How often should I update my NIST800-171 assessment?

Under the NIST SP 800-171 DoD (Department of Defense) guidelines, companies that handle or store Controlled Unclassified Information (CUI) must perform specific cybersecurity assessments. The Federal Government’s Interim Rule, which took effect on November 30, 2020, mandates that organizations subject to the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 must conduct a Basic Assessment of compliance using their System Security Plans (SSPs).

This Basic Assessment involves calculating a score based on the 110 security controls found within NIST SP 800-171. Full compliance with all NIST SP 800-171 controls maintains the maximum score of 110, while points are deducted for each unimplemented or partially-implemented control. After completing this assessment, organizations must enter their scores into the Supplier Performance Risk System (SPRS), along with a commitment date to achieve full compliance.

The crucial aspect of this requirement is the update frequency. All members of the Defense Industrial Base (DIB) subject to DFARS 252.204-7019 and -7020 must update their entries on SPRS at least once every three years. This includes the date of the Basic Assessment, the score, the relevant Commercial and Government Entity (CAGE) codes, and the date by which they expect to achieve the maximum score.

Therefore, a company must reassess its compliance with NIST SP 800-171 and update its SPRS entry at least every three years. This periodic reassessment is crucial to maintaining eligibility for future contracts involving the exchange of CUI and ensuring adherence to the DoD’s cybersecurity requirements.

This information was obtained from the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, dated June 24, 2020, as outlined on the website Acquisition.GOV.

But requirements changed in CMMC 2.0!

Under the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, the frequency of self-assessments for Level 1 (“Foundational”) compliance is annually. This level of compliance does not involve sensitive national security information and is viewed as an opportunity for contractors to develop and strengthen their approach to cybersecurity. The annual self-assessment is intended to identify gaps between a contractor’s current security posture and what is needed to pass the full assessment by a Certified 3rd Party Assessment Organization (C3PAO). This information was obtained from Cuick Trac, a website providing guidance on CMMC self-assessment.

image of CMMC Self-Assessment Guide - Cuick Trac

CMMC Self-Assessment Guide – Cuick Trac


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Verified by MonsterInsights