The DoD updates to the DFARS clause in 1Q FY 2021 defined the requirement for contractors with respect to the DoD Assessment Methodology for NIST SP 800-171 compliance (see DFARS clauses 7019 and 7020). A Basic Assessment is a self-assessment performed by the contractor based on a review of the System Security Plan for the non-federal system that houses CUI. Contractors have to follow the DoD assessment methodology to calculate an overall compliance score for SP 800-171. According to the methodology, the contractor starts with 110 points and then subtracts 1, 3, or 5 points (depending on the criticality of each control) for each control that isn’t fully and properly implemented. The scoring mechanism gives no credit for partially implemented controls. After a score is calculated, contractors can submit that score (and the estimated date of full compliance) to DoD via email or the SPRS system.


According to the DFARS 7019 clause, contractors must submit an 800-171 compliance score to DoD in order to be eligible for an award. DoD has chosen to gradually introduce this requirement into contracts over FY21 – FY23.


The objective of the NIST 800-171 scoring process is to give DoD agencies visibility into the level of contractor security compliance during the interim period while the CMMC program is being phased in. Agencies will consider the contractor’s compliance score and the associated full remediation date as a key factor in granting an award. In addition, DoD has made each contractor responsible for ensuring the NIST 800-171 compliance of its subcontractors throughout the supply chain. Scores give contractors visibility into the level of compliance and remediation date of potential subcontractors, and this could certainly factor into decisions about which firms are granted subcontracts. This means that a bad score could impact a firm’s ability to obtain direct contracts from DoD as a prime, as well as subcontracts from further down the supply chain. In other words, a poor score (especially when combined with a less than aggressive date for achieving full compliance) may keep a contractor from getting new DoD business.


Fortunately, contractors can update their SPRS scores as often as they wish, and this suggests an approach that any contractor with a poor score should take. To improve their score quickly, contractors should prioritize remediation actions that involve limited effort (“quick wins”) or that have a significant impact on the score (“big ticket items”). Prioritizing these remediation actions often results in a contractor making significant improvement to their score in a matter of a few months. The key is to stay focused on actions that affect the score and to actually get those remediation actions completed. As progress is made, contractors should periodically update the SPRS system (and notify relevant prime contractors) to reflect the continual improvement to their score.
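The following Python script is an added worked example, not code from the original post or from DoD. It computes a score the way the methodology described above works (start at 110, subtract each unimplemented control's weight of 1, 3 or 5, no partial credit) and then orders the open findings by score gain per day of effort, which is one way to combine the "quick wins" and "big ticket items" the remediation advice above refers to. The control identifiers, weights and effort estimates are constructed sample data; in practice the weight assigned to each control must be taken from the DoD Assessment Methodology itself.

```python
"""Added example: score a NIST SP 800-171 self-assessment using the DoD
Assessment Methodology scoring rule and rank open findings for remediation.

Assumptions (labelled): control IDs, weights and effort estimates below are
constructed sample values, not taken from the original post or from DoD.
"""
from dataclasses import dataclass

MAX_SCORE = 110  # starting score: all 110 controls fully implemented


@dataclass(frozen=True)
class ControlAssessment:
    control_id: str      # control identifier (sample values are illustrative)
    weight: int          # points deducted if not fully implemented: 1, 3 or 5
    implemented: bool    # True only when fully and properly implemented
    effort_days: float   # constructed estimate of remediation effort

    def __post_init__(self):
        # The methodology only uses weights of 1, 3 and 5; reject anything else.
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.control_id}: weight must be 1, 3 or 5")


def sprs_score(assessments):
    """Start at 110 and subtract the weight of every control that is not
    fully implemented. A partially implemented control earns no credit, so
    it is deducted in full just like an unimplemented one."""
    return MAX_SCORE - sum(a.weight for a in assessments if not a.implemented)


def prioritize_remediation(assessments):
    """Rank open findings by score gain per day of effort (quick wins and
    big-ticket items rise to the top); ties go to the heavier control."""
    open_items = [a for a in assessments if not a.implemented]
    return sorted(open_items, key=lambda a: (-a.weight / a.effort_days, -a.weight))


def projected_scores(assessments):
    """Score after each step of the prioritized plan, starting with the
    current score, to show how the score climbs as findings are closed."""
    score = sprs_score(assessments)
    trajectory = [score]
    for item in prioritize_remediation(assessments):
        score += item.weight
        trajectory.append(score)
    return trajectory


# Constructed sample assessment: IDs, weights and effort are illustrative only.
SAMPLE = [
    ControlAssessment("3.1.1", 5, True, 0),
    ControlAssessment("3.1.2", 5, True, 0),
    ControlAssessment("3.1.20", 1, False, 0.5),   # low weight, but a quick win
    ControlAssessment("3.3.1", 5, False, 10),     # big-ticket item, moderate effort
    ControlAssessment("3.4.1", 5, False, 30),     # big-ticket item, large effort
    ControlAssessment("3.8.1", 3, False, 2),
    ControlAssessment("3.12.1", 5, False, 1),     # big-ticket item and quick
]

if __name__ == "__main__":
    print("current score:", sprs_score(SAMPLE))
    for a in prioritize_remediation(SAMPLE):
        print(f"  remediate {a.control_id}: +{a.weight} points, ~{a.effort_days} days")
    print("projected scores:", projected_scores(SAMPLE))
```

Running the script on the constructed sample gives a current score of 91 and a plan that closes 3.12.1 and 3.1.20 first; a contractor would re-run it after each completed action and resubmit the new score to SPRS. The effort column is the only input the methodology does not define, so it should be estimated per environment rather than reused from this sample.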