
How to use CMMC Academy's Free NIST 800-171 Assessment Tool


Business Overview:
All defense contractors and subcontractors are required to submit the score of a Basic NIST 800-171 DoD Assessment (Self-Assessment), using the NIST 800-171 DoD Assessment Methodology, in the Supplier Performance Risk System (SPRS) prior to any contract award. CMMC Academy’s NIST 800-171 Assessment Tool is based on the NIST 800-171 DoD Assessment Methodology Version 1.2.1 and was specifically developed to help DoD suppliers meet this requirement.

Technical Overview:
Before using this tool, make sure that you have a current System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.


Things to Know

When using CMMC Academy’s NIST 800-171 tool, note that an SSP is required; without one, a score of ZERO will be reflected. This is consistent with DFARS clause 252.204-7012, under which an SSP is required for compliance.

Need help using the tool? Contact us!

Using CMMC Academy’s 800-171 Self-Assessment Tool:

  • To use CMMC Academy’s 800-171 Self-Assessment Tool you simply indicate whether each of the 110 security requirements is either Implemented or Not Implemented in your organization.
  • If all security requirements are implemented, you will receive a score of 110, consistent with the total number of NIST 800-171 security requirements. For each security requirement not implemented, a value of 1, 3 or 5 is subtracted from 110 based on the weighted importance of each specific security requirement.
  • Since the score of 110 is reduced by each requirement not implemented, the final score reflects the net effect of security requirements not yet implemented. You are expected to achieve a score of 110 by the time of contract award.

Prior to responding to the 110 security requirements, please be sure to answer “Yes” or “No” to the 3 CUI Storage related questions and the 5 Configuration questions related to your implementation of the specified security requirements (i.e., MFA, FIPS cryptography, remote access, mobile device connections). Responses to the Configuration questions directly impact your score: either 0, 3, or 5 points are subtracted based on your responses to these questions.