NIST SP 800-171 Basic Assessment & Scoring Services

All Assessments Conducted by CMMC Provisional Assessors

We Have Your Back.

We get it: your time is best spent on making, selling, and promoting your product, a product that may be sold directly or indirectly to the Department of Defense (DoD). To do business with the DoD, you need to meet certain regulations that support the DoD's mandate to keep the United States secure. Department of Defense contractors do this by safeguarding information, which is kept digitally. These regulations are set forth in the Cybersecurity Maturity Model Certification (CMMC) V1.02, published March 18, 2020.

What does the United States DoD require of you?

There are two types of unclassified information which need to be safeguarded:

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

The DoD uses a maturity model to characterize where Defense Industrial Base (DIB) contractors are in their level of cybersecurity.

There are 3 levels of CMMC (Cybersecurity Maturity Model Certification) possible. Most contractors need to be concerned with Level 1 or Level 2.

Level 1 Applies to Your Company

  • If you only get Federal Contract Information (FCI).
  • Federal Contract Information is any information that is not available to the public, such as delivery location, installation date, or special access codes.
  • Any information that could put the DoD at risk if a hacker received the information.

Level 3 Applies to Your Company

  • If you get or create Controlled Unclassified Information (CUI).
  • CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
  • It is either created by the government or created for the government.
  • CUI categories are defined in the gov site.
  • Builds upon existing regulations (DFARS 252.204-7012) for NIST-800-171 requirements.

Services Included

The NIST SP 800-171 document specifies the security requirements you need to meet CMMC Level 1 or CMMC Level 2 Certification. CPI Systems will help you determine what level you need to be.

NIST SP 800-171 Basic Assessment Services

  • DFARS 7012-24.7012 currently mandates that all companies within the Defense Industrial Base (DIB) that handle, store, process, or transmit CUI provide a current (within 3 years) NIST 800-171 Basic Assessment score.
  • CPISYS will guide you through preparing for a NIST SP 800-171 Assessment.

NIST SP 800-171 Scoring Services

  • Assessment Scoring must be done by an authorized provisional assessor.
  • CPISYS works within a small ecosystem of provisional assessors and will facilitate the scoring process when you are ready.
