
Navigating NIST SP 800-171: Key Steps for Basic Assessment & SPRS Submission

Posted by: Jenna Brankin | October 28, 2020 | CMMC, Cybersecurity

Adherence to NIST SP 800-171 is essential for organizations within the Defense Industrial Base (DIB). The cybersecurity landscape continues to evolve, and emerging threats and regulatory changes demand constant vigilance. Accurately understanding and reporting your compliance status is now more critical than ever. This guide outlines the updated key steps for performing a NIST SP 800-171 Basic Assessment and submitting the results to the Supplier Performance Risk System (SPRS). We will explore the latest requirements, tackle common issues, and provide actionable insights to prepare your organization effectively. With the arrival of CMMC 2.0 and its implications for the DIB, it is increasingly important to understand how NIST SP 800-171 maps to the various CMMC levels.

Understanding the Significance of NIST SP 800-171 

NIST SP 800-171 specifies the security requirements for safeguarding Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Compliance is vital for businesses that handle CUI, particularly those working with the Department of Defense (DoD). The introduction of CMMC 2.0 raises the importance of NIST SP 800-171, since it constitutes the core security requirements for the CMMC levels. Regularly reviewing the updated NIST SP 800-171 documentation is key to adapting to new threats and refining security measures. Staying informed about these changes is crucial for maintaining both compliance and security.

The Dynamic Interaction Between NIST SP 800-171 and CMMC 2.0 

CMMC 2.0 extends the framework established by NIST SP 800-171, providing a tiered approach for evaluating and certifying the cybersecurity maturity of DIB contractors. Understanding the connection between the two frameworks is critical for managing compliance requirements. NIST SP 800-171 is the baseline for CMMC Level 2, which requires organizations to implement all 110 security requirements. As CMMC 2.0 implementation progresses, organizations must stay aware of updates to the framework that may alter their compliance responsibilities.

Step #1: Get a CAGE Code

A Commercial and Government Entity (CAGE) code is a basic requirement for doing business with the U.S. federal government, including the DoD. This unique five-character identifier is required for SPRS reporting. New organizations entering the federal contracting space can obtain a CAGE code through the System for Award Management (SAM.gov). For international businesses, NATO CAGE (NCAGE) codes fulfill the same role. It is essential to tie your CAGE code accurately to your System Security Plans (SSPs) within SPRS, as this linkage is fundamental to proper compliance tracking.

Key Points to Remember: 

  • CAGE codes are necessary for SPRS submissions. 
  • Acquire your CAGE code from SAM.gov (or NCAGE for international firms). 
  • Properly link your CAGE code to your SSPs for accurate records. 
  • Keep your CAGE code active and updated. 

Step #2: Conduct and Score the Basic Assessment

Regularly performing a NIST SP 800-171 Basic Assessment is crucial for keeping your compliance status accurate. While self-assessments are permitted, it is highly advisable to engage third-party cybersecurity experts for validation; an independent evaluation helps pinpoint weaknesses in your security posture that an internal review may miss. Use the latest NIST SP 800-171 guidelines and scoring methodology. Ensure that your System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) are current and reflect your actual security status. Use automated tools to support the assessment and reduce the likelihood of errors. Accurate scoring is vital for maintaining trust with the DoD and for understanding how your scores correlate with CMMC levels.

Key Points to Remember: 

  • Continually update your SSPs and POA&Ms to mirror your security status. 
  • Seek third-party validation for objectivity and correctness. 
  • Follow the most recent NIST SP 800-171 scoring guidelines and tools. 
  • Accurate scoring is crucial for maintaining DoD trust and eligibility for contracts. 

Step #3: Submit to SPRS

The Supplier Performance Risk System (SPRS) is the primary platform for reporting your NIST SP 800-171 Basic Assessment scores. Ensure your organization’s SPRS submissions are refreshed at least every three years, or sooner if significant changes arise. Access SPRS via the Procurement Integrated Enterprise Environment (PIEE) using the appropriate SPRS Cyber Vendor Role. Carefully verify all information entered, including your CAGE code, assessment date, score, and the projected completion date for any open POA&Ms. Stay current on changes to SPRS reporting requirements, as the system and its rules continue to evolve.

Key Points to Remember: 

  • SPRS is the official platform for tracking NIST SP 800-171 scores. 
  • Updates must occur at least every three years, or more if necessary. 
  • Access SPRS through PIEE with the correct roles. 
  • Ensure data accuracy to prevent discrepancies. 
  • Keep informed about updates to SPRS protocols. 

The Dangers of Inaccurate Reporting 

Submitting incorrect NIST SP 800-171 Basic Assessment scores to SPRS can lead to significant consequences. Inaccuracies may result in: 

  • Exclusion from future DoD contracts, limiting growth opportunities. 
  • Heightened scrutiny from the DoD, possibly leading to audits and investigations. 
  • Legal repercussions under the False Claims Act, which can incur hefty financial penalties. 
  • Harm to your organization’s reputation, diminishing trust among clients and partners. 

The Necessity of Ongoing Monitoring 

Achieving NIST SP 800-171 compliance is not a one-off task. Continuous monitoring of your security measures is vital for maintaining compliance and addressing emerging threats. Regular security evaluations, vulnerability assessments, and penetration tests are essential for detecting and reducing potential risks. 

NIST SP 800-171 and SPRS Demand Precision

Successfully navigating NIST SP 800-171 compliance and SPRS reporting demands diligence, precision, and ongoing enhancement. By adhering to these pivotal measures and keeping up to date with the latest guidelines, your organization can sustain a robust security framework and ensure ongoing eligibility for DoD contracts. Investing in cybersecurity expertise and resources is essential for achieving and preserving compliance amidst evolving threats and regulations. 

Contact Exostar About Our CMMC Ready Suite 

Guarantee your organization’s NIST SP 800-171 compliance. Reach out to the experts at Exostar for information about our CMMC Ready Suite and find out how we can help you prepare for CMMC 2.0 and become compliant. We’re here to help.