NIST Risk Assessment Methodology
The United States Department of Defense (DoD) created the National Institute of Standards and Technology (NIST) assessment methodology to better assess the compliance of contractors with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements.
The latest update to the Department of Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7102) was published in 2016, which applies to DoD contractors who process Controlled Unclassified Information (CUI).
These contractors must demonstrate that they can provide adequate security for the CUI under their control throughout the system development life cycle.
DFARS 252.204-7012 specifies the controls listed in the NIST SP 800-171 entitled Protecting Controlled Unclassified Information in Non-federal Systems and Organizations. These controls are a set of safeguards that provide adequate security for CUI.
However, DFARS doesn’t provide a means of holding contractors accountable for meeting NIST 800-171 requirements. Contractors who signed a DoD contract initially needed only to attest that they had performed a self-assessment to ensure they had a plan to implement these requirements. It wasn’t until 2019 that the DoD got serious about conducting objective qualitative and quantitative assessments of the security profile of its contractors.
If you need to meet DFARS compliance guidelines, you must implement all of the NIST 800-171 controls to avoid business impact.
Risk Management Framework
The DoD released version 1.0 of its NIST 800-171 Assessment Methodology on November 7th, 2019. Version 1.2.1 is the current version, which was released on June 10, 2020. Contractors first anticipated such a risk assessment methodology in January 2019, when Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment, tasked the Defense Contract Management Agency (DCMA) with auditing the compliance of DoD contractors with the requirements of NIST 800-171.
DCMA and the Defense Counterintelligence and Security Agency (DCSA) conducted a pilot program during the first half of 2019 to assess the compliance of at least a dozen prime DoD contractors. This security program resulted in the development of the current methodology, which contractors use as the standard for risk level assessment and to prepare them for upcoming DCMA/DCSA audits.
It’s important to note that the assessment only measures the extent to which the company has implemented NIST 800-171 requirements. It doesn’t evaluate the specific approach that the contractor uses to implement those regulatory requirements within its operational environment. All solutions that provide the required functionality are equally acceptable in this risk model.
NIST SP 800-171 DoD Assessment Methodology
The NIST SP 800-171 DoD Assessment Methodology enables DoD to strategically assess a contractor’s baseline control implementation of NIST 800-171 on existing contracts, using the NIST SP 800-171A assessment guide. It includes DFARS clause 252.204-7012, and the summary scores of the strategic risk determination that the DoD completes will reflect these components. NIST 800-171 describes its security requirements in section 3.
The NIST 800-171 assessment methodology provides a more practical approach to identifying residual risk than performing a separate risk assessment process on the identified risks of each contract.
Scoring
Contractors must obtain a Commercial and Government Entity (CAGE) code from the Defense Logistics Agency (DLA) to perform business functions with the U.S. federal government and submit a NIST SP 800-171 assessment. This identifier consists of five alphanumeric characters that support a variety of procurement processes, which they must submit to the Supplier Performance Risk System (SPRS). Direct DoD contractors should already have a CAGE code, but those further down the supply chain may need to acquire one.
Contractors outside the U.S. and its territories can acquire a NATO CAGE (NCAGE) code, which serves the same purpose. Each CAGE code must be tied to an IT System Security Plan (SSP) outlining the contractor’s risk management process.
The maximum score that an SSP can receive is 110 points, which is the number of security controls described in NIST 800-171. Each of these controls has a weighted value that’s subtracted from the starting score of 110 if the contractor doesn’t have the control implemented and has the supporting documentation such as policy and procedure for each control.
The value of each control is either one, three, or five points, with the lowest possible score being -203. This characterization of weighted values reflects the criticality and potential impact of each security control on the information system and the data it creates, stores, and processes.
Forty-two of the controls are each worth five points, which include the 17 safeguards that all federal contractors need as described in FAR Clause 52.204-21. There are also 25 other controls worth five points since they allow a network and its data to be exploited. Fourteen controls are worth three points each because they have specific effects on the security of networks and their data, and another 52 controls are worth one point each. The remaining two controls include multi-factor authentication (MFA) and Federal Information Processing Standards (FIPS)-validated cryptography, which is worth three or five points, depending on the SSP’s level of noncompliance for these controls for protecting sensitive information technology assets.
Section 3.5.3 of NIST SP 800-171 is the requirement for multi-factor authentication, which includes local and network access to privileged accounts as well as network access to non-privileged accounts. This requirement is worth five points, which must be deducted if the contractor doesn’t implement MFA on any operating system. It’s worth three points if MFA is implemented for remote and privileged users, but not general users.
Section 3.5.3 is the requirement to employ FIPS-validated cryptography when used to protect the confidentiality of CUI. This requirement is worth five points if the contractor has tested and validated the cryptography to meet FIPS 140-1 or-2 requirements.
No score is possible if the contractor doesn’t have an SSP at all. The SSP’s final score is the resulting number after subtracting the values for all of the non-complying controls from 110. Only DoD personnel can view a contractor’s scores after they’ve been submitted to the SPRS.
Contractors with SSPs that receive a score of less than 110 should determine when their SSPs will be fully compliant with a perfect score of 110. This date will essentially be when the contractor’s Plan of Actions and Milestones (POAM) is fully executed.
NIST SP 800-171 methodology Scoring Template
Cybersecurity companies like Beryllium InfoSec Collaborative have developed templates that allow contractors to score themselves according to the NIST SP 800-171 methodology. This template translates the original wording of the 110 controls for this methodology into common language.
Each item requires the contractor to answer at least one “Yes” or “No” question, such that a “Yes” answer indicates the contractor is compliant. While a “No” answer means the contractor isn’t compliant. For each “No” answer, subtract the appropriate number of points from the initial score of 110. The contracting officer or prime contractor will receive this score as part of the assessment results.
The results of this impact analysis will also include the level of confidence for the assessment as described by the DoD 800-171 Assessment Methodology. This document describes three confidence levels, consisting of low, medium, and high. An assessment result from a contractor performing a self-assessment of its own SSP using the 800-171 methodology has a low level of confidence. A DoD review of the contractor’s SSP that uses this methodology has a medium level of confidence. An on-site DoD review of the SSP that uses the A/B assessment techniques described in NIST 800-171 has a high level of confidence.
Results Format
Once contractors have completed the assessment against threat sources, they’ll need to document the results and send them to webptsmh@navy.mil in an encrypted format.
This risk assessment report must include the cybersecurity standard the contractor used, which is currently NIST SP 800-171 Rev 2. It will also need to specify the organization that conducted the assessment, which could be the contractor or a third party.
In the case of a self-assessment, contractors need to provide their CAGE codes. The contractor must also map each CAGE code to its appropriate SSP.
Contractors also need to provide the assessment’s scope in the results document. This includes the identification of each SSP as described by security requirement 3.12.4 in NIST 800-171.
The contractor may also need to provide a brief description of each SSP if it has more than one.
Additional required items in the results document include the date the assessment was completed.
The summary score is also needed, but not the individual values of each control. If the summary score is less than 110, the contractor must also provide a date when it expects full compliance based on the information in the SSP.
Do You Need to Be DFARS 252.204-7012 Compliant?
Beryllium’s expertise in providing NIST information and guidance on organizational risk extends to businesses of all sizes, from small to medium businesses (SMBs) to enterprise organizations. We build customized, cost-effective security solutions that prepare our clients for compliance and certification for Cybersecurity Maturity Model Certification (CMMC). We also help stakeholders test their current information security risk while building new networks that use the latest risk mitigation techniques. We also offer cyber security training and education around topics like insider threats for clients whose business processes are affected by NIST 800-171 controls.
Do you need to be DFARS 252.204-7012 compliant? Contact us today to learn more about how to implement NIST 800-171 controls so that you can avoid fines and maintain your eligibility for future DoD contracts.