In our last article, we examined some of the various ways in which your organization and subcontractors can conduct an assessment in order to gauge the status of your existing controls and the areas in which they need to be improved.  This is all part of the effort to become compliant with the CMMC, no matter which Maturity Level you are attempting to get certified in.

What Is Scoring?

It is important to note that once the assessment has been completed, the next step is to compute a score to reflect the results of what you have examined.  The NIST Special Publication (SP) 800-171 provides a detailed overview as to how a defense contractor should score themselves.  In this article, we provide some of the highlights.

The basic premise of this methodology is to show the DoD, on a quantitative basis, at what particular level you stand after your initial assessment.  One of the key things to remember is that you cannot score yourself on a partial assessment; it must be a complete one, all the way through.

If all of the controls in your organization have a satisfactory level of implementation, the maximum score that you can receive is a 110.  The only exception where a partial assessment is allowed is if a particular control or group of controls is making use of Multi Factor Authentication (MFA).

However, if there are gaps or vulnerabilities that need to be remediated, then your score will obviously go down.  In fact, if your security posture is very weak, it is quite possible that you may even receive a negative score.

The maximum negative score that you can receive is a -203.  While the guidelines do not prioritize one control over another (in other words, all controls are viewed equally), some of them will have what is known as a weighted score.

This weighted score approach merely reflects which controls in your organization play an important role in the CUI and FCI datasets that the DoD is entrusting your company with.  These statistical weights are dependent upon the following:

  • The Basic Security Controls:
    These are the high-level controls that will provide just the required amount of protection to safeguard the CUI and FCI datasets.
  • The Derived Security Controls:
    These are the more granular controls that provide far greater protection to the FCI and CUI datasets than the basic ones.  It is important to note that these controls receive a much higher statistical weight, because they are deemed more critical in assuring the DoD that your business has a relatively strong security posture.  There are also various subsets of these kinds of controls which are closely scrutinized.  These controls are also deemed critical in the sense that if they are exploited by a cyberattacker, it could lead to a higher rate of data exfiltration.

Each control that you have in place is assigned a numerical score from 1 to 5.  How a particular value is assigned is largely dependent upon that control’s significance to the overall protection of the FCI and CUI datasets.  Of course, those controls that fall under the derived set (as just reviewed) will have a much greater impact on the overall score, since they are statistically weighted.

After you have finished assigning the individual scores, you then need to compute the composite score.  If this falls below the 110 threshold, you must compile and submit to the DoD what is known as a “Plan of Action and Milestones”, or “POA&M” document.  This describes the specific steps that you will take to remediate any gaps or vulnerabilities that were discovered in the controls, so that your organization can achieve that needed score of 110.

You do not have to wait until all of the deficient controls have been rectified to submit this document; you can also submit your updated scores to the DoD, on a real-time basis, as the gaps are closed.  More specific details on this scoring system can be seen in the NIST SP 800-171 Assessment Methodology Version 1.2.1.6.4.2020 on pages 5-10.  This particular document can be accessed here.
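As an added illustration of the arithmetic described above (not code from the article or from FutureFeed), the script below starts from the 110-point maximum, subtracts the weighted deduction for each control that is not fully implemented, gives the reduced deduction the methodology allows for partially implemented MFA, and flags whether a POA&M is needed.  The control identifiers and weights in the sample findings are constructed for the example; look up the real weight of each requirement in the methodology itself.

```python
from dataclasses import dataclass

MAX_SCORE = 110            # every one of the 110 requirements implemented
MIN_SCORE = -203           # every requirement unimplemented (110 minus 313 weighted points)
MFA_CONTROL = "3.5.3"      # SP 800-171 multifactor authentication requirement
PARTIAL_MFA_DEDUCTION = 3  # reduced deduction allowed when MFA is only partially in place


@dataclass(frozen=True)
class Finding:
    control: str   # SP 800-171 requirement id, e.g. "3.1.1"
    weight: int    # methodology weight for this requirement: 1, 3 or 5 points
    status: str    # "implemented", "partial" or "not_implemented"


def deduction(finding: Finding) -> int:
    """Points lost for one requirement; only MFA earns partial credit."""
    if finding.status == "implemented":
        return 0
    if finding.status == "partial":
        # Partial credit exists only for MFA; any other partially
        # implemented control is scored as not implemented.
        return PARTIAL_MFA_DEDUCTION if finding.control == MFA_CONTROL else finding.weight
    if finding.status == "not_implemented":
        return finding.weight
    raise ValueError(f"{finding.control}: unknown status {finding.status!r}")


def compute_score(findings: list[Finding]) -> int:
    """Composite score for a complete assessment; controls absent from `findings` count as implemented."""
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the 313 points available")
    return score


def needs_poam(score: int) -> bool:
    """A POA&M is required whenever the composite score is below 110."""
    return score < MAX_SCORE


# Constructed sample findings; the weights here are illustrative, not looked up.
SAMPLE_GAPS = [
    Finding("3.1.1", 5, "not_implemented"),  # -5
    Finding("3.1.5", 3, "not_implemented"),  # -3
    Finding("3.4.2", 1, "not_implemented"),  # -1
    Finding("3.5.3", 5, "partial"),          # -3, MFA partial credit
    Finding("3.1.2", 5, "implemented"),      # 0
]

if __name__ == "__main__":
    s = compute_score(SAMPLE_GAPS)
    print(f"score={s} poam_required={needs_poam(s)}")  # score=98 poam_required=True
```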

What Is The SPRS?

This is an acronym that stands for the “Supplier Performance Risk System”.  This is a special score where those contractors that deal exclusively with the DoD for bidding on contracts can submit their overall score.  Much more detailed information and free guides are available here.

Further Steps

Remember to use the tools from FutureFeed to help you in assessing and keeping track of your score.  Also, contact us if you need further help with this or have questions.

Finally, don’t forget to register for the very special CMMC Symposium on October 28th.  You can register here.
