The Defense Pricing and Contracting arm of the Department of Defense has announced the inclusion of the NIST SP 800-171 DoD Assessment in the Supplier Performance Risk System (SPRS) here.

This DoD assessment is meant to fill the gap from TODAY until the full implementation of the Cybersecurity Maturity Model Certification (CMMC) audits, which they expect to take up to five years to full roll-out. But they recognize the threats to the supply chain are here now, and are asking contractors to be ready for assessment by the DoD in the near future.

Three assessment types

• Basic: This is a self-assessment conducted by the organization.
• Medium: Also, a self-assessment, but the DoD will review the Security Plan submitted by the organization for completeness and sufficiency of controls.
• High: A full audit of compliance. This may take place onsite or virtually due to COVID-19 travel restrictions.

The DoD has also released a scoring rubric for the NIST 800-171 assessment. Each organization will start with a score of 110, 1 point for each control in the NIST 800-171 framework, and subtract 5,3, or 1 point for gaps in compliance.

We Can Help

The CMMC Security Catapult was pre-programmed with the NIST 800-171 controls mappings. We have added the scoring rubric to be used by the DoD. The Catapult will walk you through the questions and auditor will ask for each practice, and when you are done you will have:

• Your current score for submission to the SPRS.
• Documentation of how you meet each control.
• Documented remediation for each non-compliance control.
• A custom security policy.
• A custom security plan (a requirement for submission with your SPRS score).