Basic Assessment & Scoring Services

Has your DoD Contracting Officer or Prime client asked you for your NIST 800-171 Assessment score? We Have Your Back.We get it, your time is best spent on making, selling, and promoting your product; a product that may be sold directly or indirectly to the Department of Defense (DoD). To do business with the DoD you need to meet certain regulations that support the mandate the DoD has to keep the United States secure. Department of Defense Contractors do this through safeguarding information, which is kept digitally or physically. These regulations are set forth in the Cybersecurity Maturity Model Certification (CMMC) V1.02, published March 18, 2020.

What does the United States DoD require of you?

There are two types of unclassified information which need to be safeguarded:

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

The DoD uses a maturity model to characterize where Defense Industry Base (DIB)contractors are at in their level of Cybersecurity.

There are 5 levels of CMMC (Cybersecurity Maturity Model Certification) possible. Most contractors need to be concerned with Level 1 or Level 3 as Level 2 indicates a transition stage from 1 to 3.

Level 1 Applies to Your Company

  • If you only get Federal Contract Information (FCI).
  • Federal Contract Information is any information that is not available to the public such as delivery location, installation date, special access codes.
  • Any Information that could put the DoD at risk if a hacker received the information.

Level 3 Applies to Your Company

  • If you get or create Controlled Unclassified Information (CUI)
  • CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended
  • It is either created by the government or created for the government.
  • CUI categories are defined in the Archives.govsite.
  • Builds upon existing regulations (DFARS 252.204-7012) for NIST-800-171 requirements.

These Levels include Domains, Processes, Capabilities, and Practices in the below framework:

Services Included

The NIST SP 800-171 document specifies the security requirements you need to meet CMMC Level 1 or CMMC Level 3 Certification. CPI Systems will help you determine what level you need to be.

NIST SP 800-171 Basic Assessment Services

  • DFARS 7012-24.7012 currently mandates all companies within the Defense Industrial Base (DIB) that handle, store, process, or transmit(CUI), to provide a current (within 3 years) NIST 800-171 Basic Assessment score.
  • CPISYS will guide you through preparing for aNIST-SP 800-171 Assessment.

NIST SP 800-171 Scoring Services

  • Assessment Scoring must be done by an authorized provisional assessor.
  • CPISYS works within a small ecosystem of provisional assessors and will facilitate the scoring process when you are ready.

NIST SP 800-171 Basic Assessment Services

  • DFARS 7012-24.7012 currently mandates all companies within the Defense Industrial Base (DIB) that handle, store, process, or transmit (CUI), to provide a current (within 3 years) NIST 800-171 Basic Assessment score.
  • CPISYS will guide you through preparing for a NIST-SP 800-171 Assessment.
  • Our 3rd Party Assessment & Score are facilitated over 4-5 hours, with a CMMC Registered Practitioner (RP) or Provisional Assessor (PA).
  • You will satisfy current requirements for DFARS 252.204-7012.
  • Includes Gap Analysis and Plan of Action & Milestones (POA&M), and administrative & technical resources for next steps
  • And your initial System Security Plan (SSP) including:

  • Data Flows

  • Network Diagram

  • HW/SW Inventory

  • 3rd Party Inherited/Shared Controls

  • Detailed Gap analysis and Plan

  • Customized resources for next steps

  • This is your springboard for CMMC total compliance

Contact Us About Your NIST/CMMC Needs