Cyber Math: A Note on NIST SP 800-171 DoD Assessment Scoring
Last week, the Department of Defense ("DoD") published its long-awaited rule on its Cybersecurity Maturity Model Certification ("CMMC") framework. Notably, in addition to the CMMC framework, the rule also includes a second framework related to NIST SP 800-171 DoD Assessments that some defense contractors will also need to consider. This second prong of DoD's cyber regime adds another layer of complexity for defense contractors with an obligation under the Defense Federal Acquisition Regulation Supplement ("DFARS") to protect controlled unclassified information ("CUI").
The interim rule will become effective, and comments are due, on November 30, 2020.
Assessment Math
The first link below, Strategically Assessing Contractor Implementation of NIST SP 800-171, is the webpage referenced in DoD's recent interim rule regarding NIST SP 800-171 DoD Assessments.
That webpage contains a link to the NIST SP 800-171 DoD Assessment Methodology rev 1.2.1 (June 24, 2020), which is what contractors must use to conduct a Basic assessment under the new DFARS 252.204-7019 provision and -7020 clause. Among other references, the -7020 clause provides that a Basic assessment, "[i]s conducted in accordance with the NIST SP 800–171 DoD Assessment Methodology." [1]
Under the interim rule, a Basic assessment is required where a defense contractor has an obligation to protect CUI under the DFARS 252.204-7012 clause, Safeguarding Covered Defense Information and Cyber Incident Reporting. [2] The Basic assessment is a self-assessment that results in a "Low" confidence score. In addition to a contractor's Basic self-assessment, the Government may also conduct assessments, which result in either a "Medium" or "High" confidence score depending on the assessment. [3]
The Assessment Methodology is important and nuanced because, in recognizing that "certain requirements have more impact on the security of the network and its data than others," DoD has placed a different weight on each NIST SP 800-171 requirement (1-, 3-, and 5-pointers). Where a contractor doesn't meet a -171 requirement, the corresponding point value is what will be deducted from 110. Under the Assessment Methodology, the maximum score is 110 – the number of requirements under NIST SP 800-171 – and a negative score is possible.
For example, if a defense contractor implements 100 (of 110) requirements under NIST SP 800-171 and the remaining 10 requirements are worth 5 points each, the contractor's assessment score will be 60, not 100 (110 - (10 * 5)). This score reflects the "net effect of security requirements not yet implemented." Where a contractor is missing 23 five-point requirements, its score would be -5 (110 - (23 * 5)).
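To make the assessment math concrete, the following calculator (an added example, not code from the article or from DoD) applies the scoring rule described above and also models a phased POA&M, re-posting the score after each gap is closed. The per-requirement point values in the real Methodology come from its Annex A; the weight table built here is a constructed stand-in with placeholder requirement ids.

```python
"""Added example: NIST SP 800-171 DoD Assessment score calculator.

Point values per requirement are published in Annex A of the Assessment
Methodology; the table produced by constructed_weights() is a CONSTRUCTED
stand-in with placeholder ids, not the real table.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110            # one point per NIST SP 800-171 requirement
VALID_WEIGHTS = {1, 3, 5}  # the three point values the Methodology uses


def constructed_weights(fives: int, threes: int = 0) -> Dict[str, int]:
    """Build a constructed 110-entry weight table: the first `fives` ids are
    5-pointers, the next `threes` are 3-pointers, the rest are 1-pointers."""
    ids = [f"R{n:03d}" for n in range(1, MAX_SCORE + 1)]  # placeholder ids
    return {r: 5 if i < fives else 3 if i < fives + threes else 1
            for i, r in enumerate(ids)}


def assessment_score(weights: Dict[str, int], not_implemented: List[str]) -> int:
    """Basic assessment score: 110 minus the weight of every requirement that
    is not yet implemented. The result can be negative."""
    missing = set(not_implemented)
    unknown = missing - weights.keys()
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    bad = sorted(r for r in weights if weights[r] not in VALID_WEIGHTS)
    if bad:
        raise ValueError(f"weights must be 1, 3 or 5: {bad}")
    return MAX_SCORE - sum(weights[r] for r in missing)


def poam_burndown(weights: Dict[str, int],
                  not_implemented: List[str]) -> List[Tuple[str, int]]:
    """Model a phased POA&M: close the heaviest gaps first and return the
    updated score after each closure (the score to re-post each time)."""
    order = sorted(set(not_implemented), key=lambda r: (-weights[r], r))
    return [(req, assessment_score(weights, order[i + 1:]))
            for i, req in enumerate(order)]


if __name__ == "__main__":
    w = constructed_weights(fives=25)
    ten_fives = list(w)[:10]
    print(assessment_score(w, ten_fives))        # 60, as in the article
    print(assessment_score(w, list(w)[:23]))     # -5, as in the article
    for req, score in poam_burndown(w, ten_fives):
        print(f"implemented {req}: score now {score}")
```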
Takeaway
Defense contractors (primes and subcontractors) that have an obligation to protect CUI under the -7012 clause should begin preparing for the NIST SP 800-171 DoD Assessments. While the CMMC framework will not be fully implemented until October 1, 2025 (DoD OUSD(A&S) approval is required in order for DoD contracting officials to include the CMMC in a solicitation prior to then), the NIST SP 800-171 DoD Assessments kick in on November 30, 2020 (when the interim rule is effective).
The "Assessment math" is something defense contractors using a phased implementation of the NIST SP 800-171 requirements (via POA&M) must consider. [4] As shown above, it's possible to score 60 despite missing only 10 requirements. That said, contractors with POA&Ms should consider updating their score as soon as they implement any of their remaining requirements (particularly when a new procurement opportunity arises).
Lastly, given that contracting officials will be required, under the rule, to verify contractor scores prior to awarding a contract, task order, or delivery order, it's also possible that the assessment scores could be used as an additional element in a best value tradeoff decision where competition is close. While there is currently no DoD guidance on this last point, contractors should consider it moving forward.
Resources
__________
[1] Unless otherwise indicated in a solicitation, a defense contractor's NIST SP 800-171 DoD Assessment score must be no more than three years old.
[2] Solicitations solely for commercially available off-the-shelf ("COTS") items are exempted from the NIST SP 800-171 DoD Assessment and CMMC requirements.
[3] Notably, in addition to a Basic assessment, DoD will also have the ability to conduct Medium and High assessments. A Medium assessment consists of: (1) a review of a contractor’s Basic assessment; (2) a thorough document review; and (3) discussions with the contractor to obtain additional information or clarification. A High assessment consists of (1) all items in a Medium assessment and (2) verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan. Moreover, under Medium and High assessments, the contractor is required to "provide access to its facilities, systems, and personnel necessary for the Government to conduct [the assessment]."
[4] Plans of Action and Milestones are not allowed under the CMMC framework. That is, all practices and processes must be met for a contractor to be certified at a given level.