BACKGROUND
The DoD’s Interim Rule for its CMMC program plan has now been published.
Effective November 30, 2020, all DoD contractors (prime and subcontractor) will
need to report their compliance with the security controls in NIST SP 800-171. The
interim rule puts a new assessment and reporting system in place that will verify
compliance prior to contract award. Contractors cannot be awarded contracts or
award subcontracts unless they and their relevant subcontractors have each
performed a NIST 800-171 basic assessment within the last three years and
reported those results to a DoD website.
The weighting accorded to each of the security controls provides guidance on how
an organization seeking to move the needle on their current cybersecurity posture
(and hence, their NIST assessment score) should prioritize their near-term efforts
ahead of the implementation deadline:
PRIORITY 1
DEVELOP A SYSTEM SECURITY PLAN (SSP)
NIST 800-171 requires offerors to develop an SSP detailing how they have
implemented NIST SP 800-171 security controls. Basic Security Requirement
3.12.4 states the contractor must have a system security plan in place to
describe each covered contractor information system. Since the DoD
assessment scoring methodology is based on a review of the SSP describing
how the security requirements are met, it is not possible to conduct the
assessment if the information is not available. The absence of a system
security plan would result in a finding that ‘an assessment could not be
completed due to incomplete information and noncompliance with DFARS
clause 252.204-7012.’ If you’re starting from scratch, see the template in the
resources section of this document.
BOTTOM LINE: The first thing an assessor will do is ask to review your SSP. If
you don’t have one, the assessment stops right there and will not continue.
PRIORITY 2
BASIC SECURITY REQUIREMENTS WITH A VALUE OF 5 POINTS
01 ineffective the more numerous Derived Security Requirements in their respective families of controls. For example, failure to create and retain system audit logs and records (Basic Security Requirement 3.3.1) renders all the other Audit and Accountability requirements ineffective.
02 requirements will have the greatest impact on your assessment score. Accordingly, if you are looking for the biggest bang for your security buck, implement these immediately after writing your SSP.
TOTAL VALUE: 115 POINTS
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
3.14.3 Monitor system security alerts and advisories and take action in response.
3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.14.4 Update malicious code protection mechanisms when new releases are available.
Derived Security Requirements 3.5.3 and 3.13.11 are the only two
requirements where the scoring of partial implementation is built into the
DoD’s scoring methodology. The DoD’s reasoning is that these requirements
can be partially effective even if not completely or properly implemented,
and the points deducted should be adjusted depending on how the
requirement is implemented.
TOTAL VALUE: 10 POINTS
01 implemented first for privileged users and remote users (since these users are both limited in number and more critical), and then for the general user, so 3 points are subtracted from the score of 110 if MFA is implemented only for remote and privileged users; 5 points are subtracted from the overall score if MFA is not implemented for any users.
02 protect the confidentiality of CUI. Any encryption is better than no encryption at all, so if encryption is employed but it is not FIPS validated, 3 points are subtracted from the score of 110. If encryption is not employed at all, 5 points are subtracted from the overall score.
3.5.3 Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts.
It’s worth calling special attention to Basic Security Requirement 3.12.2, Plan
of Actions and Milestones (POA&M). NIST 800-171 requires offerors to
develop a POA&M detailing how they have implemented NIST SP 800-171
security controls. Security Requirement 3.12.2 states the contractor must have
a plan of action in place for each unimplemented security requirement to
describe how and when the security requirement will be met. A lack of a plan
of action for each unimplemented security requirement will result in
Security Requirement 3.12.2 being assessed as ‘not implemented.’ If you’re
starting from scratch, see the POA&M template in the resources section of
this document.
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
These are worth three points each, so they should be next on your list to implement, ahead of any one-point requirements.
TOTAL VALUE: 21 POINTS
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
If you knocked out all of the priorities above, you’re in good shape. Now go get all of the one-point requirements.
TOTAL VALUE: 51 POINTS
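The scoring rules laid out above (start from 110, subtract each unimplemented requirement's weight, reduced deductions only for 3.5.3 and 3.13.11, no assessment at all without an SSP) can be turned into a small self-assessment calculator that also produces the remediation queue in point-impact order. The script below is an added illustration written for this page, not a DoD tool; its weight table contains only the requirement IDs named on this page, the sample assessment data is constructed, and the `Status` class, `assess()` and the other names are assumptions of the example.

```python
"""Scoring calculator for a NIST SP 800-171 basic self-assessment.

Added illustration, not DoD code: it applies the scoring rules described on this
page (start at 110, subtract the weight of each unimplemented requirement,
partial credit only for 3.5.3 and 3.13.11, no score without an SSP) and returns
a remediation list ordered by point impact. Weights come only from the
requirements named on this page; any other ID must be added from the DoD
Assessment Methodology table before use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110

# Weights as stated on this page.
FIVE_POINT = {
    "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.4.1", "3.6.2", "3.8.3", "3.9.2",
    "3.10.2", "3.12.3", "3.13.2", "3.14.3",
    "3.3.5", "3.4.5", "3.11.2", "3.13.6", "3.14.4",
    "3.5.3", "3.13.11",  # 5 points if absent, 3 if partially implemented
}
THREE_POINT = {"3.3.2", "3.8.1", "3.11.1", "3.7.4", "3.8.8", "3.14.5"}
# Only these two earn a reduced deduction for partial implementation:
# MFA for privileged/remote users only, or encryption that is not FIPS validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Status:
    state: str                       # "implemented", "partial" or "not_implemented"
    poam_date: Optional[str] = None  # planned completion date from the POA&M, if any


def weight(req_id: str) -> int:
    """Full deduction for a requirement that is not implemented."""
    if req_id in FIVE_POINT:
        return 5
    if req_id in THREE_POINT:
        return 3
    raise ValueError(f"{req_id}: weight not on this page; add it from the DoD "
                     "Assessment Methodology table before scoring")


def deduction(req_id: str, status: Status) -> int:
    if status.state == "implemented":
        return 0
    if status.state == "partial" and req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req_id]
    # Any other partial or absent implementation loses the full weight.
    return weight(req_id)


def assess(ssp_exists: bool, statuses: Dict[str, Status]):
    """Return (score, remediation list, IDs that lack a POA&M entry).

    Without an SSP the assessment cannot be completed, so no score is produced.
    """
    if not ssp_exists:
        return None, [], []
    remediation: List[Tuple[str, int]] = []
    missing_poam: List[str] = []
    for req_id, status in statuses.items():
        points = deduction(req_id, status)
        if points == 0:
            continue
        remediation.append((req_id, points))
        # 3.12.2: every unimplemented requirement needs a plan of action.
        if status.poam_date is None:
            missing_poam.append(req_id)
    # Biggest point impact first, so the list doubles as the work queue.
    remediation.sort(key=lambda item: (-item[1], item[0]))
    score = MAX_SCORE - sum(points for _, points in remediation)
    return score, remediation, sorted(missing_poam)


# Constructed sample assessment (not real data): everything named on this page
# is implemented except the four entries below.
SAMPLE = {req: Status("implemented") for req in FIVE_POINT | THREE_POINT}
SAMPLE.update({
    "3.3.1": Status("not_implemented", poam_date="2021-01-15"),    # no audit logs
    "3.5.3": Status("partial", poam_date="2021-02-01"),            # MFA for privileged/remote only
    "3.13.11": Status("not_implemented", poam_date="2021-03-01"),  # no FIPS-validated crypto
    "3.8.8": Status("not_implemented"),                            # unowned USB media allowed, no POA&M
})

if __name__ == "__main__":
    score, todo, no_poam = assess(True, SAMPLE)
    print(f"Self-assessment score: {score}/{MAX_SCORE}")
    for req_id, pts in todo:
        print(f"  {req_id}: {pts} points")
    print("Unimplemented requirements with no plan of action:", no_poam)
```

On the constructed sample the score is 94 (110 minus 5 + 3 + 5 + 3), the two five-point gaps head the queue, and 3.8.8 is flagged because it has no plan of action, which is the condition that would make 3.12.2 itself assessed as not implemented. Raising an error for an unknown ID is deliberate: a missing weight must not silently count as zero.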
03 IMPLEMENT any missing/noncompliant security controls prioritized by impact to NIST score
04 REASSESS COMPLIANCE and submit updated score to Supplier Performance Risk System (SPRS)
05 CONTINUE CLOSING POA&M items; reassess and update SPRS when score materially improves
A gap analysis using NIST 800-171A can point out practices that need a quick fix,
like rewriting company policies. It also can provide a heads up on practices that
will require more substantial investments or time and resources. Perhaps most
importantly, an independent review can catch things your self-assessments may
have missed and prevent your NIST score from being a surprise.
RESOURCES
NIST SP 800-171 rev 2, Protecting CUI in Nonfederal Systems and
Organizations (PDF)
Documentation Templates