DoD has a requirement to collect information from offerors and contractors regarding the status of their implementation of implement the 110 system security requirements identified in the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 on their information systems that process controlled unclassified information (CUI). This information is being collected through either a contractor’s submission of a Basic self-assessment in DoD’s Supplier Performance Risk System, or a Medium or High assessment of contractors conducted by DoD assessors. Results of a NIST SP 800-171 DoD Assessment reflect the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor.
The latest form for Assessing Contractor Implementation of Cybersecurity Requirements expires 2021-04-30 and can be found here.
Supporting Statement A
Federal Enterprise Architecture: Defense and National Security - Operational Defense