By Chor-Ching Fan

When the recently released CMMC Interim Rule (DFARS Case 2019-D041) takes effect on November 30, 2020, the Department of Defense (DoD) will require defense contractors to self-report a NIST SP 800-171 assessment score using a specified scoring methodology. The new assessment methodology consists of 3 levels:

Basic: Self-assessment performed by the contractor, based on a review of the System Security Plan (SSP) and conducted in accordance with NIST SP 800-171A. DoD is encouraging contractors to conduct and submit a Basic Assessment immediately.

Medium: DoD assessment consisting of a thorough review of the SSP plus discussions with the contractor for additional information and clarification. DoD plans to select 200 contractors for Medium Assessments in each fiscal year from FY 2021 through FY 2023.

High: DoD assessment consisting of a thorough document review and thorough verification, examination and demonstration, reviewing appropriate evidence to validate that the implementation of the security requirements matches the SSP. DoD plans to select 110 contractors for High Assessments in each fiscal year from FY 2021 through FY 2023.

Contractors must submit their self-assessment results to the Supplier Performance Risk System (SPRS), where contracting agencies evaluate them. A contractor with no assessment on record in SPRS is not eligible for award; only contractors with a current DoD 800-171 Assessment score (no older than 3 years) can be considered for awards involving Controlled Unclassified Information (CUI). DoD is rolling out this 800-171 self-assessment over the next 3 years (FY 2021-2023) as an interim step toward CMMC compliance, which it is targeting over the next 7-10 years.

The methodology uses a scoring system to rate a contractor's implementation of the required security controls. As with prior 800-171 self-assessments, each system must be described by a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) that tracks the specific measures still to be taken to fully implement the required controls. A contractor starts with 110 points (one per requirement) and subtracts 1, 3 or 5 points for each requirement that is not fully and properly implemented. Because the deductions total more than 110, a contractor missing enough of the heavily weighted controls will end up with a negative score. Points to subtract are weighted as follows:

-5 points: each unimplemented 800-171 control whose absence could lead to "significant exploitation of the network or exfiltration of DoD CUI" (42 controls)

-3 points: each unimplemented 800-171 control with a "specific and confined effect on the security of the network and its data" (14 controls)

-1 point: each unimplemented 800-171 control with a "limited or indirect effect on the security of the network and its data" (the remaining 54 controls)

Importantly, the CMMC Interim Rule eliminates most allowances for partial implementation of controls. A partially implemented control is scored as unimplemented and loses its full point value, apart from the few exceptions documented in the CMMC Interim Rule and any specific requirements for which an alternative approach was previously submitted in writing to DoD and approved by DoD.

With the CMMC Interim Rule set to take effect in a few weeks, DoD contractors need a simple and fast solution for compliance. With a Rizkly subscription, you have a complete 800-171 compliance management platform that supports the new DFARS 800-171 scoring requirement, and guidance from one of our certified NIST experts helps SMBs quickly perform the needed Basic Assessment and submit it to the SPRS. Rizkly delivers the easy-to-use compliance checklists and templates that SMBs need to achieve 800-171 compliance, with full AutoFill & CrossMap support when you decide to tackle CMMC. One-click SSP and POAM document creation helps contractors generate the required self-assessment at lower cost and with less effort than traditional compliance solutions. To learn more about Rizkly, please contact us. We'd love to provide a demo of our solution and explain why Rizkly guided compliance is the best 800-171 compliance solution for SMBs.