Running Your NIST 800-171 Self-Assessment
Every defense contractor in the DIB must have a current NIST SP 800-171 assessment on file with the DoD. Under 32 CFR 170, this means an annual self-assessment scored and submitted to the Supplier Performance Risk System (SPRS). If your SPRS score isn't current when a contracting officer checks, it can affect your contract award.
This is distinct from a CMMC Level 2 certification assessment, which requires a third-party C3PAO. The self-assessment satisfies an ongoing compliance requirement — it's both a documentation exercise and a genuine process that should surface gaps and drive your POA&M.
Here's how to run it.
What the Self-Assessment Is (and Isn't)
The NIST 800-171 self-assessment evaluates whether you've implemented the 110 security requirements in NIST SP 800-171 Rev 2 across your CUI systems. It's scored using the DoD Assessment Methodology, which assigns point values to each requirement.
What it is:
- A systematic evaluation of all 110 requirements against your actual systems
- A scored output submitted to SPRS
- The basis for your POA&M (identifying what's not yet implemented)
- A compliance record required under 32 CFR 170
What it is not:
- A CMMC certification (that requires a C3PAO)
- A guarantee of security (you can self-assess honestly and still have gaps)
- A one-time exercise (it's required annually and whenever significant changes occur)
The self-assessment is on the honor system. You score yourself and submit. But the False Claims Act changes the stakes dramatically — a contractor who self-certifies NIST 800-171 compliance while knowing they're materially non-compliant is exposed to whistleblower claims and DoJ enforcement. This isn't a theoretical risk; there have been settlements exceeding $9 million specifically involving NIST 800-171 false certifications. Score honestly.
The Assessment Framework: NIST SP 800-171A
The document you need — not SP 800-171 itself, but NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information" — provides the specific assessment procedures for each of the 110 requirements.
SP 800-171A translates each requirement into assessment objectives. For example, NIST SP 800-171 requirement 3.1.1 (Limit system access to authorized users) becomes four assessment objectives in SP 800-171A:
- 3.1.1[a] Authorized users of the system are identified.
- 3.1.1[b] Processes acting on behalf of authorized users are identified.
- 3.1.1[c] Devices (and other systems) authorized to connect to the system are identified.
- 3.1.1[d] System access is limited to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Each objective is assessed via three methods: Examine (reviewing documentation), Interview (talking to personnel), and Test (verifying controls work technically). The total requirement is met only if all objectives are met.
Download SP 800-171A from the NIST Computer Security Resource Center (csrc.nist.gov). Use it as your assessment checklist — not SP 800-171 itself, which lists requirements without assessment procedures.
Step 1: Scope Your Assessment
Before you assess anything, define what you're assessing. Your self-assessment covers the boundary that processes, stores, or transmits CUI — your CUI environment. This is the same boundary documented in your System Security Plan.
If your scope isn't defined, define it now. Build your asset inventory: every server, workstation, network device, and cloud service in the CUI environment. Build your data flow diagrams: trace CUI from where it enters your organization to where it's stored, processed, transmitted, and eventually destroyed or returned.
Don't under-scope. Under-scoping — leaving systems out of the assessment because you don't want to deal with them — is how contractors create gaps between their SPRS score and their actual security posture. If a system touches CUI and isn't in scope, you've self-assessed a portion of your environment and called it the whole thing.
Step 2: Assign Assessment Roles
The self-assessment isn't a solo exercise for the IT manager. It requires:
Technical staff — System administrators and network engineers who know how the systems are actually configured. They provide evidence: configuration screenshots, logs, access control lists.
Compliance lead — The person coordinating the assessment, maintaining the worksheet, and ensuring consistent interpretation of requirements.
Management representative — Someone with authority to make risk acceptance decisions and sign off on the POA&M. The assessment will surface gaps; someone needs to authorize the organizational response to each one.
For organizations with 50–200 employees and 10–30 in-scope systems, the initial self-assessment typically takes 60–120 hours of total effort across these roles. Plan accordingly — this isn't a half-day exercise.
Step 3: Work Through Each Control Family
NIST SP 800-171 has 14 families. Work through each systematically. For each requirement, make a determination:
- Implemented (MET) — The control is fully in place across all in-scope systems.
- Partially Implemented (PARTIAL) — The control exists in some systems or in some configurations, but not consistently.
- Not Implemented (NOT MET) — The control is not in place.
Don't guess. Pull evidence for each determination. If you're assessing 3.3.1 (audit logging), pull your actual log configuration from each in-scope system. Don't assume it's implemented because you set it up two years ago — verify the current state.
The 14 families:
- Access Control (22 requirements) — The largest family. User authentication, access limitations, remote access, wireless. Common gaps: shared accounts, no MFA for remote access, no documented access review process.
- Awareness and Training (3 requirements) — Security awareness training, role-based training, insider threat awareness. Gaps here are often documentation failures — training happens informally but completion records don't exist.
- Audit and Accountability (9 requirements) — Log generation, content, protection, and review. Gaps: logging not centralized, logs kept in accessible form for less than 90 days, no evidence of regular log review.
- Configuration Management (9 requirements) — Baseline configurations, change control, least functionality. Gaps: no documented baselines, default services running, no formal change approval process.
- Identification and Authentication (11 requirements) — User and device identification, password management, MFA. Common gap: MFA not deployed for remote access or privileged accounts.
- Incident Response (3 requirements) — IR capability, IR training, IR testing. Documentation gaps common; incident response testing is often missing entirely.
- Maintenance (6 requirements) — Controlled maintenance, remote maintenance security, maintenance records. Gaps: maintenance performed without supervision, remote tools not monitored.
- Media Protection (9 requirements) — CUI marking, media access, transport protection, sanitization. Common gap: no defined process for sanitizing media before disposal.
- Personnel Security (2 requirements) — Screening, termination procedures. Often overlooked; termination procedures that don't include timely access revocation are a frequent finding.
- Physical Protection (6 requirements) — Physical access controls, CUI area protection, visitor control. Gaps often occur when physical access is managed by facilities rather than IT, with no coordination between the two.
- Risk Assessment (3 requirements) — Periodic risk assessment, vulnerability scanning, remediation. The RA family is covered separately in this hub; just verify you have a completed, dated assessment and current scan results.
- Security Assessment (4 requirements) — Periodic control assessment, POA&M, continuous monitoring, configuration management plan. Gaps: no formal assessment conducted, POA&M not current.
- System and Communications Protection (16 requirements) — Network segmentation, boundary protection, encryption, session management. One of the largest technical domains; encryption gaps (especially FIPS-validated encryption) are common.
- System and Information Integrity (7 requirements) — Malware protection, security alerts, patch management, data integrity, spam protection. Gaps: anti-malware not deployed on all systems, no defined patch schedule.
Step 4: Score Your Assessment
The DoD Assessment Methodology assigns each of the 110 requirements a specific point value that is deducted when the requirement is not met. The maximum score is 110 (all implemented). Each unimplemented requirement subtracts its weighted value.
Key scoring rules:
- Partially Implemented requirements score as NOT MET for SPRS purposes — you don't get partial credit.
- The minimum possible score is -203 (nothing implemented).
- Your SPRS score represents your current state; your POA&M represents your plan to improve it.
Use a scoring worksheet. NIST and the DoD provide the methodology document with point values for each requirement. Build a simple spreadsheet: one row per requirement, a status column (Met/Not Met), and the point value for each Not Met finding. Subtract the total deductions from 110 to get your score.
Do not inflate your score. "Partially Implemented" is not the same as "Implemented." Marking a control as Met when it's only partially in place creates a false SPRS score. Under the False Claims Act, a material misrepresentation in your SPRS score — where you certify compliance while knowingly non-compliant — can result in treble damages. Score the reality.
Step 5: Build or Update Your POA&M
Every Not Met finding requires a POA&M entry under CA.L2-3.12.4. The POA&M documents:
- The specific gap
- The planned remediation action
- The milestone completion date
- The responsible party
- The estimated resources needed
A POA&M that lists "implement MFA" with no date, owner, or resource estimate is a placeholder, not a plan. Make each entry specific and actionable.
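The following worked example, added here and not part of the original article or of any NIST or DoD tool, ties Steps 3 through 5 together: it rolls SP 800-171A objective-level determinations up to a requirement status (MET only when every objective is MET), scores the worksheet the way Step 4 describes (start at 110, deduct the full weight of anything not fully MET, no partial credit), checks that the worksheet is complete enough to trust (110 rows, weights summing to the 313-point spread between 110 and -203), and flags POA&M entries that are placeholders rather than plans. Requirement IDs 3.1.1, 3.3.1 and 3.5.3 are real SP 800-171 identifiers; the objective labels for 3.1.1 are the four quoted above, while the objective lists for 3.3.1 and 3.5.3, every point weight, and the POA&M rows are constructed sample data. Take the official weights from the DoD Assessment Methodology document.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Figures stated in the article: 110 if everything is implemented, -203 if
# nothing is, so the weights of all 110 requirements must sum to 313.
MAX_SCORE = 110
MIN_SCORE = -203
REQUIREMENT_COUNT = 110
TOTAL_WEIGHT = MAX_SCORE - MIN_SCORE  # 313


@dataclass
class Requirement:
    """One SP 800-171 requirement with its SP 800-171A objective results."""
    req_id: str
    weight: int                  # points deducted when the requirement is not MET
    objectives: Dict[str, str]   # objective label -> "MET" or "NOT MET"

    def status(self) -> str:
        # SP 800-171A rule: the requirement is MET only if every objective is MET.
        results = set(self.objectives.values())
        if results == {"MET"}:
            return "MET"
        if "MET" in results:
            return "PARTIAL"
        return "NOT MET"


@dataclass
class PoamEntry:
    """The five fields the article says every POA&M entry must carry."""
    req_id: str
    gap: str
    action: str
    milestone: Optional[date]
    owner: str
    resources: str

    def missing_fields(self) -> List[str]:
        missing = []
        if not self.gap.strip():
            missing.append("gap")
        if not self.action.strip():
            missing.append("action")
        if self.milestone is None:
            missing.append("milestone")
        if not self.owner.strip():
            missing.append("owner")
        if not self.resources.strip():
            missing.append("resources")
        return missing


def validate_worksheet(reqs: List[Requirement]) -> List[str]:
    """Checks to run before trusting a score: no duplicate rows, all 110
    requirements present, weights consistent with the 110 / -203 range."""
    problems = []
    ids = [r.req_id for r in reqs]
    if len(ids) != len(set(ids)):
        problems.append("duplicate requirement IDs in worksheet")
    if len(reqs) != REQUIREMENT_COUNT:
        problems.append(f"worksheet has {len(reqs)} rows, expected {REQUIREMENT_COUNT}")
    total = sum(r.weight for r in reqs)
    if total != TOTAL_WEIGHT:
        problems.append(f"weights sum to {total}, expected {TOTAL_WEIGHT}")
    return problems


def sprs_score(reqs: List[Requirement]) -> int:
    """Start at 110 and deduct the full weight of every requirement that is
    not fully MET. PARTIAL earns no credit, as the article states."""
    return MAX_SCORE - sum(r.weight for r in reqs if r.status() != "MET")


def poam_problems(reqs: List[Requirement], poam: List[PoamEntry]) -> Dict[str, List[str]]:
    """Every non-MET requirement needs a POA&M entry with all five fields filled."""
    by_id = {e.req_id: e for e in poam}
    problems: Dict[str, List[str]] = {}
    for r in reqs:
        if r.status() == "MET":
            continue
        entry = by_id.get(r.req_id)
        if entry is None:
            problems[r.req_id] = ["no POA&M entry"]
        elif entry.missing_fields():
            problems[r.req_id] = entry.missing_fields()
    return problems


# Constructed sample worksheet: three rows only, so validate_worksheet will
# rightly complain. Weights are placeholders, not the official DoD values.
SAMPLE_REQUIREMENTS = [
    Requirement("3.1.1", 5, {"a": "MET", "b": "MET", "c": "MET", "d": "MET"}),
    Requirement("3.3.1", 5, {"a": "MET", "b": "MET", "c": "NOT MET"}),  # logging on some systems only
    Requirement("3.5.3", 5, {"a": "NOT MET", "b": "NOT MET"}),          # no MFA deployed
]

# Constructed POA&M: one real plan, one of the article's "placeholder, not a plan" entries.
SAMPLE_POAM = [
    PoamEntry("3.3.1", "Workstations not forwarding logs to central collector",
              "Deploy log forwarding agent to all in-scope workstations",
              date(2025, 3, 31), "IT manager", "40 staff hours, existing collector licence"),
    PoamEntry("3.5.3", "MFA not enforced for remote access", "implement MFA", None, "", ""),
]

if __name__ == "__main__":
    for p in validate_worksheet(SAMPLE_REQUIREMENTS):
        print("WORKSHEET:", p)
    print("Score:", sprs_score(SAMPLE_REQUIREMENTS))
    for req_id, issues in poam_problems(SAMPLE_REQUIREMENTS, SAMPLE_POAM).items():
        print(f"POA&M {req_id}: {', '.join(issues)}")
```

Note that the score is only meaningful once `validate_worksheet` returns no problems; on this three-row sample it reports the missing rows and the weight shortfall, which is the point of running the check before anything goes into SPRS.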
Step 6: Submit to SPRS and Affirm
When your assessment is complete and scored:
- Log into the SPRS portal (piee.eb.mil, under Supplier Performance Risk System)
- Submit your assessment score with the date of assessment
- The annual affirmation under 32 CFR 170 confirms that you have a current self-assessment and that your SPRS score remains accurate
Keep the full assessment documentation — your completed SP 800-171A worksheet, the evidence you collected, your scoring spreadsheet, your POA&M — on file. If the DoD or a prime contractor requests a copy of your assessment documentation, you need to be able to produce it. Three years is a reasonable retention period.
Common Mistake: Assessing Without SP 800-171A
The most common self-assessment failure: conducting the assessment against SP 800-171's requirement list without using SP 800-171A's assessment procedures.
SP 800-171 tells you what to implement. SP 800-171A tells you what evidence is needed to demonstrate implementation and what questions to ask. If you're just reading each requirement and deciding "yes, we do that," you're likely to over-score — marking things as Met that an assessor would find partially implemented or not implemented at all.
Example: Requirement 3.13.8 requires FIPS-validated encryption for CUI at rest. If you assess this by asking "do we use BitLocker?" and mark it Met, you might be wrong. If you use SP 800-171A's assessment objectives, you'd also check whether FIPS mode is enabled in Group Policy, whether the specific BitLocker version is on the NIST CMVP validated modules list, and whether all in-scope systems actually have BitLocker enabled — not just whether BitLocker is licensed.
The difference matters. An over-scored self-assessment means your SPRS score doesn't reflect your actual posture, and your POA&M misses gaps that will be found in your C3PAO assessment.
When to Hire Outside Help
The self-assessment is something you're supposed to do yourself — it's an attestation of your own posture, not a third-party audit. But that doesn't mean you have to do it without help.
Hiring a consultant to run your initial self-assessment alongside your team is common. They bring assessment experience, know the common gaps, and can help you interpret requirements consistently. A facilitated self-assessment typically runs $15,000–$30,000 for a small-to-mid-size contractor.
If you're preparing for a CMMC Level 2 C3PAO assessment, consider a third-party readiness assessment (sometimes called a mock assessment) before you submit for certification. This is a simulated assessment by an experienced consultant who evaluates your posture against the C3PAO standard. It typically surfaces findings your self-assessment missed and gives you 2–4 months to address them.
The annual reassessment — after you've done the initial one and closed your major POA&M items — typically takes 20–40 hours if your documentation is current.
What Your Assessor Expects
For a CMMC Level 2 C3PAO assessment, your self-assessment history is not the primary artifact — the actual assessment against your live systems and documentation is. But assessors review your SPRS record as context. An SPRS score that improved dramatically in the 30 days before the assessment is a yellow flag.
Assessors also look at your POA&M to understand what gaps you've acknowledged. A POA&M that's honest — with real gaps, realistic timelines, and evidence of items being closed — demonstrates that your risk management process is functioning. A POA&M with no closed items over 18 months raises questions about whether the process is real.
Run your self-assessment honestly. Document it thoroughly. Submit it accurately. That's the baseline — everything the certification assessment builds on.
---
Ready to move from self-assessment to full C3PAO certification? Start with Aligning Risk Management with CMMC to make sure your risk program is ready.