The NIST 800-171 SPRS score in FutureFeed is calculated according to the NIST SP 800-171 DoD Assessment Methodology, Version 1.2. The methodology weights each security requirement at 1, 3 or 5 points according to the impact that leaving it unimplemented has on the security of the network and its data, so some requirements cost more than others when they are not yet implemented.
Assessments are scored to reflect the net effect of the security requirements not yet implemented. You start with a perfect score of 110, and for each security requirement not met, that requirement's weighted value is subtracted from your organization's score.
If all security requirements are implemented, a contractor is awarded a score of 110, matching the total number of NIST SP 800-171 security requirements. The lowest possible score is -203 (110 minus the 313 points that the weighted requirements add up to).
While CMMC requires that all controls be satisfied, SPRS accepts a score with open POA&M items; the submission must, however, include the projected date by which the plan will be completed and a score of 110 achieved.
FutureFeed builds both the SSP and the POA&M automatically as the assessment is completed.
More Details
0-Point REQUIRED Control
The contractor must have a system security plan (Basic Security Requirement 3.12.4) in place to describe each covered contractor information system, and a plan of action (Basic Security Requirement 3.12.2) in place for each unimplemented security requirement to describe how and when the security requirement will be met.
Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if that information is not available. The absence of a system security plan would result in a finding that 'an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.'
5-Point Controls
Basic Security Requirements with a value of 5 points include 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.4.2, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.7.2, 3.8.3, 3.9.2, 3.10.1, 3.10.2, 3.12.1, 3.12.3, 3.13.1, 3.13.2, 3.14.1, 3.14.2, and 3.14.3.
Derived Security Requirements with a value of 5 points include 3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.3.5, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.10, 3.7.5, 3.8.7, 3.11.2, 3.13.5, 3.13.6, 3.13.15, 3.14.4, and 3.14.6.
3-Point Controls
Basic Security Requirements with a value of 3 points include 3.3.2, 3.7.1, 3.8.1, 3.8.2, 3.9.1, 3.11.1, and 3.12.2.
Derived Security Requirements with a value of 3 points include 3.1.5, 3.1.19, 3.7.4, 3.8.8, 3.13.8, 3.14.5, and 3.14.7.
1-Point Controls
All remaining Derived Security Requirements are worth 1 point: if not implemented, they have a limited or indirect effect on the security of the network and its data.
Partial Credit - Two Special Controls
Multi-factor authentication (MFA) (Security Requirement 3.5.3) is typically implemented first for remote and privileged users (since these users are both limited in number and more critical) and then for general users, so 3 points are subtracted from the score of 110 if MFA is implemented only for remote and privileged users, and 5 points are subtracted if MFA is not implemented for any users.
FIPS validated encryption (Security Requirement 3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but is not FIPS validated, 3 points are subtracted from the score of 110; if encryption is not employed, 5 points are subtracted from the score of 110.
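The scoring rules above (start at 110, subtract each unmet requirement's weight, gate everything on the existence of an SSP, and give partial credit for 3.5.3 and 3.13.11) are easy to get subtly wrong in a spreadsheet, so here is a worked scorer. It is an added example written for this page, not FutureFeed's code and not the DoD's. The weight tables are transcribed from the lists above; the per-family requirement counts (22 for 3.1, 3 for 3.2, and so on, 110 in total) come from NIST SP 800-171 Rev. 2 and are not on this page. The status vocabulary (`implemented`, `not_implemented`, `partial`) and the rule that a requirement missing from the input counts as not implemented are assumptions of this example. The sample self-assessment at the bottom is constructed.

```python
"""SPRS score calculator for the NIST SP 800-171 DoD Assessment Methodology weights.
Added example for this page; not FutureFeed code."""
from typing import Dict, List, Optional, Tuple

# Requirements per family in NIST SP 800-171 Rev. 2 (3.1 .. 3.14), 110 in total.
# Assumption of this example: the page does not list the family sizes.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9, 9: 2,
                10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
ALL_REQUIREMENTS = {f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
                    for n in range(1, size + 1)}

# Weight tables transcribed from the page (Methodology v1.2).
FIVE_POINT = {
    # Basic security requirements
    "3.1.1", "3.1.2", "3.2.1", "3.2.2", "3.3.1", "3.4.1", "3.4.2", "3.5.1", "3.5.2",
    "3.6.1", "3.6.2", "3.7.2", "3.8.3", "3.9.2", "3.10.1", "3.10.2", "3.12.1",
    "3.12.3", "3.13.1", "3.13.2", "3.14.1", "3.14.2", "3.14.3",
    # Derived security requirements
    "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18", "3.3.5", "3.4.5", "3.4.6",
    "3.4.7", "3.4.8", "3.5.10", "3.7.5", "3.8.7", "3.11.2", "3.13.5", "3.13.6",
    "3.13.15", "3.14.4", "3.14.6",
}
THREE_POINT = {
    "3.3.2", "3.7.1", "3.8.1", "3.8.2", "3.9.1", "3.11.1", "3.12.2",      # basic
    "3.1.5", "3.1.19", "3.7.4", "3.8.8", "3.13.8", "3.14.5", "3.14.7",    # derived
}
SSP = "3.12.4"     # 0 points, but without an SSP the assessment cannot be completed
MFA = "3.5.3"      # partial credit: -3 if only remote/privileged users, -5 if nobody
FIPS = "3.13.11"   # partial credit: -3 if encryption is not FIPS validated, -5 if none
MAX_SCORE = 110


def _key(req: str) -> Tuple[int, ...]:
    """Sort key so that 3.1.2 precedes 3.1.12 (string order would not)."""
    return tuple(int(p) for p in req.split("."))


def weight(req: str) -> int:
    """Points deducted when the requirement is entirely unimplemented."""
    if req not in ALL_REQUIREMENTS:
        raise ValueError(f"unknown requirement {req}")
    if req == SSP:
        return 0
    if req in FIVE_POINT or req in (MFA, FIPS):
        return 5
    if req in THREE_POINT:
        return 3
    return 1  # every remaining derived requirement


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement given its status (assumed vocabulary)."""
    if status == "implemented":
        return 0
    if status == "partial":
        if req not in (MFA, FIPS):
            raise ValueError(f"partial credit is only defined for {MFA} and {FIPS}, not {req}")
        return 3
    if status == "not_implemented":
        return weight(req)
    raise ValueError(f"unknown status {status!r} for {req}")


def score(status: Dict[str, str]) -> Optional[int]:
    """SPRS score, or None when no SSP exists (assessment cannot be completed).
    Requirements absent from `status` are treated as not implemented."""
    if status.get(SSP) != "implemented":
        return None
    return MAX_SCORE - sum(deduction(r, status.get(r, "not_implemented"))
                           for r in ALL_REQUIREMENTS)


def poam_items(status: Dict[str, str]) -> List[Tuple[str, int]]:
    """Unmet requirements with their deduction, highest-impact first: a natural
    POA&M ordering, since closing a 5-point gap recovers five times a 1-point one."""
    items = [(r, deduction(r, status.get(r, "not_implemented"))) for r in ALL_REQUIREMENTS]
    return sorted(((r, d) for r, d in items if d > 0), key=lambda rd: (-rd[1], _key(rd[0])))


# Constructed sample: everything implemented except four items.
SAMPLE = {r: "implemented" for r in ALL_REQUIREMENTS}
SAMPLE.update({MFA: "partial", FIPS: "not_implemented",
               "3.3.2": "not_implemented", "3.1.20": "not_implemented"})

if __name__ == "__main__":
    print("sample score:", score(SAMPLE))                    # 110 - 3 - 5 - 3 - 1 = 98
    for req, pts in poam_items(SAMPLE):
        print(f"  POA&M {req}: {pts} point(s)")
    print("SSP only:", score({SSP: "implemented"}))          # -203, the floor
    print("no SSP:", score({}))                              # None
```

Running the sanity checks is worth doing once against any scoring tool: the weight tables must contain 42 five-point and 14 three-point requirements, the weights of all 110 must sum to 313, and a profile with only the SSP implemented must score -203; a tool that disagrees has a transcription error in its tables.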