NIST SP 800-171 DOD ASSESSMENT METHODOLOGY (DAM), VERSION 1.2.1 Chris Newborn DAU Cybersecurity Enterprise Team

Post on 14-Aug-2020


Page 1: NIST SP 800-171 DOD ASSESSMENT METHODOLOGY ......Do not subtract points if wireless access not permitted 3.4.9 Control and monitor user -installed software 1 3.5.2* Authenticate (or

NIST SP 800-171 DOD ASSESSMENT METHODOLOGY (DAM), VERSION 1.2.1

Chris Newborn, DAU Cybersecurity Enterprise Team

Page 2:

Webcast - Why

Targeted for Acquisition Workforce Members (AWF) who are responsible to:

• Deliver secure and resilient systems
• Determine cybersecurity requirements

Page 3:

Webcast - Why

Provides a forum to bring the right set of disciplines together to provide clarification regarding:

• AWF’s roles & responsibilities implementing the DFARS Clause and transitioning to the CMMC process

• Migration from current security requirements to the new CMMC process

• Challenges & issues concerning the implementation and execution of DFARS Clause on current and future procurements and the migration to the CMMC process


Page 4:

Webcast - Series Restart

The DFARS/CMMC webcast series will restart 25 Aug 2020. Possible subjects/topics:

• DFARS/CMMC Overview
• CMMC Level Selection
• CMMC AB Roles & Responsibility/Certification Process
• CMMC RFI/RFP Implementation
• DFARS/CMMC Limited Dissemination Control (LDC)/CUI Export Information

Page 5:

Outline

• Current Policy - DFARS
• Future Process - CMMC
• CMMC Roles & Responsibilities
• DoD Assessment Methodology
  - Overview
  - Scoring Methodology
  - Scoring
  - DIBCAC Result
  - DIBCAC Assessment Status
  - Stakeholder’s Roles & Responsibilities
• Summary

Page 6:

Current Policy – DFARS Clause 252.204-7012

Requires the program office/requiring activity to:
• Mark or otherwise identify in the contract, task order, or delivery order Controlled Unclassified Information (CUI)

Requires the contractor/subcontractor to:
• Provide adequate security to safeguard CUI
• Report cyber incidents
• Flow down the clause in subcontracts

Presenter Presentation Notes

Purpose: DFARS Clause 252.204-7012 is structured to ensure that controlled unclassified DoD information (CUI) residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment process, providing a single DoD-wide approach to safeguarding covered contractor information systems.

Page 7:

Future Process - CMMC

A certification process that measures a Defense Industrial Base (DIB) company’s ability to protect Federal Contract Information (FCI) & CUI within the supply chain

Combines cybersecurity standards and maps practices and processes to maturity levels; from “basic cyber hygiene” to “highly advanced”

Builds from existing regulation and guidelines (48 Code of Federal Regulations (CFR) 52.204-21, DFARS 252.204-7012, NIST SP 800-171 & NIST SP 800-171B)


Presenter Presentation Notes

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry to develop the Cybersecurity Maturity Model Certification (CMMC). The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The CMMC effort builds upon existing regulation (DFARS 252.204-7012), which is based on trust, by adding a verification component with respect to cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for certified independent third-party organizations to conduct audits and inform risk.

The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB). In the simplest of terms, the DoD announced in mid-2019 that it is creating a cybersecurity assessment model and certification program. Since that time, several draft versions of CMMC were publicly released (0.4, 0.6, and 0.7); CMMC 1.0 is now available.

In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) in response to DFARS 252.204-7012. This request from contracting authorities was often post-award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts. CMMC contrasts with DFARS 7012 by forcing the requirement before award, or 'pre-award'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a level certification of 1 to 5, 5 being the most secure. The higher your company certifies, the more contracts you will be eligible to bid on.

Page 8:

CMMC Roles/Responsibilities

Requires the program office/requiring activity to:
• Identify FCI/CUI Data and Marking Requirements
• Develop/Update Security Classification Guide (SCG) and Program Protection Plan (PPP)
• Identify CMMC Level(s)

Requires the contractor/subcontractor to:
• Develop/Update Artifacts/Deliverables per RFI/RFP
• Request C3PAO to perform CMMC assessment
• Develop Supply Chain/Tier 1 & below Contractor Support Agreements

Page 9:

Why DAM?

CMMC Roles & Responsibilities - Prime/Subs:

Executives/Project Managers/Contract Managers
• Develop certification strategy and scope
  o Subnetwork/Enclaves to support Supply Chain
  o Identification of CMMC Level III (CUI) and Level I (FCI) subcontractors and associated CMMC deliverables
• Develop contract artifacts/deliverables per RFI/RFP to include contractual flow down requirement
• Perform self-assessment to confirm CMMC Level requirements are 'fully' implemented and ready for 3rd party assessor
• Request C3PAO to perform CMMC assessment
• Develop draft response to RFI identifying possible CMMC compliance challenges
• Develop Supply Chain/Tier 1 Contract Support Agreements

Page 10:

NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1

Standard approach to “strategically” assess and document a contractor's implementation of NIST SP 800-171

Assessment measures the extent to which a company has implemented the security requirements in NIST SP 800-171
• Results based on what, if anything, is not yet implemented
• Results do not reflect specific implementation approach or compare solutions
• All solutions that meet the NIST SP 800-171 requirements are acceptable

Consists of three levels of assessment to reflect the depth of the assessment and the associated level of confidence in assessment results (Basic, Medium, and High)

Page 11:

DoD Assessment Changes Enacted Since COVID-19 Restrictions

DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), partnered with the DIB, conducted pilot NIST SP 800-171 DoD Assessments. Fundamental concepts learned post-pilot resulted in refinements to the assessment process:
• Standardization of assessment methodology
• Need for reciprocity
• Repeatable processes and assessment rigor
• Scoring consistency across DoD no matter which DoD entity conducts the assessment

Additional changes were enacted due to COVID-19 and DoD-enacted travel restrictions:
• DCMA pivoted methodology
• Continued assessment mission virtually
• Kept same standard and rigor for assessments; Virtual High Assessments are born
• The NIST SP 800-171 DoD Assessment Methodology Version 1.2 documents these changes

Page 12:

NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1

Levels of Assessment: Basic | Medium | High – Virtual | High – Onsite

Assessments conducted by:
• Basic: Contractor (self-assessment)
• Medium: Contractor and DoD Component personnel trained IAW DCMA/DIBCAC procedures
• High – Virtual: Contractor and DoD/DCMA personnel trained IAW DCMA/DIBCAC procedures
• High – Onsite: Contractor and DoD/DCMA personnel trained IAW DCMA/DIBCAC procedures

Assessments conducted IAW NIST SP 800-171A and consist of:
• Basic: Review/Score ‒ System Security Plan(s), Plan(s) of Action
• Medium: Review/Score ‒ System Security Plan(s), Plan(s) of Action; Discussion/Interviews
• High – Virtual: Review/Score ‒ System Security Plan(s), Plan(s) of Action; Discussion/Interviews; Review Documentation
• High – Onsite: Review/Score ‒ System Security Plan(s), Plan(s) of Action; Discussion/Interviews; Review Documentation; Onsite Review

Results ‒ Relevant to every contract supported by the assessed covered contractor information system(s):
• Basic: ‘Low’ level of confidence in resulting score
• Medium: ‘Medium’ level of confidence in resulting score
• High – Virtual: ‘High’ level of confidence in resulting score
• High – Onsite: ‘High’ level of confidence in resulting score

Scoring methodology is consistent across all levels of assessment

Page 13:

NIST SP 800-171 DoD Assessment Scoring Methodology

• If all requirements are met, a score of 110 is awarded
• For each requirement not met, the associated value is subtracted from 110 (which may result in a negative score)
• Security requirements are weighted based on the impact to the information system and the DoD CUI when that requirement is not implemented
• Absence of a system security plan will result in a finding that ‘assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012’
• Security requirements not implemented, whether a plan of action is in place or not, will be assessed as ‘not implemented’ (with the exception of any enduring exceptions to the requirements to accommodate special circumstances (e.g., medical devices), or any individual, isolated or temporary deficiencies)
• Implemented security measures adjudicated by the DoD CIO as equally effective, or approved as ‘not applicable,’ will be assessed as ‘met,’ with no deduction

Page 14:

NIST SP 800-171 DoD Assessment Scoring Methodology

Security Requirement | Value | Comment
3.1.17 Protect wireless access using authentication and encryption. | 5 | Do not subtract points if wireless access not permitted
3.4.9 Control and monitor user-installed software | 1 |
3.5.2* Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | 5 |
3.5.3 Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts. | 3 to 5 | Subtract 5 points if MFA not implemented. Subtract 3 points if implemented for remote and privileged users, but not the general user
3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | 3 | Exposure limited to CUI on media

* Basic safeguarding requirements and procedures to protect covered contractor information systems per Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

NIST SP 800-171 DoD Assessment Scoring Template
• Weighted requirements include all ‘Basic’ Security Requirements and a subset of ‘Derived’ Requirements
• If not implemented, points subtracted from score of 110 as follows:
  ‒ 5 points for requirements that could lead to significant exploitation of the network, or exfiltration of DoD CUI
  ‒ 3 points for ‘Basic’ and ‘Derived’ requirements that have specific and confined effect on security of the network and its data
  ‒ 1 point for remaining ‘Derived’ requirements (limited impact/indirect effect on security of network/data)

Page 15:

Basic Assessment

Contractor's self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s), and conducted in accordance with Section 5 and Annex A of this document.
• Results in a confidence level of 'Low' in the resulting score because it is a self-generated score.

Page 16:

Medium Assessment
• Conducted by DoD personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment.
• The first step - Contractor conducts a Basic Assessment and submits results to the Department.
• Assessment consists of a review of the Basic Assessment and a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed.
• Assessment results in a confidence level of 'Medium' in the resulting score.

Page 17:

High Assessment
• Conducted by DoD personnel; requires a thorough on-site verification/examination/demonstration of the Contractor's system security plan and implementation of the NIST SP 800-171 security requirements.
• The first step - Contractor conducts a Basic Assessment and submits results to the Department.
• Assessment consists of a review of the Basic Assessment, a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed, combined with government validation that the security requirements have been implemented as described in the system security plan. Network access by the assessor(s) is not required.
• Assessment uses NIST SP 800-171A and determines if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).
• Assessment results in a confidence level of 'High' in the resulting score.

Page 18:

DoD Assessment Scores


• Score of 110 = Full implementation of ALL 110 NIST 800-171 Reqts

• Subtractive & Weighted scoring between 1 to 5 points off for every unimplemented reqt.

• You could be 80% done, and still score ZERO (or even have a negative score)

• Suppliers should be scored on the same scale, and be ready to share their SSPs and/or undergo 171-A evidence-based validation when requested

Page 19:

Cybersecurity Scoring with the Assessment

• Weighted requirements include all of the fundamental NIST SP 800-171 'Basic Security Requirements' - high-level requirements which, if not implemented, render ineffective the more numerous 'Derived Security Requirements'; and a subset of the 'Derived Security Requirements' - requirements that supplement the Basic Security Requirements - which, if not implemented, would allow for exploitation of the network and its information

• For security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of DoD CUI, 5 points are subtracted from the score of 110

- Basic Security Requirements with a value of 5 points include 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.4.2, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.7.2, 3.8.3, 3.9.2, 3.10.1, 3.10.2, 3.12.1, 3.12.3, 3.13.1, 3.13.2, 3.14.1, 3.14.2, and 3.14.3.

- Derived Security Requirements with a value of 5 points include 3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.3.5, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.10, 3.7.5, 3.8.7, 3.11.2, 3.13.5, 3.13.6, 3.13.15, 3.14.4, and 3.14.6.


Page 20:

Cybersecurity Scoring with the Assessment

• For Basic and Derived Security Requirements that have a specific and confined effect on the security of the network and its data, 3 points are subtracted from the score of 110

- Basic Security Requirements with a value of 3 points include 3.3.2, 3.7.1, 3.8.1, 3.8.2, 3.9.1, 3.11.1, and 3.12.2.

- Derived Security Requirements with a value of 3 points include 3.1.5, 3.1.19, 3.7.4, 3.8.8, 3.13.8, 3.14.5, and 3.14.7.

• All remaining Derived Security Requirements have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the score of 110
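As an added example (not from the slides or from DAU), the scoring rules on pages 13, 14, 18, 19 and 20 implemented as a small Python calculator: it weights each unimplemented requirement from the slide lists, applies the 3.5.3 and 3.1.17 special cases and the 'adjudicated as met' rule, and shows how 22 five-point gaps leave a contractor 80% implemented with a score of zero. The per-family requirement counts used to validate IDs are an assumption taken from NIST SP 800-171 itself, not from these slides.

```python
"""Subtractive NIST SP 800-171 DoD Assessment score (Methodology v1.2.1).
Weights come only from these slides: the 5- and 3-point ID lists (pages 19-20),
the 3.5.3 / 3.1.17 special cases (page 14), the 'adjudicated as met' rule
(page 13) and the 1-point default for every other Derived requirement."""
from dataclasses import dataclass

FIVE_POINT = frozenset({
    # Basic Security Requirements valued at 5 points (page 19)
    "3.1.1", "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.4.1", "3.4.2", "3.5.1",
    "3.5.2", "3.6.1", "3.6.2", "3.7.2", "3.8.3", "3.9.2", "3.10.1", "3.10.2",
    "3.12.1", "3.12.3", "3.13.1", "3.13.2", "3.14.1", "3.14.2", "3.14.3",
    # Derived Security Requirements valued at 5 points (page 19)
    "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18", "3.3.5", "3.4.5",
    "3.4.6", "3.4.7", "3.4.8", "3.5.10", "3.7.5", "3.8.7", "3.11.2", "3.13.5",
    "3.13.6", "3.13.15", "3.14.4", "3.14.6",
})
THREE_POINT = frozenset({
    # Basic and Derived Security Requirements valued at 3 points (page 20)
    "3.3.2", "3.7.1", "3.8.1", "3.8.2", "3.9.1", "3.11.1", "3.12.2",
    "3.1.5", "3.1.19", "3.7.4", "3.8.8", "3.13.8", "3.14.5", "3.14.7",
})
# Requirements per NIST SP 800-171 family: an assumption taken from the
# standard (not from the slides), used only to reject unknown IDs.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9, 9: 2,
                10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
ALL_REQUIREMENTS = frozenset(
    f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items() for n in range(1, size + 1))
MAX_SCORE = len(ALL_REQUIREMENTS)  # 110: every requirement fully implemented

@dataclass(frozen=True)
class Finding:
    """A requirement not implemented exactly as written.  status is one of
    not_implemented (full weight, plan of action or not), partial_mfa (3.5.3
    only: MFA for remote/privileged users but not the general user),
    not_applicable or equally_effective (adjudicated by DoD CIO: met)."""
    requirement: str
    status: str = "not_implemented"

def weight(requirement: str) -> int:
    """Points deducted when the requirement is not implemented at all."""
    if requirement not in ALL_REQUIREMENTS:
        raise ValueError(f"unknown NIST SP 800-171 requirement: {requirement}")
    if requirement == "3.5.3" or requirement in FIVE_POINT:
        return 5
    if requirement in THREE_POINT:
        return 3
    return 1  # remaining Derived requirements: limited or indirect effect

def score(findings, wireless_permitted=True):
    """Return (score, deductions by requirement); the score may go negative."""
    total, deductions = MAX_SCORE, {}
    for f in findings:
        points = weight(f.requirement)  # also validates the ID
        if f.status in ("not_applicable", "equally_effective"):
            continue  # page 13: assessed as 'met', no deduction
        if f.requirement == "3.1.17" and not wireless_permitted:
            continue  # page 14: no deduction if wireless access is not permitted
        if f.status == "partial_mfa":
            if f.requirement != "3.5.3":
                raise ValueError("partial_mfa applies to 3.5.3 only")
            points = 3
        elif f.status != "not_implemented":
            raise ValueError(f"unknown status: {f.status}")
        deductions[f.requirement] = points
        total -= points
    return total, deductions

def implemented_fraction(deductions) -> float:
    """Share of the 110 requirements with no deduction: page 18's point is that
    80% implemented can still score zero when the gaps are all 5-pointers."""
    return (MAX_SCORE - len(deductions)) / MAX_SCORE
```

With every requirement unimplemented the calculator bottoms out at 110 minus (43 × 5 + 14 × 3 + 53 × 1), which is how a score of 110 can become negative.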


Page 21:

Documenting NIST SP 800-171 DoD Assessment Results


• Summary level assessment scores will be posted in the Supplier Performance Risk System (SPRS) to provide DoD Components with visibility to the results of:

‒ Basic (self) assessments completed by the Contractor

‒ Medium and High assessments conducted by DoD

• DoD Components should rely on scores posted in SPRS in lieu of including requirements to assess implementation of NIST SP 800-171 on a contract-by-contract basis.

• Authorized Contractor representatives may access SPRS to view their own results

Results posted in SPRS for each system security plan assessed:

• The standard assessed (e.g., NIST SP 800-171 Rev 1)

• Organization conducting assessment (identified by DoD Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code)

• Each information system/system security plan assessed, mapped to associated CAGE code(s)

‒ If contractor has multiple system security plans and/or CAGE codes, all CAGE codes must be mapped to appropriate system security plan(s)

• Date and level of assessment, i.e., Basic, Medium, High (Virtual) or High (Onsite)

• Summary level score (e.g., 105 out of 110)

• Date score of 110 will be achieved based on information gathered from associated plan(s) of action


Page 22:

Status of Results Posted in SPRS

Results for 114 Basic, Medium, and High NIST SP 800-171 DoD Assessments posted in SPRS, representing 71 companies
• Basic – 78
• Medium – 8
• High – 28

Go to https://www.sprs.csd.disa.mil for information on how to access

Page 23:

DIBCAC Assessments Status Update


Page 24:

Stakeholder Roles and Responsibilities - NIST SP 800-171 DoD Assessment

Program Offices:
• When warranted as part of overall risk decision, partner with DCMA DIBCAC* to conduct Medium or High NIST SP 800-171 DoD Assessments

CISOs, CIOs, and IT Security Specialists:
• Assess/address acceptable level of risk should cyber incident on contractor’s information system impact DoD CUI:
  ‒ Check SPRS for results of completed NIST SP 800-171 DoD Assessments
  ‒ See DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

Contracting Community:
• Further contractual requirements pending publication of DFARS Case 2019-D041, Strategic Assessment and Cybersecurity Certification Requirements
• Augment solicitation and/or contracts with enhanced requirements when necessary to address risk
• As part of contract oversight - verify system security plans/associated plans of action are in place

DCMA:
• DIBCAC* to partner with DIB and DoD Components to conduct Medium or High DoD Assessments

Defense Industrial Base:
• Conduct Basic (self-assessment) NIST SP 800-171 DoD Assessment
• Partner with DIBCAC and DoD Components to complete Medium or High DoD Assessments
• Complete System Security Plan(s) and associated Plan(s) of Action to demonstrate implementation of NIST SP 800-171

* DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), established to ensure contractor compliance with cybersecurity standards

Page 25:

Summary

• NIST SP 800-171 DoD Assessment Methodology
  - Applicable to NIST SP 800-171 security requirements
  - Can be used to evaluate past performance/compliance
  - Should be an RFP entry/submission requirement
• Each Command/Procuring Activity should validate/verify their primes and/or subs have performed assessments and uploaded them in the Supplier Performance Risk System (SPRS)

Page 26:

The slides and questions will be posted at

xxxxx

And the recording will be posted at https://www.dau.edu/dau-webcasts

Page 27:

Survey: xxxx


Page 28:

For additional questions, please contact Chris Newborn at

[email protected] or 619-370-3076
