federal Acquisition Regulation Supplement (DFARS), Department of Defense contractors that process Covered Defense Information (CDI, a subset of Controlled Unclassified Information, CUI) on their internal IT systems are directed to provide “adequate security” for that information while under their control. The DFARS specifies the controls listed in the National Institute of Standards and Technology Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations—NIST 800-171—as the required set of cybersecurity safeguards that provide that adequate security. (Whew, welcome to the acronym soup that is cybersecurity!) For more information on what it means to comply with this directive, see our Cybersecurity 101 online edu-series on DFARS compliance.
One of the problems that has plagued this DFARS directive was that the DoD had no way to hold contractors accountable to the 800-171 requirements. Essentially, by signing a DoD or prime contract, the contractor attested to the implementation of the requirements and having performed a self-assessment. Contractors knew that eventually the DoD would have to get serious about conducting objective assessments of contractor’s cybersecurity programs, but we’ve been in the dark about the DoD’s plans. Until recently…
DoD Releases Assessment Methodology to Score Cybersecurity Programs
On November 7th 2019, the DoD released version 1.0 of its NIST 800-171 Assessment Methodology:
This NIST assessment methodology is something many of us have been anticipating since Ms. Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment, issued a memo tasking the Defense Contract Management Agency (DCMA) with auditing DoD contractors’ implementation of the requirements in NIST 800-171. DCMA, along with the Defense Counterintelligence and Security Agency (DCSA, formerly the Defense Security Service, DSS) conducted a pilot assessment program in Q1/Q2 2019 of a dozen or more prime DoD contractors. The results of this pilot program informed the development of this risk assessment methodology, which we contractors can now adopt as a standard for self-assessment and use in preparation for the coming DCMA/DCSA audits.
Highlights of the Assessment Methodology
The NIST 800-171 Assessment Methodology document describes the background and purpose of the method, but in this blog we’ll focus on an overview of how the scoring and reporting system works:
- Each facet of a contractor organization covered by a CAGE code must be tied to an IT System Security Plan (SSP). The SSP is like a set of blueprints for the organization’s cybersecurity program.
- Each SSP will be evaluated against a scoring rubric, with a maximum score of 110 possible.
- A perfect score is 110—indicating a robust set of policies and technical implementations as described in the SSP
- Each of the 110 controls in 800-171 is assigned a “weighted subtractor” value; non-compliance with that control means the assigned value is subtracted from 110
- Some controls are worth 5 points, some 3, and some 1. This means that a negative score is possible!
- There are 42 controls worth 5 points, which include:
- The 17 basic safeguards required of all Federal contractors’ IT systems, as outlined in the FAR Clause 52.204-21, and
- Other controls that “would allow for exploitation of the network and its information.”
- There are 14 controls worth 3 points, which if not implemented “have a specific and confined effect on the security of the network and its data”
- The remaining 54 controls are worth 1 point
- Two of the controls, 3.5.3 (multi-factor authentication) and 3.13.11 (FIPS-validated cryptography), are worth either 5 or 3 points, depending on the level on non-compliance
- If the organization does not have an SSP, no score is possible. We’d say treat no SSP as a zero out of 110.
- There are 42 controls worth 5 points, which include:
- To self-assess, the organization evaluates its compliance with each of the 110 controls. For each control that does not meet the requirements prescribed by 800-171, subtract the weighted subtractor (either 5, 3, or 1) from 110. The score result at the end of the assessment will be a number, such as “95”.
- The score results will be submitted for inclusion in the DoD’s Supplier Performance Risk System (SPRS). SPRS is “protected” and only visible to “DoD” personnel. Submissions are supposed to go via encrypted email [email protected], but the Assessment Methodology doesn’t indicate how you’re supposed to encrypt. We recommend holding off on sending anything until instructed by your contract officer or Prime contractor.
- For SSPs with a score of less than 110, the DoD expects the organization to determine when they will reach 110 and be fully compliant. Essentially this will be the date your Plan of Actions and Milestones (POA&M, the cybersecurity program “get well plan”) is fully executed.
- The following elements are expected in the score submission:
System Security Plan Name
CAGE codes covered by this plan
Brief description of the plan architecture
Date of assessment
Date score of 110 will be achieved
<one row for each SSP>
Cybersecurity Scoring with the Assessment Methodology Template
We’ve developed a basic scoring worksheet based on this assessment methodology available for download (check below). We’ve translated the 110 controls into layman’s terms, in the form of a single question for each control. To use the worksheet, work your way through answering “Yes” or “No” to each question, indicating if your organization is compliant (Yes) or non-compliant (No) with the control. Questions answered “No” have the weighted subtractor value subtracted from 110. The total score is displayed at top right. You can present this score to the contracting officer or Prime contractor as part of the table above.
The DoD 800-171 Assessment Methodology also describes three levels of “confidence” in the results of the NIST assessment:
- Low—contractor self-assessment of SSP using Methodology
- Medium—DoD review of SSP using Methodology
- High—DoD on-site review of SSP and execution of assessment techniques listed in 800-171A/B
We’ll describe these more in detail in an upcoming blog. For now, know that our Assessment Scoring Worksheet (built off the DoDs assessment methodology) allows a contractor to generate an artifact that would support a “Low” assessment confidence level.