As the U.S. Department of Defense seeks to secure its supply chain, cybersecurity remains front and center, especially when it comes to protecting controlled unclassified information (CUI) and federal contract information (FCI).
Last September, DOD issued an interim rule that started the process of rolling out the new Cybersecurity Maturity Model Certification (CMMC) program and implemented an updated NIST 800-171 Assessment Methodology.
As of November 30, 2020, a contracting officer must check the Supplier Performance Risk System (SPRS) before awarding or renewing a contract to confirm the selected company has a current NIST 800-171 assessment using this methodology. The NIST 171 Assessment Methodology uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor.
While the rollout of CMMC is expected to take 5 years, many of the practices required in NIST 800-171 are also required practices in CMMC level 3 and above. Your company can get a jumpstart on its CMMC preparation by implementing NIST 171.
The DFARS 7012 rule and the associated NIST 800-171 requirements can generate a lot of questions. That’s why Celerium developed our NIST Q&A site. We provide answers to many common questions about NIST 800-171, and many of the answers have been provided directly by the Defense Contract Management Agency (DCMA). Best of all, the site is completely free!
The NIST Q&A site provides answers to questions related to topics including:
- NIST 800-171 vs. CMMC
- Scoring and assessments
- Small business
- Legal questions related to NIST 800-171
Learn how NIST 800-171 relates to CMMC, as well as legal issues and other specific facets of NIST 800-171 and rule 7012. Be sure to try our NIST 800-171 Self-Assessment Tool as well to see how well your organization meets the requirements.