NIST 800 171 Compliance: Is it really possible to have a Negative NIST 800-171 Score? (Self-Assessment) Yes, unfortunately it is very likely for a company that hasn’t planned for and implemented DoD cybersecurity into their systems.
How is the assessment score calculated?
Points are deducted from the perfect score of 110. Each of the 110 controls or practices has a weighted score associated with it. The weighted score of each unimplemented practice is deducted from the score of 110.
How do you get a NIST 800 171 negative score?
- There are 44 practices with a weighted score of 5
- 14 practices with a weighted score of 3
- and 51 practices with a weighted score of 1
- (One practice is not applicable – 3.12.4
So , if you have not implemented 22 practices with a weighted score of 5 points, you’re already down to 0 points. With a few more unimplemented practices, you end up with a negative score.
What’s the impact of your NIST 800 171 Negative Score? And what should you do if you have a negative score?
If you have submitted your score to the SPRS (even if it’s negative) and you have an active system security plan (SSP) with a plan of action and milestones (POA&M), AND you’ve provided an estimated date of when you will achieve a perfect score of 110, you’re now in compliance with DFARS 252.204-7020 and their requirements for NIST 800 171 submission. BUT REMEMBER, contract officers will look at your score as an evaluation criterion for new contracts. So, hire good hands on consultants and engineers to help you remediate compliance gaps as soon as possible.
And you should consider Managed Service Providers as an option because they might be able to help you remediate some compliance gaps very quickly
Prioritize your plan to remediate compliance gaps into 3 categories
- Category One: Compliance gaps you can remediate within 1 month
- Two: Compliance gaps you can remediate within 1 to 3 months
- Three: Compliance gaps you can remediate within 4 to 6 months
Note: Assumes you’ve specified a 6 month POA&M period
Work on the “low hanging fruit” first: Your Category One compliance gaps with the weighted score of 5 that are easiest for you to remediate quickly. And update your score with the DoD SPRS when you have significant improvement. This will demonstrate your progress and current compliance level.
My name is Kyle Lai, President and Chief Information Security Officer at KLC Consulting. Please contact us if you have any questions or need any help with NIST 800 171 or CMMC.