Introduction
When primes ask about NIST 800-171, DFARS 7012, and CMMC, they generally follow the DoD assessment framework (Basic, Medium, and High assessments) but often make their own adjustments to align with their internal processes. In this blog, we'll go through specific examples of how primes such as Northrop Grumman and General Dynamics ask about NIST 800-171, DFARS 7012, and CMMC.
A Northrop Grumman Basic Assessment
Here is an example of a basic assessment or questionnaire from Northrop Grumman. When a subcontractor becomes a vendor or starts working with Northrop Grumman, the subcontractor is sent this questionnaire. Northrop Grumman asks the subcontractor for its SPRS score, and the subcontractor is also required to answer additional questions.
A questionnaire like this, whether on paper or sent electronically through Exostar, serves as notice that the subcontractor has NIST 800-171 or DFARS 7012 requirements in its contract. These questionnaires are only sent to subcontractors whose contracts carry the requirement as a flow-down.
A Medium Assessment from General Dynamics
Here is an example of a medium assessment from General Dynamics. For a medium assessment, General Dynamics reviews the subcontractor's system security plan to verify that the NIST 800-171 controls are implemented. After reviewing the system security plan, General Dynamics rates the subcontractor's ability to handle data securely using a risk-scoring system. Below is an example of the categories that General Dynamics uses for risk scoring.
Red is the highest risk category, indicating that the subcontractor's IT systems are not compliant at all. As a result, General Dynamics cannot send data to the subcontractor digitally. Instead, General Dynamics sends the data as hard copies via FedEx, UPS, or other trusted carriers. Additionally, because the subcontractor's IT systems are considered insecure, General Dynamics does not allow the subcontractor to upload, scan, or store General Dynamics data on those systems.
If a subcontractor is in the red category, it is in a bad position, because General Dynamics is likely looking to replace it in its supply chain. Therefore, if General Dynamics is an important customer, it is crucial for the subcontractor to stay out of the red category.
The yellow or amber category indicates a medium risk level. It means that the subcontractor's IT systems have made some progress, but there is still work to be done. General Dynamics can share Controlled Unclassified Information (CUI) over encrypted digital channels but will monitor progress to ensure the subcontractor implements the remaining controls. If the subcontractor does not address the remaining requirements, it may lose future work.
Lastly, green indicates complete compliance, with a perfect SPRS score of 110 (all 110 NIST 800-171 controls implemented). This has been verified through the medium assessment, confirming that the subcontractor can be trusted to handle sensitive data.
A High Assessment Conducted by a Prime
The most detailed assessment a prime will require is its own version of a high assessment. An example of a high assessment is when a major prime visits a vendor's facility with a team of cybersecurity professionals to evaluate the vendor's cybersecurity program.
More recently, we’ve seen with our customers that cybersecurity teams are joining supplier quality personnel during vendor quality inspections. While the quality team is occupied with quality inspections, the cybersecurity team is digging into the contractor’s IT systems and validating its system security plan to ensure compliance with contract requirements.
To learn how DoD customer organizations ask about NIST 800-171, DFARS 7012, and CMMC, check out our latest blog!
If you're experiencing pressure from a prime to comply with NIST 800-171, Atomus can help! Our end-to-end solution provides a unique combination of technology and human support services that can help simplify your compliance journey. To learn more about Atomus, please schedule a meeting with one of our experts today.