NIST SP 800-171 Basic Contractor Self-Assessment

What is a Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment?

Learn what a basic NIST SP 800-171 DoD assessment is and how to perform one to meet your DFARS 252.204-7019 and DFARS 252.204-7020 requirements.

The Basic Assessment is the Contractor’s self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with NIST SP 800-171 DoD Assessment Methodology. The Basic Assessment results in a confidence level of ‘Low’ in the resulting score because it is a self-generated score.

What does a Basic NIST SP 800-171 Assessment Report Include?

[Figure: Example of a Basic NIST SP 800-171 Assessment report generated by the Compliance Accelerator]

It should include your summary level score; the scope of the Basic Assessment (CAGE code and associated system), which can be set using the Compliance Accelerator app; and the plan of action and milestones (POA&M) completion date, that is, the date by which a score of 110 is expected to be achieved for each system security plan assessed. Medium and High assessments require additional fields, which we have included in the assessment report generated by the Compliance Accelerator.

What is a Summary Level Score?


We have a blog post dedicated to this question; in short, a summary level score, commonly referred to as the “SPRS score” (pronounced “spurs”), is the result of a NIST SP 800-171 DoD Assessment performed in accordance with the NIST SP 800-171 DoD Assessment Methodology, Version 1.2. A summary level score helps identify a contractor's progress towards implementing the NIST SP 800-171 set of security controls. The summary level score, when submitted to the Supplier Performance Risk System (SPRS), provides the DoD with “a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.”

How to Calculate a Summary Level Score?

[Figure: SPRS score display showing a Summary Level Score of 3]

We answer this question in our blog post on summary level scores; however, the easiest way to calculate it is to use the Compliance Accelerator app. Once you complete the assessment survey, you will have a summary level score, a Basic NIST SP 800-171 Assessment report, and a plan of action and milestones document, all generated automatically.

What is a Plan of Action and Milestones (POA&M)?

[Figure: POA&M generated by the Compliance Accelerator]

According to the NIST glossary, a POA&M is a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”
A plan of action and milestones (POA&M) document includes the following columns: POAM ID (identifies an action item), Weakness (describes the weakness associated with the action item), Responsible Person (the person or people responsible for the action item), Scheduled Start Date, Scheduled Completion Date, Milestones, how the weakness was identified, and the current implementation status.

How to Create a Plan of Action & Milestones document

If you use the Compliance Accelerator app, you simply need to complete an assessment survey and assign team members to the auto-generated gap remediation tasks. The app will then automatically generate your plan of action and milestones document as depicted above.

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance, we have the expertise and solution for you.

NIST SP 800-171 & CMMC Compliance App

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.

HIPAA Compliance App

Become compliant, provide compliance services, or verify partner compliance with HIPAA Security Rule requirements.

FAR 52.204-21 Compliance App

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.

ISO 27001 Compliance App

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.