Hello and welcome to the NIST 800-171 learning path. My name is Dave Hat, your instructor for this course, and this is Course 6: NIST 800-171 and CMMC Levels 1 and 2. In this video, we're going to take a look at the DoD Assessment Methodology, which is currently in Version 1.2.1. From that documentation, it says that the NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 documents a standard methodology that enables a strategic assessment of a contractor's implementation of NIST Special Publication 800-171, a requirement for compliance with DFARS Clause 252.204-7012, and DoD will use this assessment methodology to assess the implementation of 800-171 by its prime contractors. Prime contractors may use this methodology to assess the implementation status of 800-171 by subcontractors. Let's talk about the basic assessment. Again, this is a contractor self-assessment, and it says a basic assessment is the contractor's self-assessment of NIST 800-171 implementation status based on a review of the system security plans (SSPs) associated with covered contractor information systems. The basic assessment results in a confidence level of low because it's a self-generated score. Again, you're doing this assessment yourself. The summary-level scores resulting from basic NIST 800-171 assessments should be documented as indicated in Section 6 and Annex B of that documentation, which again is the Assessment Methodology Version 1.2.1; I'll have a link to that later. Let's talk about basic assessment scoring. It's a 110-point scale, which again aligns directly with 800-171. Each requirement in 171 is assigned a weighted subtracted value. Satisfied requirements earn points. Partially satisfied requirements may earn a fraction of points, although most requirements are an all-or-nothing proposition; there are only a few that allow fractional points. Unsatisfied requirements get points subtracted. It's possible to earn a negative score.
That's definitely something we've seen from out in the field. In conjunction with this next one, these are important to keep in mind: while the DFARS interim rule requires the submission of a score, it does not require a specific score. Bottom line is, if you have a contract that requires you to submit a score, or you have a prime that requires you to submit a score, it's important to go ahead and do it even if the score is low or negative, because as it says, you don't have to have a specific score, but you may be required to get a score submitted. Go ahead and get that done even if it's low or negative. Then you may need multiple assessments depending on organizational size and number of contracts. Here is the breakdown of the different items. You could be compliant for a requirement, and you would just include a statement in the SSP with evidence and artifacts. You could be non-compliant, which is pretty self-explanatory; you'd want to add that to your POA&M with plans to satisfy the requirement. You could say partially compliant, but again, most requirements don't allow you to get fractional points for that, and you would need to put that in both the system security plan and the POA&M. You could say an item is not applicable, for example, you don't have Wi-Fi, and you'd need to explain why it's not applicable to your environment. Or you could say, I've taken an alternative approach, and then you would need to explain what the alternative approach is and why it's equally effective to the suggested approach. As you can see here, also from the documentation, there are some items that hopefully help drive this home. Let's wrap up with the scoring methodology. The scoring methodology is designed to provide an objective assessment of a contractor's implementation status for 800-171, with the exception of requirements for which the scoring of partial implementation is built in, e.g., multi-factor authentication, which is requirement 3.5.3. The methodology is not designed to credit partial implementation.
Again, most are all or nothing: you get all the points or you subtract the points. Conduct of the NIST 800-171 assessment will result in a score reflecting the net effect of security requirements not yet implemented. If all security requirements are implemented, the contractor is awarded the score of 110, consistent with the total number of 800-171 security requirements. For each security requirement not met, the associated value is subtracted from 110. The score of 110 is reduced by each requirement not implemented, which may result in a negative score. While 800-171 does not prioritize security requirements, certain requirements have more impact on the security of the network and its data than others. The scoring methodology incorporates this concept by weighting each requirement based on the impact to the system, and to the DoD CUI created on or transiting through that system, when the requirement is not implemented. Weighted requirements include all the fundamental 800-171 basic security requirements. These are high-level requirements which, if not implemented, render ineffective the more numerous derived security requirements, and a subset of the derived security requirements that supplement the basic security requirements which, if not implemented, would allow for exploitation of the network and its information. Then they say two derived security requirements can be partially effective even if not completely or properly implemented, and the points deducted should be adjusted depending on how the security requirement is implemented. Again, these are the ones that support partial scoring. First, multi-factor authentication, which is security requirement 3.5.3, is typically implemented first for remote and privileged users, since they are both limited in number and more critical, and then for the general users. Three points are subtracted from the score if MFA is only implemented for remote or privileged users, and five points are subtracted if MFA is not implemented for any users.
Then FIPS-validated encryption, which is security requirement 3.13.11, is required to protect the confidentiality of CUI. If encryption is employed but not FIPS validated, three points are subtracted from the score of 110. If encryption is not employed, five points are subtracted. Then Item G: the contractor must have a system security plan. Again, the system security plan is basic security requirement 3.12.4, in place to describe each covered contractor information system, and you must have a plan of action and milestones, or POA&M, which is also a basic security requirement, 3.12.2, in place for each unimplemented security requirement, describing how and when the requirement will be met. This is a screenshot of a little tool we put together just to make it easy to create a score, and you can see in this example here: what is the assessment method, what is the value, how many points are available, and what is the score you earned. It's just a simple little tool to show how you might go about doing this, and then the next screenshot also shows a roll-up of that and the different items from NIST 800-171. That about does it for this video, so you can see here's a link to the latest Assessment Methodology, which is Version 1.2.1. With that, thanks for watching this video, and we will see you in the next video.
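As an added worked example (not the instructor's tool or the methodology's own code), the scoring rules from this video in Python: start at 110, subtract each unmet requirement's weight, treat "not applicable" and "alternative approach" items as met, and allow the reduced 3-point deduction only for 3.5.3 (MFA) and 3.13.11 (FIPS encryption). The weight table is a constructed sample, not the methodology's official list; only the 5-point values for 3.5.3 and 3.13.11 come from the video.

```python
"""Basic (self-)assessment score under the DoD NIST SP 800-171 Assessment Methodology v1.2.1."""

FULL_SCORE = 110  # one point per 800-171 requirement; all implemented == 110

# Constructed sample of per-requirement weights (points subtracted when a requirement is
# not implemented). Only 3.5.3 and 3.13.11 are grounded in the video; the rest are
# hypothetical placeholders so the example runs, not the methodology's official table.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5,
}

# The only two requirements that get a built-in partial deduction (3 instead of 5).
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA deployed for remote/privileged users only, not general users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}

MET_STATUSES = {"implemented", "not_applicable", "alternative"}  # no deduction, no POA&M
VALID_STATUSES = MET_STATUSES | {"partial", "not_implemented"}


def partial_allowed(req: str) -> bool:
    """True only for the requirements whose scoring has partial credit built in."""
    return req in PARTIAL_DEDUCTION


def deduction(req: str, status: str) -> int:
    """Points subtracted from 110 for one requirement in the given status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for {req}")
    if status in MET_STATUSES:
        return 0
    if status == "not_implemented":
        return WEIGHTS[req]
    # status == "partial": everything else is all-or-nothing
    if not partial_allowed(req):
        raise ValueError(f"{req} is all-or-nothing; score it as not_implemented")
    return PARTIAL_DEDUCTION[req]


def basic_score(statuses: dict, has_ssp: bool = True):
    """Return (score, poam_items). Without an SSP there is nothing to assess, so None."""
    if not has_ssp:
        return None, []  # 3.12.4: the SSP is the basis of the basic assessment
    total = 0
    poam = []  # every requirement that costs points needs a POA&M entry (3.12.2)
    for req, status in statuses.items():
        pts = deduction(req, status)
        total += pts
        if pts:
            poam.append(req)
    return FULL_SCORE - total, poam  # can go negative once deductions exceed 110
```

The sample set `{"3.1.1": "implemented", "3.1.2": "implemented", "3.1.20": "not_implemented", "3.5.3": "partial", "3.13.11": "not_implemented", "3.14.1": "alternative"}` deducts 1 + 3 + 5 and scores 101, with those three requirements flagged for the POA&M.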