The basis for both DFARS and CMMC 2.0 frameworks is the 110 controls outlined in the National Institute of Standards and Technology Special Publication 800-171, or NIST SP 800-171.
Security assessment scoring against NIST 800-171
NIST 800-171 has 110 security controls, organized into 14 control families. Your assessment should specifically measure your compliance against each individual control using the NIST 800-171 DOD Assessment Methodology. The table below summarizes the families and the number of controls under each.
| CONTROL FAMILIES | TOTAL CONTROLS |
|---|---|
| Access Control | 22 |
| Audit and Accountability | 9 |
| Awareness and Training | 3 |
| Configuration Management | 9 |
| Identification and Authentication | 11 |
| Incident Response | 3 |
| Maintenance | 6 |
| Media Protection | 9 |
| Personnel Security | 2 |
| Physical Protection | 6 |
| Risk Assessment | 3 |
| Security Assessment | 4 |
| System and Communications Protection | 16 |
| System and Information Integrity | 7 |
Key security assessment outcomes
A properly executed assessment will provide a comprehensive analysis of how your systems score against NIST 800-171 security requirements. Two required outcomes are a System Security Plan (SSP) and Plan of Action and Milestones (POAM), which outline your system in detail and provide a prioritized list of any security threats, vulnerabilities or potential vulnerabilities as well as detailed remediation plans.
At the conclusion of the assessment, you should be able to answer these critical questions:
- Where do we stand today against the NIST 800-171 security requirements?
- How many POAMs do we need, based on the assessment?
- When will our business be fully compliant, and how much is it going to cost?
- What are the operations and maintenance costs of staying fully compliant over time?
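The DoD Assessment Methodology referenced above scores a self-assessment by starting at the 110-point maximum and deducting each unimplemented requirement's weight (5, 3 or 1 point; two requirements, 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography, allow a reduced 3-point deduction when partially implemented), and it produces no score at all without a System Security Plan. The example below is added here and is not part of the original page or CyberSheath's tooling; the requirement list, weights and statuses are constructed sample data, not a real assessment, and the helper names are assumptions.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does, and derive the POAM list from the gaps.
Added example: the requirements below are constructed sample data."""
from dataclasses import dataclass

MAX_SCORE = 110  # one point per requirement before weighting

# Only these two requirements permit partial credit under the methodology:
# the deduction drops from 5 to 3 when they are partially implemented.
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}
PARTIAL_DEDUCTION = 3


@dataclass
class Requirement:
    ident: str        # requirement number, e.g. "3.1.1"
    family: str       # control family name from the table above
    weight: int       # methodology weight: 5, 3 or 1
    status: str       # "implemented", "partial" or "not_implemented"


def deduction_for(req: Requirement) -> int:
    """Points lost for one requirement given its implementation status."""
    if req.status == "implemented":
        return 0
    if req.status == "partial":
        if req.ident in PARTIAL_CREDIT_IDS:
            return PARTIAL_DEDUCTION
        # Any other requirement is either met or not; "partial" counts as unmet.
        return req.weight
    if req.status == "not_implemented":
        return req.weight
    raise ValueError(f"unknown status {req.status!r} for {req.ident}")


def score_assessment(reqs, ssp_exists: bool):
    """Return (score, poam_items, gaps_by_family).

    poam_items lists every requirement that needs a Plan of Action and
    Milestones entry, i.e. each one that is not fully implemented.
    """
    if not ssp_exists:
        # The methodology assigns no score when there is no SSP to assess against.
        raise ValueError("no System Security Plan: assessment cannot be scored")
    score = MAX_SCORE
    poam = []
    gaps_by_family = {}
    for r in reqs:
        lost = deduction_for(r)
        if lost == 0:
            continue
        score -= lost
        poam.append((r.ident, r.family, lost))
        gaps_by_family[r.family] = gaps_by_family.get(r.family, 0) + 1
    return score, poam, gaps_by_family


# Constructed sample assessment (weights and statuses are illustrative only).
SAMPLE = [
    Requirement("3.1.1", "Access Control", 5, "implemented"),
    Requirement("3.1.2", "Access Control", 5, "not_implemented"),
    Requirement("3.3.1", "Audit and Accountability", 5, "implemented"),
    Requirement("3.5.3", "Identification and Authentication", 5, "partial"),
    Requirement("3.10.5", "Physical Protection", 1, "not_implemented"),
    Requirement("3.13.11", "System and Communications Protection", 5, "partial"),
    Requirement("3.14.1", "System and Information Integrity", 5, "not_implemented"),
]

if __name__ == "__main__":
    score, poam, gaps = score_assessment(SAMPLE, ssp_exists=True)
    print(f"SPRS score: {score} (max {MAX_SCORE}); POAM items: {len(poam)}")
    for ident, family, lost in poam:
        print(f"  {ident:8} {family:40} -{lost}")
    for family, n in gaps.items():
        print(f"{n} gap(s) in {family}")
```

The score reported to SPRS is the first value returned; the POAM list is what answers "how many POAMs do we need", and the per-family gap count shows where remediation effort concentrates. Note that the score can go below zero on a real assessment, since deductions are not capped.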
The results of your assessment must be submitted through the DOD’s Supplier Performance Risk System, or SPRS, a web-based mechanism for housing and retrieving supplier performance information.
Trust an assessment and compliance expert
The assessment process can be complex and time-consuming. CyberSheath is an expert. We have completed hundreds of NIST 800-171 assessments to date and counting.