What is a Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment?
By: Omer Kaan Aslim
October 25, 2021
Learn what a basic NIST SP 800-171 DoD assessment is and how to perform one to meet your DFARS 252.204-7019 and DFARS 252.204-7020 requirements.
The Basic Assessment is the Contractor’s self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with NIST SP 800-171 DoD Assessment Methodology. The Basic Assessment results in a confidence level of ‘Low’ in the resulting score because it is a self-generated score.
What does a Basic NIST SP 800-171 Assessment Report Include?
Image: Example of a Basic NIST SP 800-171 Assessment report generated by the Compliance Accelerator
It should include your summary level score; the scope of the Basic Assessment (CAGE code and associated system), which can be set using the Compliance Accelerator app; and the plan of action (POA&M) completion date, that is, the date by which a score of 110 is expected to be achieved for each system security plan assessed. Medium and High assessments require additional fields, which we have included in the assessment report generated by the Compliance Accelerator.
What is a Summary Level Score?
Image: Download or print your Assessment Report
We have a blog dedicated to this question; in short, a summary level score, commonly referred to as the “SPRS score” (pronounced “spurs”), is the result of a NIST SP 800-171 DoD Assessment performed in accordance with the NIST SP 800-171 DoD Assessment Methodology, Version 1.2. A summary level score helps identify a contractor's progress towards implementing the NIST SP 800-171 set of security controls. The summary level score, when submitted to the Supplier Performance Risk System (SPRS), provides the DoD with “a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.”
How to Calculate a Summary Level Score?
Image: Summary Level Score of 3
We answer this question in our blog post on summary level scores; however, the easiest way to calculate it is to use the Compliance Accelerator app. Once you complete the assessment survey, a summary level score, a Basic NIST SP 800-171 Assessment report, and a plan of action and milestones document are all generated automatically.
What is a Plan of Action and Milestones (POA&M)?
Image: POA&M generated by the Compliance Accelerator
According to the NIST glossary, a POA&M is a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.”
A plan of action and milestones (POA&M) document includes the following columns: POAM ID (identifies an action item), Weakness (describes the weakness associated with the action item), Responsible Person (the person(s) responsible for the action item), Scheduled Start Date, Scheduled Completion Date, Milestones, How the Weakness Was Identified, and the current Implementation Status.
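To make the relationship between the summary level score, the POA&M columns and the Basic Assessment report fields concrete, here is an added Python example; it is not from the original post and is not the Compliance Accelerator's own code. It applies the DoD Assessment Methodology's scoring rule (start at 110, subtract the 5, 3 or 1 point weight of each requirement not yet implemented) and emits a POA&M with the columns listed above. The requirement weights, CAGE code, names, dates and gap descriptions are constructed sample data, not values from the methodology's Annex A or from any real system.

```python
"""Added example: a minimal model of a Basic NIST SP 800-171 self-assessment
record and the POA&M that tracks its gaps. Not part of the original post."""
from dataclasses import dataclass
from datetime import date
import csv
import io


@dataclass
class Gap:
    req_id: str        # NIST SP 800-171 requirement identifier, e.g. "3.5.3"
    weakness: str      # description of the unimplemented requirement
    weight: int        # 5, 3 or 1 per the DoD Assessment Methodology scale
    responsible: str   # responsible person
    start: date        # scheduled start date
    completion: date   # scheduled completion date
    milestones: str
    identified_by: str  # how the weakness was identified
    status: str = "Not Started"


def open_gaps(gaps):
    # Only gaps that are still open count against the score.
    return [g for g in gaps if g.status != "Implemented"]


def summary_level_score(gaps):
    # Methodology rule: 110 maximum, minus the weight of each open gap.
    return 110 - sum(g.weight for g in open_gaps(gaps))


def poam_completion_date(gaps):
    # The POA&M completion date is when the last open item is scheduled to
    # close, i.e. when a score of 110 is expected for this system security plan.
    remaining = open_gaps(gaps)
    return max(g.completion for g in remaining) if remaining else None


POAM_COLUMNS = ["POAM ID", "Weakness", "Responsible Person", "Scheduled Start",
                "Scheduled Completion", "Milestones", "How Identified", "Status"]


def poam_rows(gaps):
    # One row per gap, in the column order of POAM_COLUMNS.
    return [[f"POAM-{i:03d}", f"{g.req_id}: {g.weakness}", g.responsible,
             g.start.isoformat(), g.completion.isoformat(), g.milestones,
             g.identified_by, g.status] for i, g in enumerate(gaps, 1)]


def poam_csv(gaps):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(POAM_COLUMNS)
    writer.writerows(poam_rows(gaps))
    return buf.getvalue()


def basic_assessment_report(cage_code, system_name, gaps, assessed_on):
    # Fields a Basic Assessment report carries: scope, score, POA&M date.
    finish = poam_completion_date(gaps) or assessed_on
    return {
        "assessment_level": "Basic",
        "confidence": "Low",  # self-generated score, per the Basic level definition
        "scope": {"cage_code": cage_code, "system": system_name},
        "assessment_date": assessed_on.isoformat(),
        "summary_level_score": summary_level_score(gaps),
        "poam_completion_date": finish.isoformat(),
    }


# Constructed sample gaps; the weights only illustrate the 5/3/1 scale and are
# not the official Annex A values for these requirements.
SAMPLE_GAPS = [
    Gap("3.5.3", "MFA not enforced for local access to privileged accounts", 5,
        "IT Lead", date(2021, 11, 1), date(2022, 1, 31),
        "Pilot MFA on admin accounts; roll out to all users", "Self-assessment"),
    Gap("3.4.1", "No configuration baseline for Windows 10 endpoints", 3,
        "Endpoint Admin", date(2021, 11, 15), date(2022, 3, 15),
        "Draft baseline; apply via GPO; verify", "Self-assessment"),
    Gap("3.1.22", "Public-facing web content not reviewed for CUI", 1,
        "Comms", date(2021, 11, 1), date(2021, 12, 15),
        "Define review process", "Self-assessment", status="Implemented"),
]

if __name__ == "__main__":
    # "1ABC2" is a placeholder CAGE code, not a real one.
    print(basic_assessment_report("1ABC2", "CUI enclave", SAMPLE_GAPS,
                                  date(2021, 10, 25)))
    print(poam_csv(SAMPLE_GAPS))
```

With the sample data, the one implemented gap no longer deducts points, so the score is 102 and the POA&M completion date is the latest scheduled completion of the two open items. Marking a gap "Implemented" rather than deleting its row keeps the POA&M as a record of how the score changed over time.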
How to Create a Plan of Action & Milestones document
If you use the Compliance Accelerator app, you simply need to complete an assessment survey and assign team members to the auto-generated gap remediation tasks. The app will then automatically generate your plan of action and milestones document as depicted above.