You can begin the assessment by navigating to the NIST 171r2 framework from the Compliance Dashboard.
Each NIST control can then be scored; controls marked Not Implemented or Partially Implemented reduce the score.
If your organization is pursuing CMMC compliance (or is already compliant), submitting scores to the SPRS system annually is mandatory for maintaining compliance.
The Self Assessment feature within Strike Graph aligns with the SPRS scoring rubric outlined in the NIST Assessment Scoring Methodology document. SPRS scores are calculated by starting at 110 points. Each NIST 800-171 control is then scored based on whether the NIST requirement has been fully implemented. Each NIST control is worth either 5, 3, or 1 points, and partial credit for partial implementation is not granted (with the exception of two requirements, outlined in the table below).
If a NIST requirement is fully implemented, 0 points are deducted from the 110 starting value. If a requirement is not implemented or partially implemented, the value of that control is subtracted from the 110 starting value.
If a firm has fully implemented all NIST 171r2 requirements, its score will remain at 110, which is a "perfect" score. A score of 110 is ideal for CMMC certification, but conditional certification is possible with scores as low as 88, as long as suitable POAMs are documented.
| Requirement | Score | Note |
| --- | --- | --- |
| 3.5.3 Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to nonprivileged accounts | 3 to 5 | Subtract 5 points if MFA is not implemented. Subtract 3 points if MFA is implemented for remote and privileged users, but not the general user. |
| 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | 110 | The absence of a system security plan would result in a finding that "an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012." In scoring terms, not having an SSP is an automatic fail, so scoring this control as Not Applicable, Partially Implemented, or Not Implemented results in a 110-point deduction. |
| 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | 3 to 5 | Subtract 5 points if no cryptography is employed; subtract 3 points if employed cryptography is mostly not FIPS validated. |
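The scoring rules above (start at 110, subtract a control's full weight unless it is Fully Implemented, 3-point partial deductions only for 3.5.3 and 3.13.11, and a 110-point deduction when there is no SSP for 3.12.4) can be checked against a small scorer. The Python below is an added example, not Strike Graph's code: the per-control weights other than the three table rows are constructed sample values (the real 5/3/1 weights must be looked up in the assessment methodology), the control statuses are a constructed assessment, and treating Not Applicable as no deduction for controls other than 3.12.4 is an assumption the page does not state.

```python
from enum import Enum

STARTING_SCORE = 110           # every SPRS assessment starts here
CONDITIONAL_CERT_MINIMUM = 88  # lowest score at which conditional certification is still possible
SSP_CONTROL = "3.12.4"         # missing system security plan: assessment cannot be completed
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}  # the only controls with a 3-point partial deduction


class Status(Enum):
    FULLY_IMPLEMENTED = "Fully Implemented"
    PARTIALLY_IMPLEMENTED = "Partially Implemented"
    NOT_IMPLEMENTED = "Not Implemented"
    NOT_APPLICABLE = "Not Applicable"


# Constructed sample weights (assumption). The real 5/3/1 values for each
# requirement come from the published assessment methodology; only the three
# special-case rows follow the table on this page.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,
    "3.1.2": 5,
    "3.1.20": 1,
    "3.3.1": 5,
    "3.5.3": 5,      # 5 if no MFA, 3 if MFA only covers remote and privileged users
    "3.12.4": 110,   # no SSP: automatic fail
    "3.13.11": 5,    # 5 if no cryptography, 3 if cryptography is mostly not FIPS validated
}


def deduction(control_id: str, status: Status, weights: dict) -> int:
    """Points subtracted for a single control under the page's rules."""
    if status is Status.FULLY_IMPLEMENTED:
        return 0
    if control_id == SSP_CONTROL:
        # Not Applicable, Partially Implemented and Not Implemented all mean
        # "no SSP" and cost the full 110 points.
        return weights[control_id]
    if status is Status.NOT_APPLICABLE:
        # Assumption: the page does not say how N/A is scored for other
        # controls; this example treats it as no deduction.
        return 0
    if control_id in PARTIAL_CREDIT_CONTROLS and status is Status.PARTIALLY_IMPLEMENTED:
        return 3
    # Every other control is all-or-nothing: partial implementation costs the full weight.
    return weights[control_id]


def sprs_score(assessment: dict, weights: dict = SAMPLE_WEIGHTS):
    """Return (score, {control_id: points lost}) for a mapping of control id -> Status."""
    lost = {cid: deduction(cid, status, weights) for cid, status in assessment.items()}
    lost = {cid: pts for cid, pts in lost.items() if pts}
    return STARTING_SCORE - sum(lost.values()), lost


def certification_outlook(score: int) -> str:
    """Classify a score against the thresholds the page gives."""
    if score == STARTING_SCORE:
        return "perfect score"
    if score >= CONDITIONAL_CERT_MINIMUM:
        return "conditional certification possible with documented POAMs"
    return "below conditional threshold"


# Constructed sample assessment: two gaps plus MFA that covers only remote/privileged users.
SAMPLE_ASSESSMENT = {
    "3.1.1": Status.FULLY_IMPLEMENTED,
    "3.1.2": Status.NOT_IMPLEMENTED,        # -5
    "3.1.20": Status.PARTIALLY_IMPLEMENTED, # -1 (no partial credit for this control)
    "3.3.1": Status.FULLY_IMPLEMENTED,
    "3.5.3": Status.PARTIALLY_IMPLEMENTED,  # -3 (MFA not rolled out to general users)
    "3.12.4": Status.FULLY_IMPLEMENTED,
    "3.13.11": Status.FULLY_IMPLEMENTED,
}

if __name__ == "__main__":
    score, gaps = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score} ({certification_outlook(score)})")
    for cid, pts in gaps.items():
        print(f"  {cid}: -{pts}")
```

Running it on the sample assessment gives 101 with deductions for 3.1.2, 3.1.20 and 3.5.3; flipping 3.12.4 to Not Applicable drops the same assessment by a further 110 points, which is the "automatic fail" the table describes.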