Learn how to perform a NIST SP 800-171 self-assessment and generate a supplier risk performance system (SPRS) score.

NIST SP 800-171: How to Perform a Self-Assessment



Why Perform a Self-Assessment?

There are multiple reasons why an organization will want to perform a NIST SP 800-171 self-assessment and generate an SPRS score. Whatever the specific reason, it stems from one requirement: DFARS clause 252.204-7019, “Notice of NIST SP 800-171 DoD Assessment Requirements”. This contract clause requires organizations to assess their implementation of the NIST SP 800-171 security controls.

In general, subcontractors are informed by their prime contractor that they need to perform a “basic” self-assessment, or a prime contractor is notified of this requirement by its DoD point of contact.

How to Perform a Self-Assessment

Performing a NIST SP 800-171 self-assessment is no easy task. It requires knowledge of IT systems, an understanding of the NIST SP 800-171 cybersecurity controls, and a lot of hours. Lucky for you, we have developed the Compliance Accelerator, which performs your NIST SP 800-171 self-assessment. We offer a free trial for you to give it a spin.

So how does it work?

In the application you simply answer yes or no questions for each of the NIST SP 800-171 security controls and click submit for assessment. It will then inform you whether you are meeting each requirement, and it will update your SPRS score automatically.

If you are not meeting a requirement, it will provide tasks to complete so that you meet it. After you complete the tasks it will mark the security control as “Audit Ready” and update your SPRS score. Once you complete all of the questions and tasks you will achieve a perfect SPRS score of 110.

Having a System Security Plan is Critical

Keep in mind that performing a self-assessment and generating an SPRS score is not the only requirement an organization has under DFARS clause 252.204-7019. The organization must also have a system security plan; otherwise the score you generated doesn’t count.

“Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’”

How do you create a System Security Plan?

Our Compliance Accelerator application includes a system security plan template that you can use to describe how your organization has implemented its NIST SP 800-171 security controls. You can use the guidance within the tool to help fill out your system security plan. If you have not implemented all of your security controls, you will need a plan of action and milestones document describing how you plan to implement them. You can use the tasks generated in the app along with our plan of action and milestones template to accomplish this.

Submitting the Self-Assessment to the DoD

After generating your SPRS score and system security plan, you will need to submit the score to the DoD. Please read page 21 of the NIST SP 800-171 Assessment Methodology document for instructions on how to accomplish this.