About The NIST 800-171 Assessment

NIST Special Publication 800-171 is an assessment used to make you, the federal contractor, aware of the safeguards required for information the US public expects you to protect. Federal protected information can carry a variety of labels, all of which you can research with your Facility Security Officer (FSO). The minimum control label is CUI (Controlled Unclassified Information). Anything labeled CUI or above must be protected according to the NIST 800 (Risk Management Framework) guidelines.


If you are going to be participating in any US DoD contracts, whether direct or through a team, you must complete your self-assessment and upload the result to the Procurement Integrated Enterprise Environment (PIEE).

  • Download NIST SP 800-171 R3 [PDF]
  • CMMC Resources
  • NIST CSRC Reference Tool

From NIST SP 800-171r3

DFARS provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires, among other things, offerors to represent they will implement the security requirements in NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. To document implementation of NIST SP 800-171, the contractor must develop, document, and periodically update a system security plan that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. If implementation of the security requirements is not complete, companies must develop and implement plans of action to describe when and how any unimplemented security requirements will be met.

The first step in creating a security plan is assessing your posture. What controls do you have in place to protect your own data? How do you manage personnel who will have privileged access to your data? What are your policies and procedures for retiring access to data when personnel change? Once you have determined these controls and procedures, assess how they apply to data from the US federal government that is labeled CUI (or above). Running through the assessment provided by GoNist800 will help you understand the requirements for protecting this important information.

3 Levels of Assessment

There are 3 levels of assessment according to NIST 800-171r3 and 800-53r5:

  • Basic - This is the self-assessment provided by this web site. Here you answer questions and upload a score to the PIEE for review.
  • Medium - This is a review by US DoD personnel. During this assessment, the personnel review your security plan and procedures.
  • High - This is an on-site or virtual visit by US DoD personnel to review your security plan and document how the plan is implemented and executed.


The Score

Your security posture is more than just a number. The NIST 800-171 assessment score starts at 110 points. Each requirement that is not implemented results in a deduction from this score. The final score is the result that is uploaded to the PIEE site for review. It is easy to defraud the DoD by uploading a score of 110 without running through the assessment. This could get you barred from federal contracting, so assess your security truthfully and implement the necessary changes to your policies and procedures (P&P) so that you can earn a score of 110 and continue on your federal contracting journey.

Final Note

Remember, information provided by the US federal government is privileged information entrusted to you by the citizens of the United States of America. They expect you to protect it as vital to the security of their interests, both domestic and foreign. If you need help securing your CUI, you can march over to Beyond Ordinary's CUI Vault tool and purchase a license today. That will help you get a handle on implementing the most basic protections against CUI leakage.
