NIST 800-171 Scoring – Not a Game, But High Stakes
On November 30, 2020, an Interim Rule took effect that impacts all participants in the Department of Defense (DoD) supply chain. The Interim Rule adds 3 new clauses to the Defense Federal Acquisition Regulation Supplement (DFARS) that strengthen enforcement of cybersecurity requirements defined within Special Publication 800-171 from the National Institute of Standards and Technology (NIST 800-171), and build the bridge to the next generation Cybersecurity Maturity Model Certification (CMMC) framework.
The Interim Rule
Prior to the Interim Rule, DFARS clauses mandated that members of the Defense Industrial Base (DIB) that store or handle Controlled Unclassified Information (CUI) must self-assess and self-attest to their compliance with the 110 security controls identified within NIST 800-171. With little follow-up or enforcement by the DoD, companies lacked incentive to grade themselves strictly, and the results showed with the continued exfiltration of CUI – compromising sensitive data, intellectual property, and U.S. national security.
The Interim Rule attempts to rectify these shortcomings by upping the ante on NIST 800-171 compliance reporting. From November 30th onward, all teammates bidding on new or renewed DoD contracts must score themselves for adherence with each of the 110 security controls by conducting what the DoD calls a Basic Assessment. Companies then must convey their total score on the DoD’s Supplier Performance Risk System (SPRS). Simply put, no score on SPRS, no contract.
Score Reporting in SPRS
In order to accurately determine their score, all members of the DIB truly must understand the nuances of each NIST 800-171 security control, as well as to what degree they meet it, because scoring calculations extend beyond “yes” or “no,” and each control carries a different scoring weight. Fully addressing a control maps to a score of 1, so complete compliance with all controls yields a maximum score of 110. Coming up short on a control might mean a score of 0 or even a negative number, producing an overall minimum possible score of -203.
Companies in the DoD supply chain have incentive to report their highest possible score on SPRS. As the DoD evaluates contract proposals, it certainly will look at bid teams’ SPRS entries. Similarly, prime contractors will examine the scores of their potential partners and suppliers for the contract. All things equal, higher scores trump lower scores, because they indicate a greater degree of NIST 800-171 compliance and better cybersecurity hygiene.
False Claims Act and Other Risks
Members of the DIB must be careful when calculating their scores, however. The DoD reserves the right to audit an organization’s reported score by executing a more intense remote or in-person Medium or High Assessment. If the DoD’s evaluation of scoring on individual controls or the total score differs significantly from the Basic Assessment score, companies may find themselves in jeopardy. Consequences could range from loss of contract to litigation under the False Claims Act.
What’s the best way to avoid these risks? Scrutinize IT policies, System Security Plans, and Plans of Actions and Milestones with the critical eye of an external auditor assessing for verifiable implementation of the NIST 800-171 controls. Score conservatively, and preserve evidence – via an archive with version control management – to support the submitted Basic Assessment score.
Don’t Procrastinate – Come Up with a Plan and Get Moving Now
So, firms must make accurate NIST 800-171 scoring and reporting to SPRS a top priority. Many, especially small-to-medium sized businesses, may lack the time, resources, or expertise to achieve that objective in-house. Bringing in outside consultants represents one option for help, albeit an expensive one that may not meet the desired reporting timeline. Fortunately, a better alternative exists – a purpose-built, low-cost product, like Exostar’s Certification Assistant, that provides in-depth insight, out-of-the-box, on each security control, guidance on how to properly compute a score given the company’s current state of affairs, tips for actions to improve the score, assistance uploading the total score to SPRS, and a means to maintain the relevant backup materials.
Companies in the DoD supply chain may be lulled to sleep thinking that the Interim Rule’s bridge to CMMC will take years to complete, and thus not affect them. While that may be true, the Interim Rule also packs a powerful punch directed at everyone with its NIST 800-171 scoring requirements and oversight. Members of the DIB need to understand these high stakes and take action right away to protect themselves from harm and position themselves for competitive advantage.