Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments

Today’s read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s February 2022 Air & Atmosphere Furnace Systems print edition.


Introduction

Do you have plans to perform your NIST SP 800-171 self-assessment, but need more clarity about what’s involved? DFARS 252.204-7012 and the DFARS Interim Rule, including DFARS 252.204-7019, state that all DoD contractors in the Defense Industrial Base (DIB) that process, store, and/or transmit CUI (Controlled Unclassified Information) and want to be eligible for any contract award must complete a self-assessment (or basic assessment) using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. This score will then be uploaded into the Supplier Performance Risk System (SPRS). At the time of contract award for a DoD contract containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.

For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Identifying and Defining Your Organization’s CUI

Your NIST 800-171 basic self-assessment should start by identifying CUI sources and flows and mapping them within your organization’s IT systems. Organizations need to understand that CUI is an information category that includes Covered Defense Information (CDI) and Controlled Technical Information (CTI).

Define the Scope of the Self-Assessment

Once you have identified all CUI, you're ready to scope the environment. To scope it correctly, first determine which systems, applications, and business procedures process, store, or transmit CUI. Second, define the details of how data moves through your network.

NIST 800-171 Self-Assessment Procedure

You can find the self-assessment procedure for all compliance requirements in NIST SP 800-171A. A self-assessment is performed by evaluating all 320 assessment/control objectives. Assessment/control objectives include the determination statements related to a particular security requirement. The 320 assessment/control objectives are divided among 110 separate controls, which are grouped into 14 different control families.

Self-assessment methods include:

  • Examining: reviewing, inspecting, observing, or analyzing assessment objects
  • Interviewing: discussing with individuals to facilitate understanding, obtain clarification, or gather evidence
  • Testing: confirming that assessment objects under specified conditions are met

Organizations are not expected to use all assessment methods and objects in NIST 800-171A. Instead, they have the freedom to determine which methods and objects are best for them to get the desired results.

Must Have a System Security Plan (SSP)

One of the most important requirements for a successful self-assessment is having a System Security Plan (SSP). Not having an SSP is a definite obstacle.

The SSP describes the system boundaries, how the IT system operates, how the security requirements are implemented, and the relationships with, or connections to, other systems. It also includes information on security requirements.

Plan of Action & Milestones (POA&M)

To best protect CUI, organizations need to implement the CUI security requirements to the fullest extent possible. But, when some of the requirements are not completely implemented, a POA&M must be generated. The POA&M includes the tasks needed to resolve deficiencies, along with the resources and timelines required.

The purpose of the POA&M is to identify, assess, prioritize, and monitor the progress of corrective actions, allowing the organization to achieve the desired assessment score.

Next month we will discuss: “Submitting Your Basic Self-Assessment Score(s) To The SPRS.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.