The basis for both DFARS and CMMC 2.0 frameworks is the 110 controls outlined in the National Institute of Standards and Technology Special Publication 800-171, or NIST SP 800-171.

Full compliance begins with an assessment.

As the basis for both DFARS and CMMC 2.0, NIST 800-171 provides the road map for building a fully compliant information security program and maintaining it over time. DFARS/CMMC 2.0/NIST 800-171 compliance begins with an assessment.

Security assessment scoring against NIST 800-171

NIST 800-171 has 110 security controls, organized into 14 control families. Your assessment should specifically measure your compliance against each individual control using the NIST 800-171 DOD Assessment Methodology. The table below summarizes the families and the number of controls under each.

Access Control22
Audit and Accountability9
Awareness and Training3
Configuration Management9
Identification and Authentication11
Incident Response3
Media Protection9
Personnel Security2
Physical Protection6
Risk Assessment3
Security Assessment4
System and Communications Protection16
System and Information Integrity7

Key security
assessment outcomes

A properly executed assessment will provide a comprehensive analysis of how your systems score against NIST 800-171 security requirements. Two required outcomes are a System Security Plan (SSP) and Plan of Action and Milestones (POAM), which outline your system in detail and provide a prioritized list of any security threats, vulnerabilities or potential vulnerabilities as well as detailed remediation plans.

At the conclusion of the assessment, you should be able to answer these critical questions:

  • Where do we stand today against the NIST 800-171 security requirements?
  • How many POAMs do we need, based on the assessment?
  • When will our business be fully compliant, and how much is it going to cost?
  • What are the operations and maintenance costs of staying fully compliant over time?

The results of your assessment must be submitted through the DOD’s Supplier Performance Risk System, or SPRS, a web-based mechanism for housing and retrieving supplier performance information.

Trust an assessment and
compliance expert

The assessment process can be complex and time-consuming. CyberSheath is an expert. We have completed hundreds of NIST 800-171 assessments to date and counting.

Arrows and dots

Learn about CyberSheath assessment services