What is a Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment?

The Basic Assessment is the Contractor’s self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with NIST SP 800-171 DoD Assessment Methodology. The Basic Assessment results in a confidence level of ‘Low’ in the resulting score because it is a self-generated score.

It should inlcude your summary level score. The scope of the Basic Assessment (cage code and associated system), this can be set using the Compliance Accelerator app. The plan of action (POA&M) completion date. This is the date that a score of 110 is expected to be achieved for each system security plan assessed. Medium and high level assessments require additional fields which we have included in the assessment report generated by the Compliance Accelerator.

We have a blog dedicated to this question, however in short, a summary level score or commonly referred to as the “SPRS score” (pronounced “spurs”) is the result of a NIST SP 800-171 DoD Assessment that is performed in accordance with the NIST SP 800-171 DoD Assessment Methodology, Version 1.2. A summary level score helps identify a contractor's progress towards implementing the NIST SP 800-171 set of security controls. The summary level score, when submitted to the Supplier Performance Risk System (SPRS) provides the DoD with “a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.”

We answer this question in our blog post on Summary Level scores, however the easiest way to calculate it is to use the Compliance Accelerator app. Once you complete the assessment survey you will have a summary level score, Basic NIST SP 800-171 Assessment report, and a plan of action and milestones document all automatically generated.

According to the NIST glossary, a POA&M is a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”

A plan of action and milestones (POA&M) document includes the following columns: POAM ID (identifies an action item), Weakness (describes the weakness associated with the action item) Responsible Person (the person(s) responsible for the action item), scheduled start date, scheduled completion date, Milestones, how the weakness was identified, and the current implementation status.

If you use the Compliance Accelerator app you simply need to complete an assessment survey and assign team members to the auto generated gap remediation tasks. The app will then automatically generate your plan of action and milestones document as depicted above.