September 8, 2021
Good morning, everyone!
Increased pressure and rampant confusion: NIST 800-171 Self Assessment & SPRS
In the past few weeks, I have encountered many defense contractors and suppliers starting to feel a lot of pressure from primes with respect to NIST 800-171 compliance (due to the interim rule, DFARS 252.204-7019/7020), and rampant confusion about what exactly this means.
I know that many organizations in the DIB are putting off their CMMC preparations, because they think (or hope) it’s going to go away (hint: it isn’t) or that the requirements will be radically changed (hint: they won’t, not radically, at least not for those that handle CUI or export-controlled data).
Regardless of your current stance on CMMC, if you handle CUI, you already have cyber security requirements that you must meet, which pre-date CMMC and which are the current focus of a lot of push from the DoD, and that push is flowing down to subcontractors.
The pressure is on
One large prime contractor is now requiring all subs to fully implement the 31 Basic Controls of NIST 800-171 before receiving any more orders (POAMs no longer allowed on these controls).
Another prime contractor is cutting off subs from receiving electronic CUI if they haven’t updated their expired POAM.
A third prime contractor recently visited a sub for an onsite inspection to see evidence of fully implemented controls, while a fourth prime contractor has reportedly hired additional IT security staff to begin doing onsite inspections.
Yet another prime contractor is requiring all subs to send a screen capture of their self-assessment score as recorded in the SPRS database.
The Defense Logistics Agency (DLA) now requires a self-assessment score recorded in SPRS in order to renew existing DD Form 2345.
Get the jump on your competitors
Businesses that do not continue moving forward to full compliance with NIST 800-171 are going to start losing business. It is happening already. The faster you move towards compliance, the better your chances of getting new orders that might otherwise have gone to a competitor (who isn’t moving as quickly as you on the compliance front).
Rampant confusion: self-assessment considerations you may not be aware of
Aside from the pressure, we are encountering rampant confusion about how to score a self-assessment. There are five main points that are often missed, presumably because people aren't consulting the authoritative sources, namely the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020 (I call this “the Methodology”), and NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information.
(1) You literally cannot self-assess 800-171 for SPRS if you don’t have a current system security plan (SSP). The Methodology states, in section 5(g):
i) Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’
If you have recorded a self-assessment score in SPRS and you don’t have an SSP, you need to write one now. If you have an SSP but it isn't current, you should update it right away. The SSP should match your self-assessment.
(2) The Methodology is a weighted score. Many people assume that each control is worth one point, but this isn't true. Using the Methodology, you begin with a perfect score of 110 and subtract points for each control not fully implemented. Some controls are worth one point, but many are worth 3 or 5 points. It is not unusual for early self-assessment scores to be a negative number! The worst possible score is -203, and scores of -100 or worse are quite common. So don't despair -- record an honest score and get to work closing those POAMs.
(3) A POAM is also required, but you don’t earn points for POAMs. The Methodology states in section 5(g):
ii) Plans of action addressing unimplemented security requirements are not a substitute for a completed requirement. Security requirements not implemented, whether a plan of action is in place or not, will be assessed as ‘not
iii) A lack of plan of action for unimplemented security requirements will result in Security Requirement 3.12.2 being assessed as ‘not implemented.’
So this one is a bit of a double-whammy: Not only do you not get to keep any points for having a POAM for incomplete implementations, you will lose 3 points for 3.12.2 if you don’t have a POAM for every control not fully implemented.
(4) (Almost) no partial points. With two exceptions, any control not fully implemented loses all the points for that control. The two exceptions are Multi-Factor Authentication (3.5.3) and FIPS-validated encryption (3.13.11).
(5) “Fully implemented” means meeting the intent of every single Assessment Objective (AO). In a recent edition of this newsletter, “Understanding the CMMC assessment guides,” I discussed AOs, and I even wrote, “Heads-up: This section is very important.” It is critical to understand that a control is only “Fully Implemented” if every single AO for that control is met. I have seen many inflated self-assessment scores due to not reading the assessment guide, not knowing about or understanding the AOs, and scoring a control as “Fully Implemented” when only some of the AOs have been met.
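To make points (2) through (5) concrete, here is a small scoring model I have added for this edition; it is my own illustration, not code from the Methodology or from SPRS. It starts at 110, treats a control as implemented only when every AO is met, takes the whole weight for anything else except the two partial-credit controls, and charges the 3 points for 3.12.2 whenever an unimplemented control has no POAM. The weight of 3.12.2 is from the text above; the other weights and the two partial-credit conditions are assumptions I have written in from my reading of Annex A of the Methodology, so check them against the document before using them for a real score.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110
POAM_CONTROL = "3.12.2"  # weight 3, as stated in the newsletter
# Constructed sample of weights: 3.12.2 is from the newsletter, the rest are
# Annex A values as I recall them; check them against the Methodology.
WEIGHTS = {"3.1.1": 5, "3.1.20": 1, "3.5.3": 5, "3.12.2": 3, "3.13.11": 5}
# The only partial credit: 3.5.3 (MFA for privileged/remote users only) and
# 3.13.11 (encryption in use but not FIPS-validated) lose 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass
class ControlStatus:
    control_id: str
    ao_met: list                     # one bool per SP 800-171A assessment objective
    has_poam: bool = False
    partial_condition: bool = False  # the 3.5.3 / 3.13.11 partial case applies

    def fully_implemented(self) -> bool:
        return all(self.ao_met)      # point (5): every single AO must be met

def deduction(status, weights=WEIGHTS):
    """Points lost for one control under the Methodology's rules."""
    if status.fully_implemented():
        return 0
    if status.control_id in PARTIAL_DEDUCTION and status.partial_condition:
        return PARTIAL_DEDUCTION[status.control_id]
    return weights[status.control_id]  # point (4): otherwise the whole weight

def sprs_score(statuses, weights=WEIGHTS):
    """Return (score, ids of unimplemented controls that have no POAM)."""
    score, missing_poam = PERFECT_SCORE, []
    for s in statuses:
        lost = deduction(s, weights)
        score -= lost
        if lost and not s.has_poam:
            missing_poam.append(s.control_id)
    # Point (3): any missing POAM makes 3.12.2 'not implemented'. Deduct it
    # only if 3.12.2 was not already counted as unmet above.
    poam_ctrl = next((s for s in statuses if s.control_id == POAM_CONTROL), None)
    if missing_poam and (poam_ctrl is None or poam_ctrl.fully_implemented()):
        score -= weights[POAM_CONTROL]
    return score, missing_poam

SAMPLE = [  # constructed self-assessment, not real data
    ControlStatus("3.1.1", [True, True, True], True),
    ControlStatus("3.1.20", [True, False], True),       # one AO unmet: -1
    ControlStatus("3.5.3", [True, False], True, True),  # MFA partial: -3
    ControlStatus("3.13.11", [False], False),           # no FIPS, no POAM: -5
    ControlStatus("3.12.2", [True, True]),              # met, but point (3) costs 3
]
```

Scoring 3.1.20 as "Fully Implemented" because one of its two AOs is met would hide the 1-point loss, which is exactly the inflation described in point (5).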
This is by no means an exhaustive list of points of confusion, but these are what I consider the most common and critical misunderstandings resulting in incorrect self-assessment scores.
For now, I would say “Go forth, update that SSP and POAM, recalculate your self-assessment score and update SPRS as needed.”
P.S. – Need help? I’m just an email or phone call away!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Glenda R. Snodgrass
The Net Effect, LLC
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!