CMMC continues to evolve in 2021, and more DoD government contractors are beginning to test their IT systems against the latest scoring metrics, as per DoD's new Interim Rule. If you haven’t tested your IT infrastructure and submitted your score, you need to get started!
All DoD contractors need to submit a self-assessment based on NIST SP 800-171 to the DoD's SPRS before they can even be considered eligible for any contract award.
In order to help you achieve the highest score possible on this assessment, which ultimately will help you improve your CMMC readiness, we've created a video tutorial and also transcribed it for you below.
We'll cover the DoD assessment methodology, how to calculate your potential score, and most importantly, how to earn more points to help with your upcoming CMMC assessment!
Full video: "How to Achieve a Higher 800-171 Score To Help With Your Upcoming CMMC Assessment"
CMMC Timeline - Where Are We Now?
As of right now, up to 100 provisional assessors have been trained. There are no currently approved C3PAOs. More information about these can be found on the CMMC accreditation body’s website.
It looks like only companies that are bidding affected contracts can engage assessors for 2021. General training and assessments are not yet available.
Presumably, after the training is updated and the first round of assessments have been completed, these broader offerings will become available.
DoD Assessment Methodology
As you know, the Department of Defense (DoD) released an Interim Rule on September 29, 2020 that addresses DoD’s increased requirements for assessing whether contractors are compliant with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).
Under this new Interim Rule, DoD offerors must have a current assessment on file with DoD to document their compliance with NIST 800-171 before they can be eligible to be considered for any contract award.
The Interim Rule specifically requires contractors to ensure that a summary score from an assessment conducted under DoD’s NIST 800-171 Assessment Methodology is submitted into a DoD enterprise application called the Supplier Performance Risk System (SPRS).
Scroll down to see more information on the SPRS!
Version 1.2.1 of the NIST SP 800-171 DoD Assessment Methodology consists of three levels: basic, medium, and high.
- Basic – This is an internally completed process, allowing you to score your self-assessed System Security Plan (SSP).
- Medium – The DoD will take your SSP and POAM and score them accordingly.
- High – The DoD will come on-site to do an in-depth assessment and score. I believe there will be some sort of reciprocity for this assessment for CMMC level three, but nothing official has been announced.
The medium and high assessments are completed by assessors trained by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at Ft. Lee. They will come from DCMA, DCAA, and DCSA, since all three of those agencies have some statutory authority.
In the assessment methodology, 109 of the 110 controls are scored, and, as the name implies, only the 800-171 controls are assessed. Control 3.12.4, which requires a system security plan and a POAM, has no point value.
IMPORTANT: There is a note directly from the assessment methodology which you should be aware of.
“The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’”
DoD has been making a lot of noise about contractors that aren’t in compliance with DFARS because they don’t have an SSP.
If you haven't done this yet, you are a long way from CMMC Level 3 compliance!
How to Calculate Your Potential NIST 800-171 Score
The controls themselves are each worth one, three, or five points, and those points are deducted for every control that is not implemented. There is no partial credit, except for 3.5.3, which involves using multi-factor authentication in all of the places it’s required, and 3.13.11, which covers using FIPS-validated encryption everywhere it’s needed.
Every company begins at 110 points.
With 110 controls and point values that are one, three, or five, you can very quickly end up with a negative score! The full point range is -203 to a perfect score of 110.
One thing to note regarding medium and high assessments: the maximum score for a virtual assessment is reduced from 110 to 100. This is because the DoD cannot independently verify the physical controls remotely.
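To make the arithmetic above concrete, here is an added example (not from the original post or from Ntiva) of a self-assessment score calculator. It starts every company at 110, deducts each control's 1/3/5-point weight when the control is not implemented, gives 3.12.4 no point value, allows partial credit only for 3.5.3 and 3.13.11, and then groups the points still on the table by 800-171 control family so you can see where the biggest gains are (the question the "How To Earn More Points" section below answers in prose). Assumptions, labelled in the code: the per-control weights are a constructed sample, not the official Annex A table; a partial implementation of 3.5.3 or 3.13.11 is assumed to lose 3 of its 5 points; and the sample self-assessment results are constructed.

```python
from collections import defaultdict

# Constructed sample of control weights for illustration only. The official
# per-control values are in Annex A of the DoD Assessment Methodology; swap
# that full 109-control table in for real use. Per the methodology, scored
# controls are worth 1, 3 or 5 points and 3.12.4 (SSP/POAM) is worth 0.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1,      # Access Control
    "3.2.1": 3, "3.2.2": 3, "3.2.3": 1,      # Awareness and Training
    "3.3.1": 5, "3.3.2": 3, "3.3.3": 1,      # Audit and Accountability
    "3.5.3": 5,                              # MFA (partial credit possible)
    "3.12.4": 0,                             # SSP and POAM: no point value
    "3.13.11": 5,                            # FIPS crypto (partial credit possible)
    "3.14.2": 5,                             # malicious code protection
}

MAX_SCORE = 110   # every company starts here
MIN_SCORE = -203  # lowest possible score under the methodology

# Only these two controls allow partial credit. The 3-point deduction for a
# partial implementation is an assumption of this example.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

STATUSES = ("implemented", "partial", "not_implemented")


def deduction(control, status, weights=SAMPLE_WEIGHTS):
    """Points lost for one control given its assessed status."""
    if control not in weights:
        raise KeyError(f"unknown control {control}")
    if status not in STATUSES:
        raise ValueError(f"bad status {status!r} for {control}")
    if status == "implemented":
        return 0
    if status == "partial":
        if control not in PARTIAL_CREDIT:
            raise ValueError(f"{control} has no partial credit; "
                             "score it implemented or not_implemented")
        return PARTIAL_CREDIT[control]
    return weights[control]


def score(results, weights=SAMPLE_WEIGHTS):
    """Start at MAX_SCORE and subtract each control's deduction.

    `results` maps control id -> status. A control missing from `results`
    is treated as not implemented: no evidence means no credit.
    """
    total = MAX_SCORE
    for control in weights:
        total -= deduction(control, results.get(control, "not_implemented"), weights)
    assert MIN_SCORE <= total <= MAX_SCORE, "score outside methodology range"
    return total


def recoverable_by_family(results, weights=SAMPLE_WEIGHTS):
    """Points still on the table, grouped by 800-171 family (e.g. '3.3' is
    Audit and Accountability), largest first. Handy for deciding which gap
    in the POAM to close next."""
    by_family = defaultdict(int)
    for control in weights:
        lost = deduction(control, results.get(control, "not_implemented"), weights)
        if lost:
            by_family[control.rsplit(".", 1)[0]] += lost
    return dict(sorted(by_family.items(), key=lambda kv: -kv[1]))


# Constructed self-assessment results for a shop with access control and
# anti-malware in place, but no training program or log retention yet.
SAMPLE_RESULTS = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
    "3.2.1": "not_implemented", "3.2.2": "not_implemented", "3.2.3": "not_implemented",
    "3.3.1": "not_implemented", "3.3.2": "not_implemented", "3.3.3": "not_implemented",
    "3.5.3": "partial",
    "3.12.4": "implemented",
    "3.13.11": "partial",
    "3.14.2": "implemented",
}

if __name__ == "__main__":
    print("score:", score(SAMPLE_RESULTS))                       # 87
    print("recoverable:", recoverable_by_family(SAMPLE_RESULTS))  # 3.3 first
```

With the sample inputs the score comes out at 87, and the family breakdown puts Audit and Accountability (3.3) and Awareness and Training (3.2) at the top of the list, which is the same ordering the post's advice on logging and training reflects. Marking a control "partial" that the methodology does not allow partial credit for raises an error rather than quietly inflating the score.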
What You Need to Know About DoD's Supplier Performance Risk Systems (SPRS)
SPRS is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD acquisition community, to use in identifying, assessing, and monitoring unclassified performance.
Right now, in SPRS, you load your total score (not individual items) along with a date that you project to have all of your security gaps closed and will have a perfect score.
I believe you will see SSP and POAM upload requirements added shortly. In my opinion, you should update your score as you close items and update your POAM.
That being said, don’t update the score daily or make large changes (such as a 20 to a 95 overnight). You don’t want to attract attention to your company.
In reality, your plan to reach a perfect score should be completed within 9 to 12 months.
DoD will select companies for medium and high assessments based on perceived program risk. This could come from the nature of the work you’re doing, or simply from a bad score.
Remember, all of this is happening while CMMC rolls out over the next five years.
What's a Realistic First 800-171 Score?
If you’re a reasonably well-structured company and you’ve gone out of your way to spend time and money on DFARS-7012 compliance, you should probably expect to receive somewhere from a 75-90. Maybe even higher.
You probably have some FIPS validated encryption, some MFA policies and procedures you still need to finalize, but overall, you’re in pretty good shape.
If you’ve implemented some technology but have been a little informal on the policy side, you’re probably going to find yourself in the 30-65 range. This doesn’t mean you’re doing things badly; it just means that you definitely have room for improvement.
Maybe you have one overworked IT employee. Maybe you haven’t deployed a lot of technology. If this is the case, you’re going to have a pretty low score of 0-25.
If you’ve largely ignored the compliance requirements, or maybe you have an SSP but you’ve largely ignored the compliance issues, you will be around a -40.
Lastly, if you’re running a shop with no vulnerability patching, no monitoring, and no Active Directory structure in place, you’re going to be at -150 right off the bat.
There are a few more important things regarding CMMC and assessment scores that I should mention.
First of all, there is no announced pass or fail score. Also, there is nothing available saying how your score will be used.
Acquisition officials, to the best of my knowledge, are being told to retrieve the score as part of the award process and the overall risk assessment.
Another crucial point: DO NOT INFLATE YOUR SCORE.
Obviously, you want to cast yourself in the best light, but any gray area is going to get you in trouble. Instead, go after the low hanging fruit, get your score up, and make a concerted effort to fix what you can.
From the DoD’s perspective, you’ve been certifying that you’re doing all of these things for the last three to five years anyway!
How To Earn More Points on 800-171 To Ultimately Help With Your CMMC Assessment
Simply by implementing basic training requirements on phishing and security awareness, you can pick up a few points.
Training people with elevated privileges is another quick and easy way to pick up 11 or so points for minimal time and expense.
As an example, Ntiva charges a maximum of $3.50 per user/month for this very thing, so not an expensive investment.
Log retention and analysis can jump your score roughly 30 points, but it will cost a bit more and the points involved are harder to earn.
The easiest way to do this is by implementing a third-party SIEM.
You don’t want the logs under your own exclusive control: if someone inside the company could access and alter them, the logs lose credibility as evidence and invite suspicion.
Again, don’t be put off by the cost! Aside from CMMC compliance, it will have a HUGE impact on your cyber defense which is critical for your business.
The final option is to develop the CUI control plan.
This will score you another 30 or so points. While there is a direct CMMC requirement for this, the plan also documents many controls that you may already have implemented elsewhere.
For example, CUI flow, CUI controls, and CUI access requirements are sprinkled throughout 800-171, so even if you have strong technical controls in place, this is one area where you can bring everything together in one section.
So pick up those 30 points and address some of your other controls at the same time!
Do You Need Help with NIST or CMMC?
Maybe you don’t even have an SSP or POAM yet. If you do not, the best option at this point would be to work with a CMMC consultant, preferably someone from a Managed IT Service Provider (MSP) who specializes in this area and who can provide ongoing support.
While there is no turnkey compliant solution, and every company is different, an MSP can help your specific organization meet the requirements to reach that perfect score - and help keep you compliant moving forward.
We’ve already seen that small to medium sized businesses will absolutely save money by outsourcing their CMMC needs, as opposed to trying to meet CMMC compliance entirely in-house.
One last point. Don’t forget, while CMMC and NIST 800-171 are IT-centric, they also require the involvement of your exec team, HR, contractors, and facilities managers!
If you need help, reach out to us below to sign up for your complimentary risk assessment and gap analysis with a certified CMMC RPO, and let’s get you on the road to that 110 score!