
7 IMMEDIATELY ACTIONABLE WAYS TO IMPROVE YOUR NIST ASSESSMENT SCORE


WWW.KANEFEDERALSERVICES.COM

BACKGROUND
The DoD’s Interim Rule for its CMMC program plan has now been published.
Effective November 30, 2020, all DoD contractors (prime and subcontractor) will
need to report their compliance with the security controls in NIST SP 800-171. The
interim rule puts a new assessment and reporting system in place that will verify
compliance prior to contract award. Contractors cannot be awarded contracts or
award subcontracts unless they and their relevant subcontractors have each
performed a NIST 800-171 basic assessment within the last three years and
reported those results to a DoD website.

SCORING NIST 800-171 COMPLIANCE


The interim rule defines a specific scoring methodology that uses a 110-point,
weighted scoring system to measure the extent to which a contractor or offeror has
implemented the NIST 800-171 security controls. An information security system
that fully implements all 110 NIST 800-171 security controls will have a score of 110.
For each unimplemented requirement, 1, 3 or 5 points are subtracted (depending on
the control’s importance).

Basic assessments are conducted using NIST SP 800-171A, Assessing Security
Requirements for Controlled Unclassified Information, as well as Section 5 and
Annex A of v1.2.1 of the DoD Assessment Methodology. The DoD scoring
methodology assigns greater points to requirements that "have more impact on the
security of the network and its data than others." For instance, security controls
designed to “limit system access to authorized users" are critical to protecting
information systems, and failing to implement those controls will limit the
effectiveness of other controls. Accordingly, they are worth more points than other
less critical controls.

The weighting accorded to each of the security controls provides guidance on how
an organization seeking to move the needle on their current cybersecurity posture
(and hence, their NIST assessment score) should prioritize their near-term efforts
ahead of the implementation deadline:

PRIORITY 1
DEVELOP A SYSTEM SECURITY PLAN (SSP)

NIST 800-171 requires offerors to develop an SSP detailing how they have
implemented NIST SP 800-171 security controls. Basic Security Requirement
3.12.4 states the contractor must have a system security plan in place to
describe each covered contractor information system. Since the DoD
assessment scoring methodology is based on a review of the SSP describing
how the security requirements are met, it is not possible to conduct the
assessment if that information is not available. The absence of a system
security plan results in a finding that ‘an assessment could not be
completed due to incomplete information and noncompliance with DFARS
clause 252.204-7012.’ If you’re starting from scratch, see the template in the
resources section of this document.

BOTTOM LINE: The first thing an assessor will do is ask to review your SSP. If
you don’t have one, the assessment stops right there and will not continue.

PRIORITY 2
BASIC SECURITY REQUIREMENTS WITH A VALUE OF 5 POINTS

NIST 800-171 designates all requirements as either Basic Security
Requirements or Derived Security Requirements. The basic security
requirements are obtained from FIPS 200, a US government standard which
provides the high-level and fundamental security requirements for federal
information and systems. These requirements are important for two reasons:

01 They are high-level requirements which, if not implemented, render
ineffective the more numerous Derived Security Requirements in their
respective families of controls. For example, failure to create and retain
system audit logs and records (Basic Security Requirement 3.3.1)
renders all the other Audit and Accountability requirements ineffective.

02 They are worth five points each. Failure to implement these
requirements will have the greatest impact on your assessment score.
Accordingly, if you are looking for the biggest bang for your security
buck, implement these immediately after writing your SSP.

TOTAL VALUE: 115 POINTS

CONTROL #  NIST SP 800-171 R2 CONTROL
3.1.1   Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2   Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.2.1   Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2   Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.3.1   Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.4.1   Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2   Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.5.1   Identify system users, processes acting on behalf of users, and devices.
3.5.2   Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.6.1   Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2   Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.7.2   Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3.8.3   Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.9.2   Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.


3.10.1  Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2  Protect and monitor the physical facility and support infrastructure for organizational systems.
3.12.1  Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.3  Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.13.1  Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
3.13.2  Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.14.1  Identify, report, and correct system flaws in a timely manner.
3.14.2  Provide protection from malicious code at designated locations within organizational systems.
3.14.3  Monitor system security alerts and advisories and take action in response.

PRIORITY 3
DERIVED SECURITY REQUIREMENTS WITH A VALUE OF 5 POINTS

The derived security requirements supplement the basic security
requirements, and are taken from the security controls in NIST SP 800-53. The
ones listed below are worth five points each, so they should be next on your
list to implement. TOTAL VALUE: 95 POINTS

CONTROL #  NIST SP 800-171 R2 CONTROL
3.1.12  Monitor and control remote access sessions.
3.1.13  Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.16  Authorize wireless access prior to allowing such connections.
3.1.17  Protect wireless access using authentication and encryption.
3.1.18  Control connection of mobile devices.
3.3.5   Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.4.5   Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.6   Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3.4.7   Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8   Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.


3.5.10  Store and transmit only cryptographically-protected passwords.
3.7.5   Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.8.7   Control the use of removable media on system components.
3.11.2  Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.13.5  Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6  Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.15 Protect the authenticity of communications sessions.
3.14.4  Update malicious code protection mechanisms when new releases are available.
3.14.6  Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

PRIORITY 4
SECURITY REQUIREMENTS THAT GIVE PARTIAL CREDIT

Derived Security Requirements 3.5.3 and 3.13.11 are the only two
requirements where the scoring of partial implementation is built into the
DoD’s scoring methodology. The DoD’s reasoning is that these requirements
can be partially effective even if not completely or properly implemented,
and the points deducted should be adjusted depending on how the
requirement is implemented. TOTAL VALUE: 10 POINTS

01 Multi-factor authentication (MFA), Security Requirement 3.5.3, is typically
implemented first for privileged users and remote users (since these users
are both limited in number and more critical), and then for the general
user, so 3 points are subtracted from the score of 110 if MFA is
implemented only for remote and privileged users; 5 points are
subtracted from the overall score if MFA is not implemented for any users.

02 FIPS validated encryption (Security Requirement 3.13.11) is required to
protect the confidentiality of CUI. Any encryption is better than no
encryption at all, so if encryption is employed but it is not FIPS validated,
3 points are subtracted from the score of 110. If encryption is not
employed at all, 5 points are subtracted from the overall score.

CONTROL #  NIST SP 800-171 R2 CONTROL
3.5.3   Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

PRIORITY 5
BASIC SECURITY REQUIREMENTS WITH A VALUE OF 3 POINTS

Again, these are high-level requirements which, if not implemented, render
ineffective the more numerous Derived Security Requirements in their
respective families of controls. They are worth three points each.
TOTAL VALUE: 21 POINTS

It’s worth calling special attention to Basic Security Requirement 3.12.2, Plan
of Actions and Milestones (POA&M). NIST 800-171 requires offerors to
develop a POA&M detailing how they have implemented NIST SP 800-171
security controls. Security Requirement 3.12.2 states the contractor must have
a plan of action in place for each unimplemented security requirement to
describe how and when the security requirement will be met. A lack of a plan
of action for each unimplemented security requirement will result in
Security Requirement 3.12.2 being assessed as ‘not implemented.’ If you’re
starting from scratch, see the POA&M template in the resources section of
this document.

CONTROL #  NIST SP 800-171 R2 CONTROL
3.3.2   Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
3.7.1   Perform maintenance on organizational systems.
3.8.1   Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2   Limit access to CUI on system media to authorized users.
3.9.1   Screen individuals prior to authorizing access to organizational systems containing CUI.
3.11.1  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
3.12.2  Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

PRIORITY 6
DERIVED SECURITY REQUIREMENTS WITH A VALUE OF 3 POINTS

These are worth three points each so they should be next on your list to
implement, ahead of any one-point requirements. TOTAL VALUE: 21 POINTS

CONTROL #  NIST SP 800-171 R2 CONTROL
3.1.5   Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.19  Encrypt CUI on mobile devices and mobile computing platforms.
3.7.4   Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
3.8.8   Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.13.8  Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.14.5  Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.7  Identify unauthorized use of organizational systems.

PRIORITY 7
ALL THE SECURITY REQUIREMENTS WITH A VALUE OF 1 POINT

If you knocked out all of the priorities above, you’re in good shape. Now go
get all of the one-point requirements. TOTAL VALUE: 51 POINTS

Note that plans of action addressing unimplemented security requirements
are not a substitute for a completed requirement. Security requirements not
implemented, whether a plan of action is in place or not, will be assessed as
‘not implemented.’ For example, if the initial roll-out of 3.1.12, monitor and
control remote access sessions, is only 75% complete, and there is a plan of
action still being implemented, 3.1.12 will be considered ‘not implemented’
because the requirement has not been fully implemented.
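The scoring rules described in this document (start at 110; subtract 1, 3 or 5 points per unimplemented requirement; partial credit only for 3.5.3 and 3.13.11; no credit for a plan of action or a partial roll-out; no assessment at all without an SSP) as a small scorer. This is an added example, not a tool from Kane Federal Services or the DoD; its weight tables hold only the controls this document lists, and every other NIST SP 800-171 requirement is assumed to be worth 1 point.

```python
# Added example, not part of the original document or the DoD methodology.
# Weights cover only the 5- and 3-point controls this document lists; every
# other NIST SP 800-171 requirement is assumed to be worth 1 point.

MAX_SCORE = 110
SSP_CONTROL = "3.12.4"  # no point value of its own: no SSP, no assessment

FIVE_POINT = {
    # Basic security requirements worth 5 points (Priority 2)
    "3.1.1", "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.4.1", "3.4.2", "3.5.1",
    "3.5.2", "3.6.1", "3.6.2", "3.7.2", "3.8.3", "3.9.2", "3.10.1", "3.10.2",
    "3.12.1", "3.12.3", "3.13.1", "3.13.2", "3.14.1", "3.14.2", "3.14.3",
    # Derived security requirements worth 5 points (Priority 3)
    "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18", "3.3.5", "3.4.5",
    "3.4.6", "3.4.7", "3.4.8", "3.5.10", "3.7.5", "3.8.7", "3.11.2",
    "3.13.5", "3.13.6", "3.13.15", "3.14.4", "3.14.6",
}
THREE_POINT = {
    # Basic (Priority 5) and derived (Priority 6) requirements worth 3 points
    "3.3.2", "3.7.1", "3.8.1", "3.8.2", "3.9.1", "3.11.1", "3.12.2",
    "3.1.5", "3.1.19", "3.7.4", "3.8.8", "3.13.8", "3.14.5", "3.14.7",
}
# The only two requirements with partial credit (Priority 4): 3 points off
# instead of 5 when MFA covers only privileged and remote users (3.5.3) or
# when encryption is used but is not FIPS validated (3.13.11).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def weight(control):
    """Full deduction for a requirement that is not implemented."""
    if control in FIVE_POINT or control in PARTIAL_CREDIT:
        return 5
    return 3 if control in THREE_POINT else 1


def deduction(control, status):
    """Points lost for one requirement.  status is 'implemented',
    'partial' or 'not_implemented'.  A plan of action or a partial
    roll-out does not count, so 'partial' earns credit only for the
    two requirements in PARTIAL_CREDIT; elsewhere it is a full deduction."""
    if status == "implemented":
        return 0
    if status == "partial" and control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control]
    return weight(control)


def score(statuses):
    """statuses maps a control id to its status; controls that are not
    listed count as implemented.  Returns the assessment score (110 when
    everything is implemented; it can go below zero)."""
    if statuses.get(SSP_CONTROL, "implemented") != "implemented":
        raise ValueError("no system security plan: assessment cannot be completed")
    return MAX_SCORE - sum(deduction(c, s) for c, s in statuses.items()
                           if c != SSP_CONTROL)
```

With 3.12.4 excluded as the precondition, the 58 weighted controls in the tables leave 51 one-point requirements, which matches the totals this document gives (115 + 95 + 10 + 21 + 21 + 51 points of possible deductions).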

THE NEXT STEPS


Those with the DFARS 252.204-7012 clause in current or anticipated
contracts, tasks, or options awards need to begin their assessment process
immediately. Evaluating all 110 controls will take time. This will also allow the
controls to gain maturity in your organization, a requirement to meet the
CMMC maturity requirements which are being rolled out in the near future.

01 ASSESS SECURITY POSTURE for compliance with NIST 800-171 using the DoD
scoring methodology

02 SSP & POA&Ms: document a System Security Plan (SSP) and Plans of Actions &
Milestones (POA&Ms)

03 IMPLEMENT any missing/noncompliant security controls, prioritized by impact
to NIST score

04 REASSESS COMPLIANCE and submit the updated score to the Supplier Performance
Risk System (SPRS)

05 CONTINUE CLOSING POA&M items; reassess and update SPRS when the score
materially improves

AN EXTERNAL ASSESSMENT CAN HELP
If you are a smaller company with limited bandwidth, consider having a professional
compliance organization perform your assessment and provide a gap analysis. An
external assessment of your current cybersecurity posture can help you
understand which of your security practices are already in good shape and which
need more work and attention from an implementation perspective.

A gap analysis using NIST 800-171A can point out practices that need a quick fix,
like rewriting company policies. It also can provide a heads up on practices that
will require more substantial investments or time and resources. Perhaps most
importantly, an independent review can catch things your self-assessments may
have missed and prevent your NIST score from being a surprise.

Contact us at WWW.KANEFEDERALSERVICES.COM for more information.

RESOURCES
NIST SP 800-171 rev 2, Protecting CUI in Nonfederal Systems and
Organizations (PDF)

NIST 800-171A, Assessing Security Requirements for CUI (PDF)

NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (PDF)

Documentation Templates

NIST example of an SSP (System Security Plan) template (.docx)

NIST example of a basic POA&M (Plan of Action and Milestones) template (.docx)

Supplier Performance Risk System (SPRS)

A Procurement Integrated Enterprise Environment (PIEE) account with a
SPRS “Cyber Vendor” role will be required to enter Basic Assessment
information into SPRS. This role may be requested through PIEE.

PIEE Landing Page: https://piee.eb.mil/piee-landing/

How to request contractor access to SPRS (PDF)

SPRS user guide for contractors (PDF)

NIST SP 800-171 Quick Entry Guide (PDF)

Annex B of NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (PDF)
