NIST SP 800–171 DoD Assessment Methodology

DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions solely for commercially available off-the-shelf (COTS) items.

The clause requires contractors to apply the security requirements of NIST SP 800–171 to "covered contractor information systems," as defined in the clause, that are not part of an IT service or system operated on behalf of the Government. The NIST SP 800–171 DoD Assessment Methodology provides for the assessment of a contractor's implementation of NIST SP 800–171 security requirements, as required by DFARS clause 252.204–7012.

The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800–171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/ to provide DoD Components with visibility into the scores of Assessments already completed, and to verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

More information on the NIST SP 800–171 DoD Assessment Methodology is available at https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html.

SERVICES

We will perform a pre-CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up your NIST 800-171 score and starting you on your way to completing your SSP and POAM. Our goal is to make you as self-sufficient as you want.

GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.
