FEATURE ADVANCED MATERIALS & PROCESSES | MAY/JUNE 2023 57

NIST 800-171 outlines security standards for non-federal organizations that transmit, process, or store CUI as part of their working relationships with federal agencies. It also outlines five core cybersecurity areas: identify, protect, detect, respond, and recover (Fig. 3). These core areas serve as a framework for developing an information security program that protects CUI and mitigates cyber risks. NIST 800-171 consists of 110 separate security controls corresponding to 14 different control families. Within the 110 security controls, there are 320 control or assessment objectives that must be met to be considered compliant. NIST 800-171 is a contractual requirement to protect and safeguard CUI for the DOD, the General Services Administration (GSA), and/or NASA.

NIST 800-171 SELF-ASSESSMENT

Scores for the NIST 800-171 self-assessment are based on a 110-point scale. Each of the 110 controls is assigned a weighted subtractor value of either 1, 3, or 5 points. Every control implemented earns that number of points. For every control not implemented, those points are subtracted from the 110 points. Scores range from -203 to a maximum of 110. The first self-assessment score will most likely not be a perfect score of 110 points and could very well be a negative number. Submitting a perfect score of 110 on the first basic assessment to the Supplier Performance Risk System (SPRS) could be viewed as a red flag.

Keep in mind the following tips: Make sure scores are not inflated. This is serious business. Be 100% truthful with the score and have the evidence to back it up. In the recent past, companies that self-attested and submitted a perfect score of 110 to the SPRS ended up losing several existing major contracts from a large DOD contractor because they submitted an inflated score. They are also not being considered for future contracts until this is corrected and they provide evidence and accurate documentation of their compliance. Remember, a company can be audited at any time by the DOD or by a customer, who may or may not be a prime contractor for the DOD. Misrepresentation of compliance to the government is a violation of the False Claims Act [5] and may result in penalties including loss of contracts, loss of ability to bid on future contracts, fines, or criminal charges.

CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) program is aligned with the DOD's information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce the protection of sensitive unclassified information that is shared by the department with its contractors and subcontractors. The program provides the department with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information. The CMMC 2.0 program has three key features:

• Tiered model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for requiring the protection of information that is flowed down to subcontractors.

• Assessment requirement: CMMC assessments allow the department to verify the implementation of clear cybersecurity standards.

• Implementation through contracts: After CMMC is fully implemented, certain DOD contractors that handle sensitive unclassified DOD information will be required to achieve a particular CMMC level as a condition of contract award.

CONCLUSION

It is highly recommended to retain the help of a qualified DFARS/NIST 800-171 consultant or a CMMC Registered Practitioner as a guide through this complicated process. NIST 800-171 compliance helps protect against malware, ransomware, and other cyber threats, and helps avoid the extreme costs associated with security risks (such as a successful hack). Compliance mitigates the impact of lost or compromised data, secures sensitive information, helps maintain a trustworthy reputation with customers, and helps to avoid the ensuing legal trouble that comes after a cybersecurity breach. ~HTPro

Fig. 3 — NIST 800-171 outlines five core cybersecurity areas: identify, protect, detect, respond, and recover.
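The self-assessment scoring rules described above (110-point scale, 1/3/5-point weighted subtractors, a claim that should match the evidence), worked through as an added Python example that is not part of the article. The control ids, the 5/3/1 weight pattern and the four unimplemented controls are constructed placeholders, not the real DoD weighting of the 110 controls.

```python
"""Score a NIST SP 800-171 basic self-assessment as the article describes:
start at 110, subtract the weighted value (1, 3 or 5) of each control that
is not implemented, and compare a claimed SPRS score with the evidence.
Control ids and weights below are constructed placeholders, not the real
DoD assessment weighting."""

MAX_SCORE, MIN_SCORE = 110, -203   # score range stated in the article
VALID_WEIGHTS = {1, 3, 5}
CONTROL_COUNT = 110


def compute_score(controls):
    """controls: (control_id, weight, implemented) tuples.
    Returns (score, ids of the controls that cost points)."""
    if len(controls) != CONTROL_COUNT:
        raise ValueError(f"expected {CONTROL_COUNT} controls, got {len(controls)}")
    deducted, missing = 0, []
    for cid, weight, implemented in controls:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{cid}: weight must be 1, 3 or 5, not {weight}")
        if not implemented:            # each unimplemented control costs its weight
            deducted += weight
            missing.append(cid)
    score = MAX_SCORE - deducted
    assert MIN_SCORE <= score <= MAX_SCORE, f"score {score} out of range"
    return score, missing


def check_claimed_score(claimed, controls):
    """Recompute the score from the evidence before anything is submitted.
    Returns (claim_matches_evidence, computed_score, points_overstated)."""
    computed, _ = compute_score(controls)
    return claimed == computed, computed, max(0, claimed - computed)


def constructed_assessment():
    """Constructed data: 110 placeholder controls with a made-up 5/3/1 weight
    pattern; the controls at indexes 0, 1, 4 and 49 are not implemented."""
    not_done = {0, 1, 4, 49}
    return [(f"CTRL-{i + 1:03d}", (5, 3, 1)[i % 3], i not in not_done)
            for i in range(CONTROL_COUNT)]


if __name__ == "__main__":
    ctrls = constructed_assessment()
    print(compute_score(ctrls))             # (96, ['CTRL-001', 'CTRL-002', 'CTRL-005', 'CTRL-050'])
    print(check_claimed_score(110, ctrls))  # (False, 96, 14): an inflated claim
```

Feeding real control statuses in the same (id, weight, implemented) shape, with the official weights, gives the score to record in SPRS together with the evidence behind each implemented control.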