Notice of NIST SP 800-171 DoD Assessment Requirements
In 2023, a new DFARS clause, an interim rule, DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements, was introduced specifically to require defense contractors to comply with the current NIST SP 800-171. This clause plays a crucial role as a Solicitation Provision, informing contractors during the Request for Proposal (RFP) or Request for Quotation (RFQ) phase that they must maintain a Supplier Performance Risk System (SPRS) score. This score is essential not only for assessing a contractor’s performance but also for determining their eligibility for contract awards. The implementation of this clause emphasizes the Department of Defense’s commitment to ensuring that contractors provide adequate security and risk management, which is vital for protecting controlled unclassified information (CUI) and unclassified controlled technical information. As such, contractors should be proactive in understanding and meeting these requirements to enhance their competitive edge in the bidding process and to keep their eligibility for contract award.
DFARS 7019 Requirements
Defense contractors are required to conduct a comprehensive Security Assessment that aligns with the standards set forth in NIST SP 800-171 3.12.1, which covers Security Control Assessment. This assessment should adhere to the guidelines detailed in NIST SP 800-171A: Assessing Security Requirements for CUI. Additionally, it is imperative to incorporate the DoD Assessment Methodology, which provides a structured approach to evaluating the security posture of the organization. When it comes to reporting results in the SPRS (Supplier Performance Risk System), it is important to note that your current assessment score must be kept up to date and cannot be older than three (3) years unless a shorter timeframe is explicitly specified in the solicitation. This ensures that all contractors are continually meeting the latest security requirements and maintaining a robust security framework to protect sensitive data. Failure to comply with these requirements may result in suspension or disqualification from future contract awards.
NOTE: Guides on NIST SP 800-171A, DoD Assessment Methodology, and how to conduct a Basic Security Assessment will be coming soon!
Assessment Levels
There are three (3) assessment levels that you will need to be aware of: Basic, Medium, and High Assessment.
A Basic Assessment is a contractor’s self-assessment that utilizes NIST SP 800-171A and the DoD Assessment Methodology to determine the implementation of NIST SP 800-171. It:
- is based on the contractor’s review of their system security plan(s) associated with covered contractor information system(s)
- is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology (including NIST SP 800-171A)
- results in a confidence level of “Low” in the resulting score, because it is a self-generated score
A Medium Assessment is an assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). It consists of:
- a review of the contractor’s Basic Assessment
- a thorough document review
- discussions with the contractor to obtain additional information or clarification, as needed
- results in a confidence level of “Medium” in the resulting score
A High Assessment is an assessment conducted by Government personnel (DIBCAC) using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. It consists of:
- a review of the contractor’s Basic Assessment
- a thorough document review
- verification, examination, and demonstration of the contractor’s system security plan to validate that the NIST SP 800-171 security requirements have been implemented as described in that plan
- discussions with the contractor to obtain additional information or clarification, as needed
- results in a confidence level of “High” in the resulting score
Submitting Your SPRS Score
Once the defense contractor has completed their assessment at the level the RFP/RFQ requires, they should be in compliance with DFARS 7019. If you have not completed your assessment or do not have any System Security Plans (SSPs), please address this as soon as possible to be in compliance with DFARS 7012 and 7019. The covered contractor information system will need to be configured to NIST SP 800-171/NIST SP 800-171A and assessed with NIST SP 800-171A and the DoD Assessment Methodology before completing your Basic Assessment per DFARS 7019.
NOTE: Guides on NIST SP 800-171A, the DoD Assessment Methodology, how to conduct a Basic Security Assessment, how to conduct a Security Assessment, how to calculate your SPRS score, and how to submit your SPRS score will be coming soon!