What exactly is a NIST 800-171 Basic Assessment?

The Basic Assessment is a contractor's self-assessment against NIST 800-171. It is based on a review of the System Security Plan (SSP) associated with the covered contractor information system(s) and is carried out in accordance with the Department of Defense Assessment Methodology, "Assessing Security Requirements for Controlled Unclassified Information." Because the Basic Assessment is self-generated, the confidence level in the resulting score is "Low." Assessments conducted by DoD-designated assessors result in higher levels of confidence.

To begin preparing for the Cybersecurity Maturity Model Certification (CMMC), you must first self-assess your firm against NIST 800-171. Previously, DoD contractors merely had to self-certify that they adhered to all 110 security requirements in NIST 800-171. All DoD contractors must self-assess against NIST 800-171 by November 30, 2020, and report a score to the Supplier Performance Risk System (SPRS). In this guide we cover what you need to know about NIST 800-171, the NIST 800-171 self-assessment, and the actions you can take to complete the assessment and develop a scalable, evidence-driven compliance strategy.

Is a NIST 800-171 Basic Assessment required?

If you are a member of the Defense Industrial Base (DIB), yes. According to the DFARS Interim Rule, the DoD will include two new DFARS clauses in DoD contracts as of November 30, 2020, which will require contractors to perform the NIST 800-171 Basic Assessment and submit a score to the Supplier Performance Risk System (SPRS), among other documents, as a condition for contract award.

The DoD will ask select contractors to complete a NIST 800-171 Medium or High Assessment, which is conducted by DoD officials trained to follow DoD policies and procedures. The DoD performs these evaluations on site or remotely to determine whether a contractor's controls were actually implemented.

What is the Department of Defense Assessment Methodology?

The DoD Assessment Methodology is a scoring methodology that enables the DoD to strategically analyze a contractor's NIST 800-171 implementation. It is used only for evaluation and adds no further controls. NIST SP 800-171 itself defines the security requirements that any nonfederal information system must meet in order to store, process, or transmit Controlled Unclassified Information (CUI), and to protect such systems.

Complexity should not be an impediment.

Manufacturers may at first consider the cybersecurity requirements for government contracts to be overly complex, especially if their operations are small. However, by using available resources, including local MEP Centers, manufacturers can find that it is possible to achieve and maintain DFARS compliance by implementing the NIST SP 800-171 requirements, opening up opportunities for financially rewarding and reputation-boosting government contracts.