DoD to DIB – Let’s See Your NIST 800-171 Score
Have you been working on closing out your POA&Ms? If not, pay attention.
Since NIST 800-171's arrival in 2017, the DoD has been frustrated with its inability to verify contractor compliance with the framework. Self-attestation, perpetual POA&Ms, and no risk of audits have provided little incentive to fully implement all 110 requirements of the framework, and everyone knows it.
In an unexpected act of bluff calling, the DoD has changed the rules again. Starting November 30, 2020, contractors and their subs will need to have a score representing their NIST 800-171 progress published in a federal database before contract award. Plus, the score needs to be accompanied by a date by which all requirements will be implemented. Gulp.
This change is embedded in a DFARS update being referred to as the CMMC Interim Rule. This is the DFARS mod that gives contractual teeth to CMMC and describes its five-year rollout.
NIST 800-171 Impact
Ok, a couple of things here that you’ll need to know about.
There’s a vendor report card system maintained by the government called the Supplier Performance Risk System (SPRS). The government will check this database to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”
This “Assessment” refers to a score generated by performing a specific review of your 800-171 implementation as documented in your System Security Plan. “The NIST SP 800-171 DoD Assessment Methodology provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012.”
Let’s pause here and point out something pretty important. You need to have a System Security Plan to perform this assessment. Seriously. The methodology contains this statement:
“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.”
– NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4
Don’t get caught lying about this one. You’ve got the whole False Claims Act thing to deal with now that you’re representing your progress to the government. If you still need an SSP, we can help.
Right. Now you’ve got your 800-171 score, and you need to actually get that score into the SPRS. “If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to email@example.com”. Details regarding what needs to be included in addition to the score (e.g. CAGE code) are found in the Interim Rule.
If you’re looking to save yourself an 89-page read and hours of work, you can use our 800-171 Scoring Methodology Tool for free. It also provides an email template with your results to submit to the DoD.
The interim rule has also brought about the long-anticipated CMMC clause: DFARS 252.204-7021.
The DoD is implementing a phased rollout of CMMC. Specific contracts (not all of them) will require offerors to achieve a specific CMMC Level. This won’t happen overnight. But, starting on or after October 1, 2025, CMMC will apply to ALL DoD solicitations and contracts.
What does this mean?
Well, CMMC is going to take time (at least 5 years’ time) to roll out to the entire defense industry. They will slowly start to trickle the CMMC clause into specific, selected contracts over the next 5 years. But starting in October of 2025 you can expect to see the CMMC clause in each contract from DoD.
So, while CMMC is absolutely headed this way, we still have roughly five years of NIST 800-171. Time to get that 800-171 SSP up-to-date and those CMMC practices implemented.