By Chor-Ching Fan
When the recently released CMMC Interim Rule (DFARS Case 2019-D041) takes effect on November 30, 2020, the Department of Defense (DoD) will require defense contractors to self-report a score of compliance with 800-171 controls using a specified scoring methodology. The new assessment methodology consists of 3 levels:
| Level | Description |
| --- | --- |
| Basic | Self-assessment performed by the contractor based on a review of the System Security Plan (SSP), conducted in accordance with NIST SP 800-171A. DoD is encouraging contractors to immediately conduct and submit a Basic Assessment. |
| Medium | DoD assessment consisting of a thorough review of the SSP and discussions for additional information and clarification. DoD plans to select 200 contractors for Medium Assessments each fiscal year from FY 2021-2023. |
| High | DoD assessment consisting of a thorough document review and thorough verification/examination/demonstration, reviewing appropriate evidence to validate that the implementation of security requirements matches the SSP. DoD plans to select 110 contractors for High Assessments each fiscal year from FY 2021-2023. |
Contractors must submit self-assessment results to the Supplier Performance Risk System (SPRS) for contracting agencies to evaluate. Contractors not listed on the SPRS will not be eligible for contracts. Only contractors that have a current (not older than 3 years) DoD 800-171 Assessment score can be considered for awards involving Controlled Unclassified Information (CUI). DoD is rolling out this new 800-171 self-assessment over the next 3 years (FY 2021-2023) as an interim step toward CMMC compliance which is targeted for the next 7-10 years.
The methodology uses a scoring system to rate a contractor’s implementation of required security controls. As with prior 800-171 self-assessments, each system must be defined by a System Security Plan (SSP) with a Plan of Actions and Milestones (POAM) for tracking specific measures to be taken to fully implement required controls. A contractor starts with 110 points and then subtracts 1-5 points for each requirement that is not fully and properly implemented. Failure to implement significant controls will result in a negative score. Points to subtract are weighted as follows:
| Unimplemented requirement | Points subtracted |
| --- | --- |
| Each unimplemented 800-171 control that protects against “significant exploitation of the network or exfiltration of DoD CUI” (42 controls) | -5 |
| Each unimplemented 800-171 control with “specific and confined effect on the security of the network and its data” (14 controls) | -3 |
| Each unimplemented 800-171 control with “limited or indirect effect on the security of the network and its data” (remaining controls) | -1 |
Importantly, the CMMC Interim Rule eliminates most allowances for partial implementation of controls. There is no credit for partial implementations, apart from a few exceptions documented in the CMMC Interim Rule or for specific requirements previously submitted in writing to DoD and approved by DoD.
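To make the arithmetic concrete, here is an added example (not code from the post or from Rizkly) that scores a system the way the methodology above describes: start at 110, subtract 5, 3 or 1 per unimplemented control, and give a partial implementation credit only when DoD has approved an exception for it. The control identifiers, the assignment of weights to them, the approved partial-credit deduction value and the POAM findings are all constructed for illustration, not the official control-to-weight mapping.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110  # one point per 800-171 requirement
WEIGHT_COUNTS = {5: 42, 3: 14, 1: 54}  # 42 + 14 + remaining 54 = 110 controls

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"  # tracked on the POAM, not yet complete
    NOT_IMPLEMENTED = "not_implemented"

@dataclass(frozen=True)
class Control:
    ident: str
    weight: int  # 5, 3 or 1
    status: Status = Status.IMPLEMENTED
    # Deduction DoD has approved for a partial implementation (assumed, data-driven);
    # None means no exception applies, so a partial scores as not implemented.
    approved_partial_deduction: Optional[int] = None

def deduction(ctrl: Control) -> int:
    if ctrl.weight not in WEIGHT_COUNTS:
        raise ValueError(f"{ctrl.ident}: weight must be 5, 3 or 1")
    if ctrl.status is Status.IMPLEMENTED:
        return 0
    if ctrl.status is Status.PARTIAL and ctrl.approved_partial_deduction is not None:
        return ctrl.approved_partial_deduction
    return ctrl.weight

def build_inventory() -> List[Control]:
    """Constructed 110-control inventory with the methodology's weight counts;
    identifiers are placeholders, not the official control-to-weight map."""
    return [Control(f"W{w}-{i:02d}", w) for w, n in WEIGHT_COUNTS.items() for i in range(n)]

def assess(inventory: List[Control], findings: Dict[str, Tuple[Status, Optional[int]]]) -> int:
    """Apply POAM findings (ident -> (status, approved deduction)) and score the system."""
    if len(inventory) != MAX_SCORE or len({c.ident for c in inventory}) != MAX_SCORE:
        raise ValueError("an SSP must cover all 110 requirements exactly once")
    scored = [replace(c, status=findings[c.ident][0], approved_partial_deduction=findings[c.ident][1])
              if c.ident in findings else c for c in inventory]
    return MAX_SCORE - sum(deduction(c) for c in scored)

def floor_score() -> int:
    """Lowest possible score (nothing implemented): 110 - (42*5 + 14*3 + 54*1)."""
    return MAX_SCORE - sum(w * n for w, n in WEIGHT_COUNTS.items())

def sample_assessment() -> int:
    # Constructed findings: three 5-point controls open, one 3-point control partly done
    # with no exception, two 1-point controls open, one approved 5-point partial at -3.
    findings = {"W5-00": (Status.NOT_IMPLEMENTED, None), "W5-01": (Status.NOT_IMPLEMENTED, None),
                "W5-02": (Status.NOT_IMPLEMENTED, None), "W3-00": (Status.PARTIAL, None),
                "W1-00": (Status.NOT_IMPLEMENTED, None), "W1-01": (Status.NOT_IMPLEMENTED, None),
                "W5-03": (Status.PARTIAL, 3)}
    return assess(build_inventory(), findings)  # 110 - (15 + 3 + 2 + 3) = 87
```

Note that `floor_score()` comes out at -196, which is why a contractor with many of the 42 high-weight controls still open ends up with a negative score rather than a low positive one.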
With the CMMC Interim Rule set to take effect in a few weeks, DoD contractors need a simple and fast solution for compliance. With a Rizkly subscription, you get a complete 800-171 compliance management platform that supports the new DFARS 800-171 scoring requirement AND guidance from one of our certified NIST experts, helping SMBs quickly perform the needed Basic Assessment and submit it to the SPRS. Rizkly delivers the easy-to-use compliance checklists and templates that SMBs need to achieve 800-171 compliance, with full AutoFill & CrossMap support when you decide to tackle CMMC. One-click SSP and POAM document creation helps contractors generate the required self-assessment with lower cost and less effort than traditional compliance solutions. To learn more about Rizkly, please contact us. We’d love to provide a demo of our solution and explain why Rizkly guided compliance is the best 800-171 compliance solution for SMBs.