New 800-171 Assessment Process in DFARS Rule Change
By Greg Kent
The Department of Defense (DoD) recently released changes to DFARS rules for security assessments required for contractors. The CMMC Interim Rule (DFARS Case 2019-D041) requires defense contractors to self-report a score of compliance with 800-171 controls using a specified scoring methodology. Results of these assessments will be posted on the Supplier Performance Risk System (SPRS) for contracting agencies to evaluate. Contractors not listed on the SPRS will not be eligible for contracts. DoD is rolling out this new 800-171 self-assessment over the next 3 years (FY 2021-2023) as an interim step toward CMMC compliance, which is targeted for the next 7-10 years. The CMMC Interim Rule takes effect November 30, 2020.
The DoD’s new 800-171 assessment methodology consists of 3 levels:
- Basic: a self-assessment performed by the contractor based on review of the SSP and “conducted in accordance with NIST SP 800-171A”
- Medium: a DoD assessment consisting of a thorough review of the SSP and discussions for “additional information and clarification as needed”
- High: a DoD assessment “using NIST SP 800-171A” and consisting of a thorough document review and thorough verification/examination/demonstration by reviewing appropriate evidence to validate “that the security requirements have been implemented as described in the SSP”
The methodology prescribes a scoring system with a separate assessment for each system defined by a System Security Plan (SSP). An organization starts with 110 points and then subtracts 1-5 points for each requirement that is not fully and properly implemented. Organizations that have not implemented significant controls will have negative scores. Points to subtract are weighted:
• Subtract 5 points for each unimplemented 800-171 control that protects against “significant exploitation of the network or exfiltration of DoD CUI” (42 controls)
• Subtract 3 points for each unimplemented 800-171 control with “specific and confined effect on the security of the network and its data” (14 controls)
• Subtract 1 point for each unimplemented 800-171 control with “limited or indirect effect on the security of the network and its data” (remaining controls)
Similar to CMMC security requirements, there will be no credit for partial implementation of a control; an implementation that is 75% complete will be considered not fully implemented, apart from the following exceptions:
• Requirement 3.5.3: Multi-Factor Authentication (MFA) implemented only for some remote-access and privileged users subtracts 3 points; no MFA for any users subtracts 5 points.
• Requirement 3.13.11: Use of cryptography that is non-FIPS validated subtracts 3 points; no encryption at all subtracts 5 points. This applies only to required cryptography, such as data leaving protected systems.
• Requirements 3.1.12, 3.1.16, 3.1.18: Organizations that tag these controls as “not applicable” because they disallow remote, wireless, and mobile access (respectively) but do not have a policy and “control procedures in place to ensure these capabilities are not enabled inadvertently” will subtract 1 point for each instance of noncompliance.
• “Temporary deficiencies” that arise after implementation (e.g., a required patch invalidates FIPS validation) and that are (1) documented and tracked to resolution in the POAM and (2) “reasonable” in terms of their duration and mitigation to acceptable risk should be assessed as implemented.
• “Isolated enduring exceptions” (e.g., unique equipment that cannot meet the requirement) that are (1) described fully in the SSP and (2) mitigated to acceptable risk should be assessed as implemented.
Any requirements submitted in writing to DoD and approved as either not applicable or met by alternative equally effective security measures (e.g., if organizations followed the 252.204-7008 and 7012 processes) are considered to be fully implemented. The results of the assessment (type of assessment, date, score, and final date when a perfect score of 110 is expected by complete closure of all POAMs) are posted on the SPRS portal. New DFARS 252.204-7019 requires that only firms that have a current (not older than 3 years) DoD 800-171 Assessment score can be considered for award of a contract involving Controlled Unclassified Information (CUI).
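The scoring rules and exceptions described above can be expressed as a small calculator. This is an added example, not DoD or SecureIT code: the field names and status labels are hypothetical, each requirement's weight (5, 3 or 1) is an input the caller takes from the DoD methodology, and the sample findings (including the `R-A`/`R-B`/`R-C` placeholder requirements) are constructed. Requirements absent from the list are assumed implemented.

```python
from dataclasses import dataclass

PARTIAL_CREDIT = {"3.5.3", "3.13.11"}             # partial costs 3, absent costs 5
NA_NEEDS_POLICY = {"3.1.12", "3.1.16", "3.1.18"}  # N/A must be backed by policy and procedures

@dataclass
class Finding:
    req: str                     # NIST SP 800-171 requirement number
    weight: int                  # 5, 3 or 1, looked up by the caller
    status: str                  # implemented | partial | not_implemented | not_applicable
    poam_tracked: bool = False   # temporary deficiency, tracked in the POAM, reasonable
    ssp_exception: bool = False  # isolated enduring exception, in the SSP, mitigated
    dod_approved: bool = False   # N/A or alternative measure approved in writing by DoD
    na_policy: bool = False      # policy and control procedures support the N/A claim

def deduction(f: Finding) -> int:
    """Points to subtract for one requirement."""
    if f.weight not in (5, 3, 1):
        raise ValueError(f"{f.req}: weight must be 5, 3 or 1")
    # Approved, POAM-tracked and SSP-documented cases are assessed as implemented.
    if f.status == "implemented" or f.dod_approved or f.poam_tracked or f.ssp_exception:
        return 0
    if f.status == "not_applicable":
        if f.req not in NA_NEEDS_POLICY:
            # The article gives no rule for unapproved N/A claims elsewhere.
            raise ValueError(f"{f.req}: 'not applicable' requires DoD approval")
        return 0 if f.na_policy else 1
    if f.status == "partial" and f.req in PARTIAL_CREDIT:
        return 3
    if f.status in ("partial", "not_implemented"):
        return f.weight          # no credit for partial implementation
    raise ValueError(f"{f.req}: unknown status {f.status!r}")

def assessment_score(findings) -> int:
    """Start at 110 and subtract; the result can be negative."""
    return 110 - sum(deduction(f) for f in findings)

SAMPLE = [  # constructed findings for one SSP
    Finding("3.5.3", 5, "partial"),                 # MFA for some users only: -3
    Finding("3.13.11", 5, "not_implemented"),       # no encryption: -5
    Finding("3.1.16", 5, "not_applicable"),         # wireless banned, no policy: -1
    Finding("R-A", 3, "partial"),                   # 75% complete: -3
    Finding("R-B", 1, "not_implemented", poam_tracked=True),   # 0
    Finding("R-C", 5, "not_implemented", ssp_exception=True),  # 0
]

if __name__ == "__main__":
    print(assessment_score(SAMPLE))
```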
While these requirements are the same as CMMC in terms of a prerequisite to be considered for an award, they will come into play much sooner than CMMC with one-third of RFIs/contracts scheduled for each FY 2021-2023. DoD also plans to select 200 contractors for Medium level assessments and 110 contractors for High level assessments each fiscal year. Contractors are required to make their facilities, systems, and personnel available to DoD for an 800-171 assessment when requested.
Managing your organization’s compliance initiatives requires knowing your data and systems, identifying staffing and funds for compliance work, and ensuring schedules are on-track to meet assessment timelines. With the DoD encouraging contractors to immediately conduct and submit a Basic Assessment, organizations need an experienced compliance partner to guide them through the 800-171 compliance process for this interim rule, and beyond, for CMMC. Knowledgeable compliance experts can help you ensure that efforts are best targeted to deliver quick turnaround to meet the CMMC Interim Rule while working effectively toward achieving appropriate levels of CMMC Compliance. Contact SecureIT today to discuss your next steps towards achieving compliance with the new DFARS 800-171 scoring requirement.