What to Know Before Your NIST 800-171 Assessment Submission

Working with government agencies like the Department of Defense (DoD) requires meeting specific and evolving regulations related to NIST 800-171 cybersecurity standards.

NIST 800-171 is a standard that protects CUI, or controlled unclassified information, created or owned by the government at the federal or state level.

Some examples of CUI that contractors or subcontractors might handle include:

• Emails
• Electronic Files
• Blueprints or Drawings
• Sales Orders
• Contracts

Contractors and subcontractors that work with government agencies and CUI must adhere to NIST 800-171 standards in order to complete government projects that involve handling CUI.

Additionally, with the implementation of the DFARS Interim Final Rule last winter, companies doing business with the DoD or supporting DoD contractors are required to submit a scored self-assessment based on their compliance with the 110 controls of NIST 800-171.

Non-compliance can result in losing crucial contracts, hefty fines, and even criminal charges. So, defense contractors that have operated under the old honor system with respect to meeting all NIST 800-171 requirements could face new challenges to maintain their DoD contracts.

How NIST 800-171 Scoring Works

Let’s go over the NIST 800-171 assessment scoring methodology a bit more in-depth.

Basically, scoring starts with a perfect score of 110 (based on the 110 controls of NIST 800-171) and points are deducted based on incomplete controls not fully met. However, the controls and points associated with them are weighted:

44 controls are worth 5 points
14 controls are worth 3 points
51 controls are worth 1 point
1 control (having a System Security Plan or SSP) does not have points but is necessary to be able to complete an assessment

Final Score = 110 or less

It is possible to have a negative score, with the lowest possible score being -203.

Here is a sample of the scoring methodology with the NIST 800-171 self-assessment:

A Note on System Security Plans

It is required that all companies who handle CUI have a System Security Plan (SSP) in place.

This can be a hurdle for companies who do not have an SSP but are now being required to submit an assessment, but SSE can help.

Self-Scoring vs. Evidence-Based Scoring

SSE has found the average discrepancy from a company scoring themselves vs. having an outside, evidence-based assessment conducted was -95 points.

Submitting scores that are inaccurate or not completed in good faith could put your business at legal and financial risk under the False Claims Act.

Because of this, many companies have not yet submitted their assessments due to uncertainty around their systems’ standing or how to accurately score themselves. And with increasing pressure from prime contractors for subcontractors to complete their submissions by a specific date, many companies are not prepared to do so.

SSE Can Help

Don’t put your company at risk with confusion around your assessment or a NIST 800-171 submission that may be inaccurate.

SSE has expertise in managing classified data and controlled unclassified information through evolving cybersecurity regulations for more than 12 years and has maintained NIST 800-171 compliance since 2017.

Our NIST 800-171 Assessment can provide companies with an evidence-based NIST 800-171 assessment score, information needed for a SSP as well as information for any Plans of Action and Milestones (POAMs) for controls not fully implemented.

Contact our team of experts today to schedule an initial consultation and to learn more about whether our NIST 800-171 Assessment can help your organization understand and confidently complete its NIST 800-171 submission.

Let’s get started.