Basic (Contractor Self-Assessment) NIST SP 800-171 DoD Assessment
The Basic Assessment is the Contractor’s self-assessment of NIST SP 800-171 implementation status, based on a review of the system security plan(s) associated with covered contractor information system(s).
The Basic Assessment results in a confidence level of ‘Low’ in the resulting score
because it is a self-generated score.
Future Feed and Med/High Assessments
In FutureFeed a NIST 800-171 Medium and High are grouped together. Both require similar preparation, though the assessor will take a much deeper dive when conducting a High Assessment. In FutureFeed the preparation for these assessments is identical to the preparation for a CMMC assessment.
Both Medium and Hight Assessments are conducted by DoD Program Management Office cybersecurity personnel who have been trained in accordance with DoD policy and procedures to conduct the assessment. These assessments are conducted primarily as part of a separately scheduled visit (e.g., for a Critical Design Review).
Medium NIST SP 800-171 DoD Assessment
The assessment will consist of a review of the system security plan description of how each requirement is met to identify any descriptions which may not properly address the security requirements.
The Medium Assessment results in a confidence level of ‘Medium’ in the resulting score.
High NIST SP 800-171 DoD Assessment
The High Assessment is conducted using NIST SP 800-171A. The assessment will determine if the implementation meets the requirements by reviewing appropriate evidence and/or demonstration (e.g., recent scanning results, system inventories, configuration baselines, demonstration of multifactor authentication).
An on-site High NIST SP 800-171 DoD Assessment is the preferred methodology for a full evaluation of the risk to DoD CUI because of the ability to verify and validate the effectiveness of the safeguards that implement security requirements. However, a virtual High Assessment utilizes the same methodology as the on-site with added data protection processes enacted to protect the DIB data that is shared with assessment teams. In some cases, a follow-up on-site assessment of the items not assessed may be required or requested.
The first step in a High Assessment is for the contractor to conduct a Basic Assessment and submit results to the Department using the procedures in Annex B of this document. The High Assessment consists of a review of the Basic Assessment, a thorough document review and discussion with the contractor regarding the results to obtain additional information or clarification as needed, combined with government validation that the security requirements have been implemented as described in the system security plan. Network access by the assessor(s) is not required.
The High Assessment results in a confidence level of ‘High’ in the resulting score.