A Complete NIST Guide
NIST SP 800-171 Scoring Methodology
In June 2020, the Department of Defense (DoD) released Version 1.2.1 of the NIST SP 800-171 DoD Assessment Methodology (the Scoring Methodology). It gives the DoD and its contractors a standard way to measure how completely a contractor has implemented NIST SP 800-171, the National Institute of Standards and Technology (NIST) standard underlying the DoD's supply chain cybersecurity requirements. Additionally, as of November 30, 2020, many contractors throughout the Defense Industrial Base (DIB) need to perform a self-assessment and submit the results to the DoD.
Meanwhile, organizations who are part of the DIB supply chain also need to determine their Cybersecurity Maturity Model Certification (CMMC) level and possible compliance gaps they need to remediate. As the DoD continues to enhance security throughout its supply stream, companies of all sizes need to know their responsibilities and establish strategies for meeting new compliance requirements.
What is the Interim Rule?
On September 29, 2020, the DoD published “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)” (the Interim Rule) in the Federal Register. The Interim Rule supports the DoD’s decision to standardize cybersecurity practices within the DIB supply chain, noting:
DOD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
Further, the Interim Rule’s “Background” section explains that the rule implements both the NIST SP 800-171 DoD Assessment Methodology, used to assess contractor implementation of the security requirements, and the CMMC framework.
The Interim Rule and NIST 800-171 DoD Assessment Methodology
As part of this implementation, companies need a current NIST SP 800-171 DoD Assessment on record, where current means not more than three years old, to be considered for a contract award. Companies must complete an assessment for each covered contractor information system relevant to the offer, contract, task order, or delivery order. Once completed, contractors submit the summary-level score for each system security plan, along with the assessment date and the date by which a full score of 110 is expected, to the Supplier Performance Risk System (SPRS).
The contracting officer needs to include the Notice of NIST SP 800-171 DoD Assessment Requirements (DFARS 252.204-7019) in solicitations and contracts unless the solicitations are solely for commercially available off-the-shelf (COTS) items.
The Interim Rule and CMMC Compliance
As part of implementing the Interim Rule, companies managing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) need to work towards meeting CMMC compliance. The Interim Rule notes, “The NIST SP 800-171 DoD Assessment and CMMC assessments will not duplicate efforts from each assessment, or any other DoD assessment.” This statement implies that organizations needing to certify at CMMC Levels 3 or above can incorporate their Scoring Methodology self-assessment as part of that process.
The Interim Rule also makes contractors responsible for “information flow down to its subcontractors in a multi-tier supply chain.” This statement places the governance burden on contractors who need to ensure that their subcontractors obtain and maintain the appropriate CMMC Level certification.
Finally, the Interim Rule adds a new DFARS subpart, Subpart 204.75 that directs contracting officers to verify offerors’ and contractors’ CMMC certification in SPRS.
What is the NIST SP 800-171 DoD Assessment Methodology?
The Scoring Methodology document outlines why the DoD requires assessments and how the scoring works.
Strategic Assessment of Contractor Implementation
The DoD plans to use the Assessments for current and future contracts that include DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” With the Scoring Methodology, the DoD seeks to establish standard metrics for assessing contractors’ implementation of SP 800-171 without adding any new security requirements. The DoD applies the Scoring Methodology to its prime contractors and encourages primes to use it to assess their own subcontractors.
Levels of Assessment
As part of its strategic approach to managing DIB supply chain risk, the DoD established three assessment levels (Basic, Medium, and High) that differ in the depth of review and therefore in the confidence the DoD places in the resulting score.
Basic Assessments are self-assessments. Using the system security plan for each covered contractor information system, the contractor documents its current implementation of the 110 requirements, calculates a summary-level score, and submits it to SPRS. Because these scores are self-generated and not verified by the DoD, they carry a “Low” confidence level.
Trained DoD personnel, primarily Program Management Office (PMO) cybersecurity staff, conduct Medium Assessments. They review the contractor’s system security plan and discuss with the contractor how each requirement is described and implemented. Because a Medium Assessment reviews the documentation without verifying implementation through evidence or demonstration, it yields a Medium confidence level.
Although On-Site High Assessments are the preferred method, the DoD recognizes the health risks related to the continuing COVID-19 pandemic, which is why it also offers a virtual option. Trained DoD personnel conduct High Assessments, requiring contractors to provide evidence or demonstration of their system security plan and its implementation. Examples of evidence include:
- Recent scanning results
- System inventories
- Configuration baselines
- Demonstration of multifactor authentication
A High Assessment validates the contractor’s Basic Assessment responses, so contractors need a Basic Assessment on record first. It goes beyond the document review and discussion of a Medium Assessment by verifying the evidence above, which is why it carries the highest confidence level.
How does the NIST SP 800-171 Scoring Methodology Work?
Under the Scoring Methodology, a perfect score is 110 points, one for each of the 110 security requirements. However, instead of starting at zero and awarding points for each requirement that is in place, the methodology starts at 110 and subtracts points for each requirement the organization has not implemented.
Types of Security Requirements
The Scoring Methodology takes its security requirement types from NIST SP 800-171.
NIST SP 800-171 notes that protecting CUI starts with the Basic Security Requirements, which are taken from the minimum security requirements in Federal Information Processing Standard (FIPS) Publication 200. NIST SP 800-171 describes these requirements as “the high-level and fundamental security requirements for federal information and systems.”
Derived Security Requirements supplement the Basic Security Requirements and come from security controls listed in NIST SP 800-53. NIST 800-53 notes:
derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack.
Derived Security Requirements act as controls that support the effectiveness of the Basic Security Requirements.
In keeping with the Cybersecurity Maturity Model Certification (CMMC) process, the Scoring Methodology is not a risk assessment but an implementation status assessment. In other words, it measures how complete a contractor’s NIST 800-171 implementation is. The methodology gives credit for partial implementation in only two cases: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). Everywhere else, a partially implemented requirement scores as unimplemented, so organizations need to fully implement all 110 security requirements to reach a score of 110.
Since every requirement is expected to be implemented, the Scoring Methodology subtracts points for unimplemented requirements rather than awarding points for implemented ones. For example, all organizations start with a score of 110. Assume that a company lacks a requirement valued at 1 point. The methodology deducts that point from 110, giving the company a score of 109.
The Scoring Methodology states that it does not prioritize the requirements, but it recognizes that some have a greater impact on the security of a system than others. It therefore assigns each requirement a weighted value of 5, 3, or 1 point, and that weight is what is deducted when the requirement is not implemented.
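To make the subtraction concrete, here is an added Python scorer (not DoD’s or NIST’s code) that applies the rule above to a system security plan’s status table. The partial-credit rule for 3.5.3 and 3.13.11, and the fact that an assessment cannot be completed without a system security plan (3.12.4), come from the methodology; the weight table in the block is a constructed subset, so a real score needs all 110 weights from the methodology’s scoring table.

```python
"""Score a NIST SP 800-171 DoD Assessment the way the Scoring Methodology
counts: start at 110 and subtract each unimplemented requirement's weight.

Added illustration, not DoD or NIST code. SAMPLE_WEIGHTS is a constructed
subset; load the full 110-requirement table for a real score.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110

# The two requirements the methodology scores with partial credit: a partial
# implementation costs 3 points instead of the full 5.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote/privileged access only, not for all users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}

# An assessment cannot be completed without a system security plan (3.12.4),
# so it is treated as a prerequisite rather than a weighted requirement.
SSP_REQUIREMENT = "3.12.4"

# Constructed subset of the weight table (assumption for this example): the
# 5-point rows mirror Basic Security Requirements listed on this page; the
# 3- and 1-point rows stand in for the rest of the table.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.2.1": 5, "3.2.2": 5, "3.3.1": 5,
    "3.4.1": 5, "3.4.2": 5, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.13.11": 5, "3.12.2": 3, "3.1.3": 1, "3.1.4": 1,
}

VALID_STATUSES = {"implemented", "partial", "not implemented"}


@dataclass
class ScoreResult:
    score: int
    deductions: dict = field(default_factory=dict)  # requirement -> points lost

    @property
    def perfect(self) -> bool:
        return self.score == MAX_SCORE


def score_assessment(status: dict, weights: dict = SAMPLE_WEIGHTS) -> ScoreResult:
    """Compute the summary-level score for one system security plan.

    `status` maps requirement IDs to "implemented", "partial" or
    "not implemented". A requirement missing from `status` is treated as not
    implemented, which is the conservative reading an assessor would take.
    """
    if status.get(SSP_REQUIREMENT) != "implemented":
        raise ValueError(
            f"{SSP_REQUIREMENT} (system security plan) is missing; "
            "the assessment cannot be completed"
        )
    deductions = {}
    for req, weight in weights.items():
        state = status.get(req, "not implemented")
        if state not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {state!r}")
        if state == "implemented":
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            deductions[req] = PARTIAL_CREDIT[req]
        else:
            # Everywhere else, partial implementation scores as unimplemented.
            deductions[req] = weight
    return ScoreResult(MAX_SCORE - sum(deductions.values()), deductions)


def example_status() -> dict:
    """Constructed SSP status: everything in place except three requirements."""
    status = {req: "implemented" for req in SAMPLE_WEIGHTS}
    status[SSP_REQUIREMENT] = "implemented"
    status["3.5.3"] = "partial"          # MFA only for remote/privileged users: -3
    status["3.12.2"] = "partial"         # no partial credit outside the two cases: -3
    status["3.1.3"] = "not implemented"  # full weight deducted: -1
    return status


if __name__ == "__main__":
    result = score_assessment(example_status())
    print(f"score {result.score}/{MAX_SCORE}, deductions {result.deductions}")
```

Running the block scores the constructed status at 103 (3 points for 3.5.3, 3 for 3.12.2, 1 for 3.1.3). Treating a requirement that is absent from the status table as unimplemented keeps the scorer from silently inflating a score when an SSP omits a requirement, which is the same posture a DoD assessor takes when a requirement is not addressed in the plan.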
5 Point Security Requirements
“Basic Security Requirements” have a value of 5 points. They are the high-level requirements that, if not implemented, leave their supporting “Derived Security Requirements” ineffective. A subset of “Derived Security Requirements” also has a value of 5 points because, without them, an attacker could bypass or undermine the Basic Security Requirement they support.
23 Basic Security Requirements have a 5 point value:
- 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- 3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
- 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
- 3.5.1 Identify system users, processes acting on behalf of users, and devices.
- 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
- 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
- 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
- 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
- 3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
- 3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
- 3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
- 3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
- 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- 3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
- 3.14.1 Identify, report, and correct system flaws in a timely manner.
- 3.14.2 Provide protection from malicious code at designated locations within organizational systems.
- 3.14.3 Monitor system security alerts and advisories and take action in response.
18 Derived Security Requirements have a 5 point value: