The US Department of Defense requires that contractors who handle or store Controlled Unclassified Information (CUI) develop a System Security Plan (SSP), complete a NIST 800-171 self-assessment, report their score, and create a plan to correct any gaps.
To report your compliance score, you need to complete a self-assessment of your cybersecurity systems in accordance with the NIST 800-171 Assessment Guidelines.
This process can be extensive and may require support from a cybersecurity professional or consultant. Here is a comprehensive guide to help you through the self-assessment.
Note: If you haven't created a System Security Plan (SSP) for your organization, start with our NIST 800-171 Compliance Checklist, which includes all the information you need.
Step #1 of Self-Assessment: Get a CAGE code
A Commercial and Government Entity (CAGE) code is a five-character alphanumeric identifier used to identify a commercial or government entity.
You will need this code throughout the NIST 800-171 assessment process.
Before you start on your self-assessment, you should apply for a CAGE code from the Defense Logistics Agency (DLA). If your organization has other government contracts, you likely already have a CAGE code and can skip this step.
Organizations outside of the United States and its territories need to apply for a NATO Commercial and Government Entity (NCAGE) code, which works just like a CAGE code.
Step #2 of Self-Assessment: Get an ECA Certificate
If you do not have a Common Access Card (CAC), you will need to secure an External Certification Authority (ECA) certificate.
This certificate is a digital credential that is used to confirm a person’s identity and company affiliation. The government uses this to ensure that only authorized people are accessing DoD information systems.
These credentials cannot be shared, so each individual from your organization who will be accessing the DoD systems will need to apply for their own ECA certificate.
The DoD has two approved suppliers who provide ECA certificates - Operational Research Consultants, Inc. (ORC) and IdenTrust, Inc.
The cost and process for securing an ECA certificate are the same for both. The process can take several weeks, so be sure to work on this early to avoid any delays.
The ECA certificate is not a physical document. It will be provided to you in software form to be stored on your computer hard drive, smart card, or USB security token.
Step #3 of Self-Assessment: Understand The NIST 800-171 Scoring System
There are 110 different controls that are built into NIST 800-171 guidelines and reviewed as a part of the assessment process. The maximum possible assessment score is 110.
Some security controls are more critical than others.
For this reason, each control is weighted differently and worth 1, 3, or 5 points.
The weighting for each control is outlined in Annex A of the NIST 800-171 Assessment Methodology. If a control is insufficient or non-compliant with NIST 800-171 standards, that control's full point value is subtracted from the starting score of 110.
Not having a System Security Plan (SSP) in place is an automatic failure.
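The scoring rule described above is easy to get wrong when tracked by hand across 110 controls, so here is a small scorer that applies it and produces the gap list that feeds the corrective plan. This is an added example, not code from the original page or from NIST or the DoD. The control identifiers, family names and weights in the sample are constructed for illustration only; real weights come from Annex A of the Assessment Methodology, and a real run must be given the complete 110-control inventory.

```python
"""Illustrative NIST SP 800-171 self-assessment scorer (added example).

Scoring rule as the text describes it: start at 110 and subtract the full
weight (1, 3 or 5 points) of every control that is not implemented. A missing
System Security Plan (SSP) is an automatic failure, so no score is produced.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SCORE = 110          # one point-weighted starting score, per the text
CONTROL_COUNT = 110      # number of controls in NIST SP 800-171
VALID_WEIGHTS = (1, 3, 5)


@dataclass(frozen=True)
class Control:
    control_id: str    # requirement number, e.g. "3.1.1"
    family: str        # CUI security requirement family
    weight: int        # points per Annex A (1, 3 or 5)
    implemented: bool  # outcome of examine / interview / test for this control


def validate(controls: List[Control], require_full_set: bool = True) -> None:
    """Reject malformed inventories before they produce a misleading score."""
    ids = [c.control_id for c in controls]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control identifiers in inventory")
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not 1, 3 or 5")
    # A partial inventory hides deductions, so scoring one is an error unless
    # the caller explicitly opts in (as the demo below does).
    if require_full_set and len(controls) != CONTROL_COUNT:
        raise ValueError(f"expected {CONTROL_COUNT} controls, got {len(controls)}")


def compute_score(controls: List[Control], ssp_exists: bool,
                  require_full_set: bool = True) -> Optional[int]:
    """Return the self-assessment score, or None when there is no SSP (automatic failure)."""
    if not ssp_exists:
        return None
    validate(controls, require_full_set)
    deductions = sum(c.weight for c in controls if not c.implemented)
    return MAX_SCORE - deductions


def gap_report(controls: List[Control]) -> Dict[str, List[Control]]:
    """Unimplemented controls grouped by family, heaviest first: the input to the corrective plan."""
    gaps: Dict[str, List[Control]] = {}
    for c in controls:
        if not c.implemented:
            gaps.setdefault(c.family, []).append(c)
    return {fam: sorted(cs, key=lambda c: (-c.weight, c.control_id))
            for fam, cs in gaps.items()}


# Constructed sample inventory (hypothetical weights and outcomes, not Annex A data).
SAMPLE_CONTROLS = [
    Control("3.1.1", "Access Control", 5, True),
    Control("3.1.2", "Access Control", 5, True),
    Control("3.1.20", "Access Control", 1, False),
    Control("3.3.1", "Audit and Accountability", 5, False),
    Control("3.5.3", "Identification and Authentication", 5, False),
    Control("3.14.1", "System and Information Integrity", 5, True),
]

if __name__ == "__main__":
    score = compute_score(SAMPLE_CONTROLS, ssp_exists=True, require_full_set=False)
    print(f"self-assessment score: {score} / {MAX_SCORE}")
    for family, gaps in gap_report(SAMPLE_CONTROLS).items():
        for g in gaps:
            print(f"  gap: {family} {g.control_id} (-{g.weight})")
```

The `require_full_set` guard is the part worth keeping in any real version: a spreadsheet that lists only the controls someone remembered to review will always score higher than the true result.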
Step #4 of Self-Assessment: Conduct The Assessment
To complete your self-assessment, you should compare your existing SSP to the security requirements outlined in NIST Special Publication 800-171A. This document provides clear guidelines for the examination and assessment of each of the 110 security controls.
The security controls are grouped into 14 categories (called CUI Security Requirement Families). During the assessment process, it is recommended that you focus on one family at a time. This will help ensure that your review is focused and thorough.
For example, Access Control is one family made up of 22 individual security controls. Once you have completed a review of this family, move on to the next.
NIST Special Publication 800-171A provides a chart for each security control.
This chart provides a breakdown of the assessment objectives.
Go through each objective list to ensure that you have addressed each.
There are three steps to the assessment process - examine, interview, and test. You should complete each step to validate that there are no potential security risks or gaps.
- Examine (Table D-1) - This is a review of your written documentation such as policies, procedures, and security requirements.
- Interview (Table D-2) - This process includes evaluating your security procedures through discussions with personnel. The goal is to evaluate if they understand their role, to provide clarity, and identify weaknesses from their point of view.
- Test (Table D-3) - Confirm that all of your security safeguards are operating as intended through testing of the systems and processes.
Compare the test results to the anticipated outcomes.
If the controls didn’t work as intended, you will need to address those gaps.
Step #5 of Self-Assessment: Set Up an SPRS Access Workstation
You'll need to access the Supplier Performance Risk System (SPRS) through the Procurement Integrated Enterprise Environment (PIEE).
Because of cybersecurity concerns, the workstation that you use to access PIEE must meet a rigid set of requirements. Make sure to go through them prior to proceeding.
These requirements include hardware and software requirements, downloading an application to read and validate your government credentials, and other security settings.
Step #6 of Self-Assessment: Report Your Score Through SPRS
Once you have calculated your self-assessment score, you will need to report this to the DoD through the Supplier Performance Risk System (SPRS).
- Register with PIEE using your CAGE code (registration instructions).
- Designate your Contractor Administrator (CAM). This step only applies if the person submitting your SPRS self-assessment is someone other than the Electronic Business Point of Contact (EB POC) registered for your organization in SAM.gov. This change can only be authorized by your EB POC through a CAM Appointment Letter.
- Enter your assessment score into the SPRS by following the NIST SP 800-171 Quick Entry Guide.
Follow these steps closely as any mishap along the way can lead to problems down the line. Keep all the documentation and steps taken tracked in a spreadsheet.
Alternative To Step #6: Manually Submit Your Self-Assessment Score
If you are having difficulty with the SPRS site, it is possible to submit your NIST 800-171 self-assessment score manually by email.
- Send an email to firstname.lastname@example.org to request a signed/encrypted email.
- Receive the signed/encrypted email from SPRS support.
- Use the provided key to encrypt your information and return the self-assessment score and other required information to SPRS support via email.
- SPRS support will record the score in the database.
Although we recommend using the site because it is more convenient, you may find yourself in a position where simply emailing is the better choice.
Understanding NIST 800-171 Assessment Levels
There are three levels to NIST 800-171 scoring - basic, medium, and high. Reporting your self-assessed NIST 800-171 score is considered a basic (or low confidence) assessment score. This demonstrates that you have gone through the self-assessment process.
Depending on the type of work that your organization conducts or the level of access to CUI, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) may request a higher-level evaluation. The Defense Contract Management Agency (DCMA) will be conducting a limited number of these each year.
- Medium Confidence Assessment - This level of assessment consists of a thorough review of your System Security Plan (SSP) by specially trained cybersecurity personnel from the DoD’s Program Management Office.
- High Confidence Assessment - If selected for a high confidence assessment, you will be given 30 days’ notice to prepare. This level of assessment is conducted through on-site or virtual review of the implementation of the SSP. This review is extensive and contractors must be able to demonstrate or provide evidence to the assessor that system safeguards are in place and working as intended.
The scoring methodology for both the medium and high confidence assessments is the same as the contractor self-assessment.
Once the assessment is complete, your new score will be updated in SPRS.
Maintain Your NIST 800-171 Compliance & Prepare for the Next Self-Assessment
Reporting your NIST 800-171 compliance score is just the beginning.
Unless your organization has a world-class cybersecurity team and program, it is unlikely that you received a perfect score of 110 points on the assessment.
You should work to improve or correct any deficiencies identified during the assessment.
Also, the self-assessment process must be completed at least every three years. You must keep your SSP up-to-date to address emerging threats or new technologies.
A proactive approach will ensure that you remain NIST 800-171 compliant and prepared for the next assessment.
Because the self-assessment and reporting process can be challenging and confusing, getting started early and engaging a professional will help make it much easier.