How long should a Basic Assessment take under the DoD Assessment Methodology?
It depends on the size of the company. But one thing is for sure: it will take much longer than the 30 minutes described in the interim rule.
DoD estimates that the burden to calculate the Basic Assessment score is thirty minutes per entity at a journeyman-level-2 rate of pay (0.50 hour * $99.08/hour = $49.54/assessment). -DFARS Case 2019-D041, IV.D.1
What is the DoD Assessment Methodology?
Just as a quick primer, the DoD Assessment Methodology provides a standard method to determine how well a contractor meets NIST SP 800–171 by giving each control a point value. A contractor gets 1 point for each successfully implemented security requirement but must subtract either 1, 3, or 5 points for each unmet requirement. So yes, a negative score is possible.
Yes? or No?
The DoD’s assumption of 30 minutes tells me that they haven’t read their own guidance. NIST SP 800–171 and the DoD Assessment Methodology clearly state that NIST SP 800–171A should be used to conduct the assessment.
The 171A document includes a list of assessment objectives for each security requirement (a total of 320 unique objectives). Some security requirements have one objective; some may have up to 15.
Simply running down the list of 110 requirements and saying yes or no to its implementation without consulting 171A is a fool’s errand.
If you cannot affirm every assessment objective for a single requirement, you can’t mark it as implemented.
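To make the scoring and the all-objectives rule concrete, here is an added Python example (not from the original post or from DoD). It scores a constructed handful of requirements two ways: once from the quick requirement-level yes/no answers, and once from the 800-171A objectives, where a requirement counts only if every objective is affirmed. The weights, objective outcomes and the assumption that unlisted requirements are implemented are all constructed placeholders; the real point values and objectives come from the DoD Assessment Methodology and NIST SP 800-171A.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

MAX_SCORE = 110  # one point available for each of the 110 NIST SP 800-171 requirements


@dataclass
class Requirement:
    rid: str                     # requirement id, e.g. "3.1.1"
    weight: int                  # 1, 3 or 5 points subtracted if the requirement is unmet
    self_reported: bool          # the quick "yes/no" answer given without opening 800-171A
    objectives: Dict[str, bool]  # 800-171A objective id -> affirmed with evidence?


def is_implemented(req: Requirement) -> bool:
    """A requirement counts as implemented only if every 800-171A objective is affirmed."""
    return all(req.objectives.values())


def self_reported(req: Requirement) -> bool:
    """The shortcut: trust the requirement-level yes/no answer as given."""
    return req.self_reported


def dod_score(reqs: Iterable[Requirement], met: Callable[[Requirement], bool]) -> int:
    """Start from 110 and subtract the weight of every requirement `met` rejects.
    Requirements absent from `reqs` are treated as implemented (a constructed
    shortcut so the sample need not list all 110)."""
    return MAX_SCORE - sum(r.weight for r in reqs if not met(r))


def objectives_needing_evidence(reqs: Iterable[Requirement]) -> int:
    """How many 800-171A objectives an assessor must see evidence for."""
    return sum(len(r.objectives) for r in reqs)


# Constructed sample. The ids are real 800-171 requirement numbers, but the weights
# and objective outcomes are placeholders, not the methodology's actual values.
SAMPLE = [
    Requirement("3.1.1", 5, True, {"a": True, "b": True, "c": True, "d": True}),
    Requirement("3.1.2", 5, True, {"a": True, "b": False}),  # one failed objective sinks it
    Requirement("3.3.1", 5, True, {"a": True, "b": True, "c": False}),
    Requirement("3.5.7", 1, False, {"a": False, "b": False}),
    Requirement("3.13.15", 3, True, {"a": True}),
]

if __name__ == "__main__":
    print("self-reported score   :", dod_score(SAMPLE, self_reported))     # 109
    print("objective-based score :", dod_score(SAMPLE, is_implemented))    # 99
    print("objectives to evidence:", objectives_needing_evidence(SAMPLE))  # 12
```

The two scores differ by ten points on just five requirements, because a single unaffirmed objective turns a "yes" into a full weight deduction; with enough unmet 5-point requirements the total goes below zero.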
Information and Evidence
NIST SP 800–171A clearly states that the assessment process is an information-gathering and evidence-producing activity.
The assessment process is an information-gathering and evidence-producing activity to determine the effectiveness of the safeguards intended to meet the set of security requirements specified in NIST Special Publication 800–171. -NIST SP 800–171A, 1.1
A Basic DoD Assessment should address all 320 assessment objectives in 171A and produce evidence that demonstrates their implementation to an assessor.
Taking a Shortcut
Even if you ignore the assessment criteria and do no evidence-gathering, assessing the 110 controls at a high level would still require considerable time and resources. Taking this kind of shortcut may not be defensible in an official Government assessment, and it certainly does not follow the DoD Assessment Methodology’s intent. NIST SP 800–171 spans 14 categories and a wide range of information. How likely is it that one person in your company knows it all? It’s more probable that a Basic DoD Assessment will take multiple individuals on many fact-finding missions to complete.