Using NIST SP 800-171A to Perform Self-Assessments and Scoring under the New DFARS Cybersecurity Rule

NISTYou are probably well aware at this point that the Department of Defense has published new (interim) cybersecurity rules (effective November 30, 2020). Much of the press around this announcement has been about the Cybersecurity Maturity Model Certification (CMMC). However, it is unknown when and to whom CMMC will apply over the next five years. (Don’t worry, you’ll get your turn).

What is known though is this: contractors that possess or wish to possess Controlled Unclassified Information (CUI) will have to conduct a self-assessment against NIST SP 800-171 and submit their scores to the DoD. Per the rule, the self-assessment should be done in accordance with the NIST SP 800-171 DoD Assessment Methodology, which can be found here.

What many people may not realize is that the assessment methodology requires the use of NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.”

If you’ve never taken the opportunity to look at NIST SP 800-171A, it’s a bit more extensive than a high-level reading of NIST SP 800-171 might lead you to believe. 171A breaks each 171 requirement down into specifics.

3.1.22 is a good example:

“Control CUI posted or processed on publicly accessible systems”

This seems pretty straight forward.

Going a bit further and pulling the example for the equivalent practice from CMMC, AC.1.004: “You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public. You allow only certain employees to post to their website.”

Again, straight forward and a really good idea.

NIST SP 800-171A though is a little bit more particular about what should be in place. Below is taken directly from 800-171A. These are the wickets you should be hitting to consider the control fully implemented:

ASSESSMENT OBJECTIVE

Determine if:

3.1.22[a] individuals authorized to post or process information on publicly accessible systems are identified.
3.1.22[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.
3.1.22[c] a review process is in place prior to posting of any content to publicly accessible systems.
3.1.22[d] content on publicly accessible systems is reviewed to ensure that it does not include CUI.
3.1.22[e] mechanisms are in place to remove and address improper posting of CUI

As you can see, a response that only the administrator/marketing director/etc. can post to our website, does not really hit the mark when it comes to what is required.

A key issue we see when we review security programs are that many roles, functions, and processes have not been formally defined. Typically, companies are doing the right thing, they just haven’t had the opportunity to write down the procedures or practices.

Based on the DoD requirements it is now imperative that the resources are allocated to formalize the program.

More Information

For more information, read our related blog: DoD Now to Require Cybersecurity Self-Assessments with New DFARS Rule (October 1, 2020).

 How Sera-Brynn Can Help

If you plan on performing a self-assessment against NIST SP 800-171, use NIST SP 800-171A.

Sera-Brynn analysts are available to help.

Contact us at info@sera-brynn.com.


The author, Colin Glover, is a principal and senior security analyst at Sera-Brynn, LLC.