How to Conduct a NIST 800-171 Compliance Assessment

What is NIST SP 800-171?

TL;DR: My goal for this post is to give an overview of the NIST 800-171 compliance framework, the high-level process an organization can follow to start moving towards compliance, and the tools Compliance Cloud Solutions offers to help with the process. If you are only here for the tools, click below for access to our free NIST 800-171 Workbook, SSP, and POAM templates, or click here to see a demo of how our cloud platform streamlines NIST 800-171 compliance.

If you are new to NIST 800-171, or have been tasked by your organization with figuring out what it means to you, I would highly recommend our full writeup here for the full context and implications in the current federal environment. For the initiated, or those in a hurry (as I typically am), here is a quick refresher on the framework and the business problem it poses to most organizations.

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, which defines the security requirements for protecting CUI on systems outside the federal government. DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, makes those requirements contractual: it is included in all DoD solicitations and contracts other than those solely for commercially available off-the-shelf (COTS) items.

DoD contractors are required to “self certify” all “covered contractor information systems,” which are generally any systems that store, process, generate, transmit, or access DoD-related controlled unclassified information (CUI), which DoD terms “covered defense information” (CDI).

What does it mean to DoD Contractors? 

In practice this means that if you want to do business with the DoD, as a prime contractor or a subcontractor, you will be required to tackle this compliance framework in order to be awarded the work, and you are likely already on the hook for these requirements under any DoD contracts you currently hold, since the clause flows down from primes to subcontractors that handle CDI.

How does NIST 800-171 work? A note on scope…

NIST 800-171 requirements are applied to a “system” the organization uses to create, store, process, or transmit CUI. For this purpose, a “system” is all of the components (computers, servers, network devices, etc.) that contain CUI, or that support the components which contain CUI. Functionally, this means a system could be a single application with proper segmentation and access control, or it could be the organization’s entire network if there is no segmentation: without a boundary, everything that can reach CUI is in scope. If you have any experience with Payment Card Industry (PCI DSS) compliance, you are already familiar with this concept. In practice, limiting the footprint of CUI to a single well-defined system, and applying the segmentation and access management controls at that system’s boundary, is usually much easier than applying the controls across the enterprise.

What are the control objectives?

NIST 800-171 (Rev. 2) contains 110 security requirements across 14 control families covering the various focus areas of information security operations. Under the DoD Assessment Methodology, each requirement carries a weight of 1, 3, or 5 points. Scoring starts from a perfect 110; nothing is subtracted for a requirement the organization has implemented, and the full weight is subtracted for each requirement it has not.

Sample taken from the DoD NIST SP 800-171 Assessment Methodology, Version 1.2 (June 2020) – https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2%20%206.24.2020.pdf

Additionally, some requirements may not be applicable to the system in scope for the assessment. In that case the organization must document in its SSP why the requirement does not apply, and no points are subtracted for it. Once all 110 requirements have been reviewed, the weighted value of each unimplemented requirement is subtracted from 110, so the result can range from 110 down to -203; a negative score is entirely possible for an organization early in its program. The score the organization self-certifies is then used in contract due diligence between prime contractors and subcontractors, and is uploaded to the DoD’s Supplier Performance Risk System (SPRS), where it is checked before award of DoD contracts.

After the control review and scoring exercise, the results are documented in two standard deliverables: the System Security Plan (SSP) and the Plan of Action and Milestones (POAM).

The SSP is a comprehensive document describing every component that makes up the system supporting CUI activities, the users and administrators of that system, and the controls in place within it that satisfy each of the NIST 800-171 requirements.

Any gaps identified during the review go into the POAM. The POAM is a roadmap outlining the path to compliance: for each unmet requirement, what the organization is going to do, who owns it, and by when, until all 110 NIST 800-171 requirements are met.

The Compliance Cloud Solutions NIST 800-171 Workbook

The official NIST 800-171 guidance leaves much to be desired when it comes to practical application. While some of the requirements are fairly straightforward, some of them are not.

Let’s take a look and see how the CCS NIST 800-171 Workbook can help break down each control for easier understanding and application.

Within the workbook, each control is represented on one row. Each column provides some information about the control, some straight from NIST, and some information that CCS has included based on industry experience. Here is a breakdown:

  • Column A – NIST 800-171 Control Number
  • Column B – NIST 800-171 Control Family
  • Column C – Official Control Text from NIST SP 800-171 
  • Column D – Control Type – Controls within NIST 800-171 are defined as Basic or Derived. Basic Controls represent higher level objectives with derived controls being more specific and falling under the umbrella of a basic control. 
  • Column E – SPRS Scoring – Control weight value for use in scoring.
  • Column F – Information Required / Questions to ask – These questions were created by CCS and can be used to help an auditor get the information needed to answer the control objective.
  • Column G – NIST 171 Self Assessment Guidance – This is the “additional information” description from the official NIST 800-171 Self-Assessment Handbook.
  • Column H – High Level Explanation or Example – Simplified description which was added by CCS.
  • Column I – Current Status – Status of the control which can be set to “Implemented”, “Not Implemented”, or “Not Applicable” by the auditor.
  • Column J – Control Description – Cell for the auditor to document the control objective status for the target organization.
  • Columns K-N – Control mappings to NIST 800-53, ISO 27002:2013, CIS Top 20, DFARS 7012.

As the auditor reviews each control objective, Column I should be set to the current status based on the organization’s environment, and Column J should describe how that status was reached: what the control is, where it is implemented, and what evidence supports it. An SSP entry that just says “Implemented” with no description will not hold up to an assessor.

Once all 110 controls have been addressed, the auditor sorts by Column I to get a list of all unmet controls, then selects their cells in the SPRS Score column (Column E); the spreadsheet’s status bar in the bottom right corner shows the combined weight of all unmet controls.

That total is subtracted from 110 to get the current score for SPRS upload (e.g. a deduction total of 43 gives a score of 67).

The next step in the process is creation of standard deliverables. Each control status and description should be copied from the Workbook into the SSP template provided by CCS.

Finally, copy all of the “Not Implemented” control objectives into the POAM tab of the workbook, and begin planning the remediation efforts for the organization.
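As an added example (this is not CCS’s workbook or platform code), here is the scoring arithmetic from the steps above as a small Python script, so it can be run over a CSV export of the workbook rather than summed by hand in the spreadsheet. The CSV layout, the sample rows, and the `strict` flag are my assumptions; the 1/3/5 weights, the zero deduction for a documented Not Applicable, and the 3-point partial credit for 3.5.3 and 3.13.11 come from the DoD Assessment Methodology linked above. The weights on the sample rows are what I recall from the methodology’s Annex A for those ids; verify them against Column E before relying on them.

```python
"""Compute a DoD Assessment Methodology (SPRS) score from a workbook export.

Constructed example: the rows mirror the workbook's control id / family /
weight (Column E) / status (Column I) layout saved as CSV.
"""
import csv
import io

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 Rev. 2
MAX_SCORE = 110            # every requirement implemented
MIN_SCORE = 110 - 313      # -203: every requirement unimplemented (weights sum to 313)

# The DoD methodology deducts only 3 of 5 points for these two requirements
# when they are partially in place (MFA for remote/privileged users only;
# encryption in use but not FIPS-validated). Everything else is all or nothing.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample rows (assumed export format, not a real assessment).
SAMPLE_CSV = """control,family,weight,status
3.1.1,Access Control,5,Implemented
3.1.2,Access Control,5,Implemented
3.1.3,Access Control,1,Not Implemented
3.5.3,Identification and Authentication,5,Partially Implemented
3.10.6,Physical Protection,1,Not Applicable
3.13.11,System and Communications Protection,5,Not Implemented
3.14.1,System and Information Integrity,5,Not Implemented
"""


def load_rows(csv_text):
    """Parse the export, rejecting duplicate control ids (they double-count)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ids = [r["control"].strip() for r in rows]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control ids in export")
    return rows


def deduction(row):
    """Points subtracted from 110 for a single requirement."""
    control = row["control"].strip()
    status = row["status"].strip()
    weight = int(row["weight"])
    if weight not in (1, 3, 5):
        raise ValueError(f"{control}: weight must be 1, 3 or 5, got {weight}")
    if status in ("Implemented", "Not Applicable"):
        # N/A must be justified in the SSP, but it costs no points.
        return 0
    if status == "Not Implemented":
        return weight
    if status == "Partially Implemented":
        # Conservative: outside the two partial-credit requirements, a partial
        # implementation scores as not implemented rather than silently
        # earning credit the methodology does not give.
        return PARTIAL_CREDIT_DEDUCTION.get(control, weight)
    raise ValueError(f"{control}: unknown status {status!r}")


def is_complete(rows):
    """True only when every one of the 110 requirements has a row."""
    return len(rows) == TOTAL_REQUIREMENTS


def sprs_score(rows, strict=True):
    """110 minus the weighted deductions. strict=True refuses to score an
    incomplete workbook, because a score over a partial list is meaningless."""
    if strict and not is_complete(rows):
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} rows, got {len(rows)}")
    score = MAX_SCORE - sum(deduction(r) for r in rows)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_items(rows):
    """Control ids that belong on the POAM: anything not fully implemented."""
    return [r["control"].strip() for r in rows
            if r["status"].strip() in ("Not Implemented", "Partially Implemented")]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    # strict=False only because the sample carries 7 of the 110 rows.
    print("score:", sprs_score(rows, strict=False))  # 96
    print("POAM:", poam_items(rows))
```

Against the sample rows the deductions are 1 + 3 + 0 + 5 + 5 = 14, giving a score of 96; the four rows that are not fully implemented are the POAM list. Note the default `strict=True`: a real run should fail if the export does not contain all 110 requirements, since a missing row would otherwise be scored as if it were implemented.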

At this point, we have laid the base for completing the deliverables. In addition to the control descriptions and statuses copied into the SSP, some additional information is needed to complete the documents.

The information in the executive summary of the SSP will depend on the system that was assessed and the organization’s operating environment, but will focus on the system components/inventory, system user lists and descriptions, the system boundary, and other general information germane to the system and the operating processes surrounding it.

In addition to the SSP, the POAM will also need to be completed. Once again, the POAM is going to be specific to each system and organization, and will likely require multiple stakeholders from the organization in order to flesh out a strategic plan with owners and target dates.

CCS’s solution for NIST 800-171

While the workbook and templates work well as a guide and help remove some ambiguity, the process is still manual and complex. We recommend engaging experts to help with the process, as falsely reporting your compliance level can mean loss of contracts in the best case, and civil liability under the False Claims Act or criminal charges for knowingly false statements in the worst case.

Additionally, the Compliance Cloud Solutions platform can help streamline the process from start to finish, allowing collaboration between the various stakeholders, automatic mapping of IT controls to control objectives, and automated reporting. Check out the demo video below or click here to set up a demo with a team member!