
How to use CMMC Academy's Free NIST 800-171 Assessment Tool

Overview

Business Overview:
All defense contractors and subcontractors are required to submit the score of a Basic NIST 800-171 DoD Assessment (Self-Assessment), using the NIST 800-171 DoD Assessment Methodology, in the Supplier Performance Risk System (SPRS) prior to any contract award. CMMC Academy’s NIST 800-171 Assessment Tool is based on the NIST 800-171 DoD Assessment Methodology Version 1.2.1 and was specifically developed to help DoD suppliers meet this requirement.

Technical Overview:
Before using this tool, make sure that you have a current System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Things to Know

Note that an SSP is required when using CMMC Academy’s NIST 800-171 tool; without one, a ZERO score will be reflected. This is consistent with DFARS clause 252.204-7012, where an SSP is required for compliance.

Need help using the tool? Contact us!

Using CMMC Academy’s 800-171 Self-Assessment Tool:

  • To use CMMC Academy’s 800-171 Self-Assessment Tool you simply indicate whether each of the 110 security requirements is either Implemented or Not Implemented in your organization.
  • If all security requirements are implemented, you will receive a score of 110, consistent with the total number of NIST 800-171 security requirements. For each security requirement not implemented, a value of 1, 3 or 5 is subtracted from 110 based on the weighted importance of each specific security requirement.
  • Since the score of 110 is reduced by each requirement not implemented, the final score reflects the net effect of security requirements not yet implemented. You are expected to achieve a score of 110 by the time of contract award.

Prior to responding to the 110 security requirements, please be sure to answer “Yes” or “No” to the 3 CUI Storage related questions and the 5 Configuration questions related to your implementation of the specified security requirements (i.e., MFA, FIPS cryptography, remote access, mobile device connections). Responses to the Configuration questions directly impact your score: either 0, 3, or 5 points are subtracted based on your responses to these questions.