Conducting a NIST 800-171 self-assessment — also known as a CMMC self-assessment or SPRS assessment — is a critical component of DFARS 252.204-7019 compliance. As a contractor, you’ll need to evaluate your organization against all 320 objectives and upload your score to the Supplier Performance Risk System (SPRS).
In this guide, we’ll break down all the steps required to complete a successful assessment, including evaluating your System Security Plan (SSP), scoring your results, generating POA&Ms, and more.
What You Need to Conduct a NIST 800-171 Self-Assessment
Before you begin your assessment, gather the following items:
- An operational System Security Plan (SSP)
- Any existing plans, policies, and procedures
- A copy of NIST SP 800-171a
- The DOD Assessment Methodology
- A list of subject matter experts
- A can-do, proactive attitude
Don’t have an SSP? Create one and get it approved. This is required to submit a summary self-assessment score within the SPRS portal.
How to Conduct a NIST 800-171 Self-Assessment
1. Evaluate the SSP
The first step to conducting your self-assessment is to evaluate your SSP against the CMMC Assessment Guide (CA.L2-3.12.4) or NIST 800-171 to ensure the assessment objectives are implemented.
To conduct this evaluation, assess each security requirement at the assessment-objective level. For example, when assessing 3.12.4, determine if you have evidence documenting that (a) through (h) have been implemented. Evidence can include items such as a policy statement, a process or procedure, a technical solution, or a configuration item within a technical security control.
2. Examine
When evaluating your SSP, you’ll want to review existing evidence, including policies, to make sure they trace back to any security requirement/controls. Be sure to examine supporting processes and procedures as well.
3. Interview
To gather more information, interview the data owner, process owner, operators, business lead, or anyone with responsibility and knowledge about the implemented control.
4. Test
Observe the end-to-end process, validating the intended output is achieved. This may apply only to a subset of controls.
The DoDAM requires at least one of these methods – examine, interview, or test – to be performed to assess a particular control. SP6 recommends performing at least two. These three items are covered within the CMMC Assessment Guide:
5. Score the Results/Findings
The CMMC Level 2 Assessment Guide has three possible findings: Met, Not Met, or Not Applicable. Here’s how the CMMC Assessment Guide defines each one:
- MET: “The contractor successfully meets the practice. For each practice marked MET, the Certified Assessor includes statements that indicate the response conforms to all objectives and documents the appropriate evidence to support the response.”
- NOT MET: “The contractor has not met the practice. For each practice marked NOT MET, the Certified Assessor includes statements that explain why and documents the appropriate evidence that the contractor does not conform fully to all of the objectives.”
- NOT APPLICABLE (N/A): “The practice does not apply for the assessment. For each practice marked N/A, the Certified Assessor includes a statement that explains why the practice does not apply to the contractor. For example, SC.L1-3.13.5 might be N/A if there are no publicly accessible systems.”
6. Prepare the Final Report
After you complete your assessment, you’ll need to document the results in a centralized final report.
7. Create Plans of Action and Milestones
One of the most crucial outcomes of your NIST 800-171 self-assessment is the Plan of Action and Milestones (POA&M).
To ensure your efforts are recognized:
- Obtain a confirmation letter from a Certified CMMC Assessor, ideally one associated with a Registered Provider Organization (RPO) and accredited by the Cyber AB. This step ensures that you get tailored advice on addressing any gaps identified in the POA&M, moving beyond generic solutions.
- Perform a risk assessment on any identified gaps or new opportunities. Link these findings back to your business objectives and discuss them with your stakeholders.
- Prioritize critical and high-impact tasks, but also tackle the “low-hanging fruit” – those improvements that are straightforward and do not require significant investment in new technology.
With a clearly defined scope, a robust operational System Security Plan, and a shared responsibility matrix, you’re well on your way to achieving compliance and enhancing your security posture.
Get Expert Help Conducting a NIST 800-171 Self-Assessment
Without the right expertise, it’s extremely difficult to get an accurate self-assessment score. In fact, according to the Cyber AB, organizations over-score themselves by an average of 113 points.
Working with a Registered Provider Organization like SP6 is the best way to ensure accurate results. Our Certified CMMC Professionals and Assessors have 15+ years of experience helping companies achieve compliance with meticulous security standards like NIST 800-171.
Talk with one of our experts to discover which of our customized DFARS and CMMC services are right for your organization.
