Overview & Purpose
A self-assessment against NIST SP 800-171 Rev 2 is the foundational exercise of CMMC Level 2 compliance. It produces three outputs that every DIB contractor needs: a scored assessment result, a calculated SPRS score for submission to the DoD, and a documented POA&M capturing gaps and remediation plans.
Conducting a thorough self-assessment before engaging a C3PAO serves two purposes. First, it gives you an accurate picture of where you stand — which controls are fully implemented, which are partial, and which are missing entirely. Second, it lets you remediate knowable gaps before an assessor finds them, which directly affects your certification outcome.
Scope of this guide: This guide covers the NIST SP 800-171 Rev 2 self-assessment applicable to CMMC Level 2. The DoD Assessment Methodology described here aligns with the NIST SP 800-171 DoD Assessment Methodology v1.2.1, which governs how scores are calculated and submitted to SPRS.
Self-assessment does not replace C3PAO certification for contractors handling prioritized CUI. If your contracts involve C3PAO-required programs, this process is a preparation step — not the final assessment. For contractors eligible for annual self-attestation, this is the official assessment process.
The DoD Assessment Methodology (DAM) is the authoritative scoring guide for NIST SP 800-171 assessments submitted to SPRS. It defines three confidence levels — Basic, Medium, and High — and specifies how each requirement must be evaluated and scored. The methodology assigns a point value to each of the 110 requirements (either 1, 3, or 5 points, totaling 110 points) and specifies how partial implementation affects scoring.
Download it directly from the DoD CIO: NIST SP 800-171 DoD Assessment Methodology v1.2.1 (PDF). Read this document before beginning your assessment.
Step 1 — Scoping Your Assessment
Before you can assess a single control, you must define exactly what you are assessing. Scoping is the most consequential step in the self-assessment process. An overly broad scope wastes effort; an overly narrow scope creates false confidence and risk of false attestation.
Define Your CUI Boundary
The assessment scope is your CUI enclave — the set of systems, applications, people, and processes that store, process, or transmit Controlled Unclassified Information. Start by answering these questions:
Scoping questions to answer in writing
- Which contracts require CMMC Level 2? List the contract numbers and associated DFARS clauses.
- What types of CUI do you receive or generate under those contracts? (Reference the NARA CUI Registry.)
- Where does that CUI live? List every system, server, workstation, cloud service, and mobile device that touches it.
- How does CUI enter and leave your environment? Map every ingress and egress point.
- Who handles CUI? List every role (not just individual) that accesses, processes, or transmits it.
- What external service providers (CSPs, MSPs, IT vendors) have access to or process your CUI?
Document the Scope in Your SSP
Your answers form the basis of Section 1 of your System Security Plan. The boundary you define in the SSP is what a C3PAO will assess against. If a system is in scope, every applicable control applies to it. If a system is legitimately out of scope, document why — with specificity.
Common scoping mistakes to avoid:
- Excluding shared infrastructure that touches CUI. If your domain controller authenticates users who access CUI, it is in scope.
- Assuming cloud services are automatically compliant. Your CSP must be FedRAMP Authorized at the Moderate baseline or equivalent, and CUI must be stored only in authorized services.
- Treating email as out of scope. If CUI is ever sent or received by email, your email platform is in scope.
- Forgetting mobile devices. If employees access CUI from a phone or tablet, those devices are in scope.
Practical tip: Produce a network diagram that visually shows the CUI boundary — including all systems, data flows, and external connections. This diagram will be the first artifact a C3PAO examines. If your SSP describes a boundary that does not match reality, that discrepancy is itself a finding.
Step 2 — Evidence Gathering Methodology
Each of the 110 NIST SP 800-171 requirements must be supported by evidence. Evidence is the documentation, configuration exports, screenshots, logs, and records that demonstrate a control is implemented and operating effectively — not just planned or described in a policy.
Three Types of Evidence
Examine — Document and artifact review
Policies, procedures, SSP sections, configuration baselines, audit logs, training records, access review records, contracts with external providers, incident reports. These are collected and reviewed for completeness and accuracy.
Interview — Personnel interviews
Conversations with system administrators, security personnel, end users, and management. The DoD Assessment Methodology specifies that assessors must interview personnel to confirm that documented policies and procedures are understood and actually followed. Prepare key personnel to speak to their roles.
Test — Technical verification
Live demonstrations of technical controls — logging into a system to verify MFA is enforced, reviewing firewall rule configurations, running a sample vulnerability scan, demonstrating that a backup restoration process works. Testing is the highest-confidence evidence type.
Building Your Evidence Repository
Organize evidence by control family and requirement number before you begin scoring. A practical folder structure:
Recommended evidence repository structure
- AC/ — Access Control (3.1.x) — access control policy, MFA screenshots, account review records
- AT/ — Awareness & Training (3.2.x) — training completion records, training materials
- AU/ — Audit & Accountability (3.3.x) — log samples, SIEM configuration exports, review records
- CM/ — Configuration Management (3.4.x) — baselines, change records, software inventory
- IA/ — Identification & Authentication (3.5.x) — password policy, MFA configuration, account provisioning records
- IR/ — Incident Response (3.6.x) — IR plan, drill records, any incident reports
- MA/ — Maintenance (3.7.x) — maintenance logs, remote maintenance policy and controls
- MP/ — Media Protection (3.8.x) — media handling policy, sanitization records, encryption evidence
- PS/ — Personnel Security (3.9.x) — screening records, access termination evidence, confidentiality agreements
- PE/ — Physical Protection (3.10.x) — physical access logs, visitor logs, facility controls evidence
- RA/ — Risk Assessment (3.11.x) — vulnerability scan results, risk assessment report
- CA/ — Security Assessment (3.12.x) — internal assessment records, monitoring plan
- SC/ — System & Comm. Protection (3.13.x) — network diagrams, firewall configs, encryption documentation
- SI/ — System & Info. Integrity (3.14.x) — patch reports, AV/EDR console exports, integrity check records
Collect evidence before you score. Attempting to score a requirement without evidence in hand leads to optimistic, unverifiable scores — which is the most common cause of SPRS score inaccuracies that later cause problems at a C3PAO assessment.
Step 3 — Scoring Each Requirement
Each of the 110 requirements is evaluated using three possible verdicts. The DoD Assessment Methodology v1.2.1 defines these precisely:
| Verdict | Definition | SPRS Impact |
|---|---|---|
| MET | The requirement is fully implemented across the entire in-scope environment. All applicable examine, interview, and test evidence supports implementation. No exceptions. | No deduction — full point value retained. |
| NOT MET | The requirement is not implemented, partially implemented, or implemented inconsistently across the scope. Even a single system in scope that does not meet the requirement results in NOT MET. | Full point value deducted from score. |
| NOT APPLICABLE | The requirement genuinely does not apply to your environment. Must be documented with a specific, defensible technical justification in the SSP. Claimed NA without justification is treated as NOT MET by C3PAO assessors. | No deduction — requirement excluded from scoring. |
The "All or Nothing" Rule
A critical characteristic of the DoD Assessment Methodology: requirements are generally either fully MET or NOT MET. If your password policy requires 12-character passwords but three workstations are still enforcing 8-character minimums, the requirement is NOT MET for the entire scope — even if 97% of systems are compliant. The Methodology does define a small number of partial-implementation scenarios for specific controls (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11), where partial implementation reduces — but does not eliminate — the point deduction. Outside those named exceptions, treat scoring as binary.
This has a practical implication: before scoring a requirement as MET, verify compliance across every system in scope — not just a representative sample. If you cannot verify every system, document the gap and score it NOT MET.
How to Evaluate Each Requirement
Evaluation workflow for each requirement
- Read the requirement text in NIST SP 800-171 Rev 2. Read the corresponding discussion section — it explains the intent.
- Identify which systems are affected. Not every requirement applies to every system equally. Determine the relevant population within your scope.
- Gather your evidence. Retrieve the relevant documents, configurations, and records from your evidence repository.
- Evaluate against the requirement. Does the evidence demonstrate full implementation? Is there anything missing?
- Record your verdict and rationale. Document MET/NOT MET/NA and the specific evidence relied upon. If NOT MET, note the specific gap.
- Note open items for the POA&M. Every NOT MET finding feeds a POA&M entry.
Common scoring errors to avoid: Scoring MET based on a written policy that has not been verified as implemented. Scoring NA without a documented technical justification. Scoring MET because a control is implemented on most systems but not all. Treating "we plan to implement this" as MET.
Step 4 — SPRS Score Calculation
The Supplier Performance Risk System (SPRS) score is a single integer between −203 and +110 that represents your organization's assessed compliance posture. It is calculated from your requirement verdicts using the DoD's point value system: you start from the maximum of 110 and deduct the point value of every requirement scored NOT MET, while requirements scored NA are excluded and cause no deduction.
The exact point value for each of the 110 requirements is published in the DoD Assessment Methodology v1.2.1. Before calculating your score, confirm you have the current point values from that document — they are authoritative. Note that the per-control point assignments are defined by the Methodology, not by NIST SP 800-171 itself.
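As an added example, not code from this guide or from the DoD Methodology, the Python below scores a set of verdicts the way Steps 3 and 4 describe: it starts at 110, deducts the full point value of every NOT MET requirement, excludes NA, accepts a PARTIAL verdict only for the two named exceptions (3.5.3 and 3.13.11), and includes the all-or-nothing roll-up across in-scope systems from the "All or Nothing" rule above. The entries in `POINT_VALUES` are an illustrative placeholder subset, not the published table, and the 3-point partial deduction is my reading of v1.2.1, to be confirmed against the PDF before use.

```python
"""SPRS score calculator for a NIST SP 800-171 Rev 2 self-assessment (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_SCORE = 110    # every requirement MET
MIN_SCORE = -203   # every requirement NOT MET (range stated in the Methodology)

# Illustrative placeholder subset of point values. The authoritative table is in
# the DoD Assessment Methodology v1.2.1; replace this dict with all 110 entries
# from that document before scoring a real assessment.
POINT_VALUES: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.7": 1, "3.6.1": 5,
    "3.8.7": 1, "3.12.1": 5, "3.13.11": 5, "3.14.1": 5,
}

# The only requirements with a defined partial-implementation deduction.
# 3 points is my reading of v1.2.1 (assumption): confirm against the PDF.
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_VERDICTS = {"MET", "NOT MET", "NA", "PARTIAL"}


@dataclass
class ScoreResult:
    score: int
    deductions: dict[str, int] = field(default_factory=dict)  # requirement -> points lost
    not_applicable: list[str] = field(default_factory=list)


def rollup(system_results: dict[str, str]) -> str:
    """All-or-nothing roll-up for one requirement across the in-scope population.

    system_results maps a system name to 'MET', 'NOT MET' or 'UNVERIFIED'.
    One non-MET system, including one you could not verify, makes the whole
    requirement NOT MET; there is no credit for 97% coverage.
    """
    if not system_results:
        raise ValueError("empty population: justify NA in the SSP rather than scoring MET")
    return "MET" if all(v == "MET" for v in system_results.values()) else "NOT MET"


def score_assessment(verdicts: dict[str, str],
                     point_values: dict[str, int] = POINT_VALUES) -> ScoreResult:
    """Return 110 minus the deductions implied by the verdicts.

    Every requirement in the point table needs a verdict; unknown requirement
    IDs, unknown verdicts, and PARTIAL outside the named exceptions are rejected
    rather than silently scored, so a typo cannot inflate the result.
    """
    missing = sorted(set(point_values) - set(verdicts))
    if missing:
        raise ValueError(f"no verdict recorded for {missing}")
    unknown = sorted(set(verdicts) - set(point_values))
    if unknown:
        raise ValueError(f"verdicts for requirements not in the point table: {unknown}")

    result = ScoreResult(score=MAX_SCORE)
    for req, verdict in verdicts.items():
        if verdict not in VALID_VERDICTS:
            raise ValueError(f"{req}: unknown verdict {verdict!r}")
        if verdict == "MET":
            continue
        if verdict == "NA":
            result.not_applicable.append(req)  # excluded from scoring, no deduction
            continue
        if verdict == "PARTIAL":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(
                    f"{req}: PARTIAL is only defined for {sorted(PARTIAL_DEDUCTION)}; "
                    "score it NOT MET")
            lost = PARTIAL_DEDUCTION[req]
        else:
            lost = point_values[req]  # NOT MET: full point value deducted
        result.deductions[req] = lost
        result.score -= lost

    if not MIN_SCORE <= result.score <= MAX_SCORE:
        raise RuntimeError(f"score {result.score} outside the defined range")
    return result


if __name__ == "__main__":
    # Constructed sample verdicts, not data from any real assessment.
    sample = {req: "MET" for req in POINT_VALUES}
    sample["3.1.20"] = "NOT MET"
    sample["3.5.3"] = "PARTIAL"    # MFA on privileged and remote access only
    sample["3.8.7"] = "NA"         # justification must be written into the SSP
    sample["3.13.11"] = "NOT MET"
    # Per-system evidence rolled up before the verdict is recorded:
    sample["3.1.1"] = rollup({"dc01": "MET", "fs01": "MET", "ws-eng-07": "MET"})
    r = score_assessment(sample)
    print(r.score, r.deductions)   # 101 {'3.1.20': 1, '3.5.3': 3, '3.13.11': 5}
```

Because the function refuses to score a table with a missing verdict, you cannot accidentally submit a number that omits requirements you never assessed; the same strictness around PARTIAL keeps the all-or-nothing rule from being bypassed for controls where the Methodology grants no partial credit.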
Submitting Your Score to SPRS
Once calculated, your score must be submitted to the DoD's Supplier Performance Risk System at sprs.csd.disa.mil. The submission requires:
- Your calculated NIST SP 800-171 score
- The date of the assessment
- The CAGE code(s) covered by the assessment
- The name and title of the senior official affirming the score
- The plan completion date (if a POA&M exists — i.e., if score is below 110)
Legal obligation: The senior official who submits the SPRS score is affirming under penalty of false claims liability that the score accurately reflects the organization's current compliance posture. Score inflation — submitting a score higher than your actual assessment result — is a federal False Claims Act violation. Score conservatively and accurately.
Step 5 — Documenting Findings in a POA&M
Every requirement scored NOT MET must have a corresponding entry in your Plan of Action & Milestones (POA&M). The POA&M is not optional — it is a required artifact, and C3PAO assessors will review it.
What a POA&M Entry Must Include
| Field | What to document |
|---|---|
| Requirement ID | The NIST SP 800-171 control number (e.g., 3.5.3) and the full requirement text for reference. |
| Gap description | A specific description of what is not implemented or is implemented inconsistently. Avoid vague language. "MFA not enforced on 4 legacy servers in the manufacturing VLAN" is specific; "MFA gap" is not. |
| Current state | What is currently in place (if anything) — partial implementation, compensating controls, or nothing. Document honestly. |
| Remediation plan | The specific steps that will close the gap — tool procurement, configuration changes, policy updates, personnel actions. Include vendor names and product choices if known. |
| Responsible owner | The name and title of the individual accountable for completing the remediation. Not a team — a specific person. |
| Milestone dates | Intermediate milestone dates for multi-phase remediations, plus a target completion date. Dates must be realistic — assessors will check whether you are tracking to plan. |
| Resources required | Budget, personnel, or external resources needed. This helps demonstrate that the remediation plan is operationally committed, not aspirational. |
| Point value at risk | The SPRS point value for this requirement. Useful for prioritizing which gaps to close first (5-point gaps have higher impact on score than 1-point gaps). |
Prioritizing Your POA&M
Not all gaps are equally urgent. Prioritize your POA&M remediation in this order:
Priority 1 — High-point-value, high-risk gaps (5-point requirements)
Requirements worth 5 points in the SPRS calculation and representing high-risk controls: MFA for privileged accounts, encryption of CUI at rest and in transit, multi-hop authentication, remote access controls. These gaps carry the largest SPRS score impact and represent the highest security risk.
Priority 2 — C3PAO deal-breakers (regardless of point value)
Some gaps — even low-point-value ones — may prevent C3PAO certification. Examples: no incident response plan, no SSP, no audit logging whatsoever. These fundamental gaps signal organizational immaturity to an assessor and may result in a failed assessment even if the numeric score would otherwise pass.
Priority 3 — 3-point requirements with achievable remediation
Identify 3-point gaps that can be closed quickly (configuration changes, policy approvals, enabling a feature that is already licensed). These offer the best return on pre-assessment effort.
Priority 4 — 1-point procedural and documentation gaps
Policy updates, procedure documentation, and training record gaps are typically lower-effort to close and can be addressed in parallel with technical remediation work.
POA&M management cadence: Review and update your POA&M at least monthly. As gaps close, update the status. Stale POA&M entries with no progress — especially those with overdue milestone dates — are a finding in themselves and signal to assessors that your compliance program is not operationally active.
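As an added example, not from the guide, the Python below applies the four-tier ordering above to a POA&M and flags stale entries the way the management-cadence note describes. The mapping of "deal-breaker" gaps to requirement IDs (3.12.4 for the SSP, 3.6.1 for incident handling, 3.3.1 for audit logging) is my assumption for illustration, and the sample entries, their point values and dates are constructed. A 3-point gap that is not a quick win falls into the last tier but still sorts ahead of 1-point gaps.

```python
"""POA&M prioritization and staleness check (added example, not from the guide)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Gaps the guide calls C3PAO deal-breakers, mapped to requirement IDs. The
# mapping is my assumption for illustration; adjust it to your own judgement.
DEAL_BREAKERS = {
    "3.12.4": "no System Security Plan",
    "3.6.1": "no incident response plan",
    "3.3.1": "no audit logging",
}


@dataclass(frozen=True)
class PoamEntry:
    requirement_id: str
    gap: str                 # specific wording, never "MFA gap"
    owner: str               # a named individual, not a team
    target_date: date
    points_at_risk: int      # SPRS point value of the requirement
    quick_win: bool = False  # config change, policy approval, or already-licensed feature
    status: str = "OPEN"     # OPEN, IN PROGRESS or CLOSED


def tier(entry: PoamEntry) -> int:
    """Map an entry to the guide's four priority tiers (1 = remediate first)."""
    if entry.points_at_risk == 5:
        return 1
    if entry.requirement_id in DEAL_BREAKERS:
        return 2
    if entry.points_at_risk == 3 and entry.quick_win:
        return 3
    return 4


def prioritize(entries: list[PoamEntry]) -> list[PoamEntry]:
    """Open entries ordered by tier, then points at risk, then nearest target date."""
    open_entries = [e for e in entries if e.status != "CLOSED"]
    return sorted(open_entries, key=lambda e: (tier(e), -e.points_at_risk, e.target_date))


def overdue(entries: list[PoamEntry], today: date) -> list[PoamEntry]:
    """Entries still open past their target date: a finding in themselves."""
    return [e for e in entries if e.status != "CLOSED" and e.target_date < today]


# Constructed sample POA&M; owners, point values and dates are illustrative only.
SAMPLE_POAM = [
    PoamEntry("3.2.2", "Role-based training records missing for 3 admins",
              "A. Lee, HR Director", date(2025, 10, 31), 1),
    PoamEntry("3.4.1", "No documented baseline for engineering workstations",
              "B. Kim, IT Lead", date(2025, 9, 15), 3, quick_win=True),
    PoamEntry("3.12.4", "SSP covers only the cloud tenant, not the on-prem file server",
              "C. Ruiz, CISO", date(2025, 7, 15), 3),
    PoamEntry("3.5.3", "MFA not enforced on 4 legacy servers in the manufacturing VLAN",
              "B. Kim, IT Lead", date(2025, 9, 30), 5),
    PoamEntry("3.13.8", "CUI transfers to supplier portal not encrypted in transit",
              "B. Kim, IT Lead", date(2025, 6, 30), 5, status="CLOSED"),
]

if __name__ == "__main__":
    today = date(2025, 8, 1)
    for e in prioritize(SAMPLE_POAM):
        print(tier(e), e.requirement_id, e.points_at_risk, e.owner, e.target_date)
    print("overdue:", [e.requirement_id for e in overdue(SAMPLE_POAM, today)])  # ['3.12.4']
```

Run it during the monthly POA&M review: the prioritized list is the work order, and a non-empty overdue list is the early warning that an assessor would otherwise raise for you.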
Next Steps After Your Self-Assessment
A completed self-assessment gives you three things: an accurate score, a prioritized remediation roadmap, and a compliant SPRS submission. Here is how to use them:
- Submit your SPRS score immediately if you have not already, or update your existing submission to reflect the new assessment. Failure to have a current score in SPRS is a barrier to contract award.
- Begin remediation against your POA&M in priority order. Track progress monthly. Update your SPRS submission when significant milestones are reached and the score materially improves.
- Repeat the self-assessment annually — or more frequently as your environment changes. New systems, new personnel, and new contracts can change your scope and your compliance posture.
- Engage a C3PAO when your score reflects operational reality and your POA&M gaps are documented and funded. Do not schedule a C3PAO assessment until you have worked through your highest-priority gaps. Assessors are not there to help you identify gaps — they are there to verify that your attestations are accurate.
Related resources: Review the C3PAO assessment process section of the CMMC Guide to understand what to expect during the formal assessment.