A plain-English assessment across all 14 NIST SP 800-171 control domains. Score your current posture, identify your highest-risk gaps, and understand your estimated SPRS score range before you spend a dollar.
How to use this checklist: For each control, select the response that best describes your current state. The live score at the bottom gives you an estimated SPRS range. Controls with deduction values of 3 or 5 points are your highest priorities.
This tool is for planning and self-evaluation purposes. The official SPRS score submitted to DoD must reflect your actual implementation. Verdiex Professional calculates your score from your full questionnaire responses and generates the complete System Security Plan that documents your implementation.
Only authorized users, processes, and devices can access your information systems and CUI.
Users are restricted to only the functions and data they need to do their jobs (least privilege).
You have policies that prevent CUI from flowing to unauthorized individuals or systems.
No single person has all the access and authority needed to commit fraud or cause major damage undetected.
Users have the minimum access required to perform their duties, and this is enforced systematically.
Administrators use separate accounts for administrative tasks and for routine work.
Ordinary users cannot install software, change security settings, or perform other admin actions.
Systems lock out accounts after a defined number of failed login attempts.
Users are notified about system use policies and monitoring before accessing systems that handle CUI.
Computers automatically lock after a defined idle period and require re-authentication.
Sessions end automatically after inactivity or when users complete tasks.
Remote connections are logged and controlled, not open by default.
Remote access uses encryption (VPN, TLS, etc.) to protect data in transit.
Remote access is channeled through specific, controlled entry points rather than ad hoc connections.
Admin commands run remotely are authorized and limited to documented operational requirements.
Wireless access requires explicit authorization; unauthorized wireless devices are blocked.
Wi-Fi networks use strong authentication and encryption (WPA2 or better).
Mobile device use is controlled, with policies for personal devices accessing company systems.
Laptops, phones, and tablets with CUI are encrypted.
Connections to external networks, cloud services, and systems outside your environment are reviewed and controlled.
You control whether USB drives and portable storage can be used on systems not owned or controlled by you.
CUI does not appear on your public website, social media, or publicly accessible systems.
Employees receive security awareness training covering the risks associated with their activities and CUI handling.
People in security roles receive training specific to those responsibilities.
Training specifically covers recognizing phishing, social engineering, and other indicators of insider threat.
Your systems generate logs of security-relevant events, and you retain those logs for review and analysis.
Logs are detailed enough to identify which specific user performed each recorded action.
You periodically review what events are being logged and update the list as needed.
You are notified when audit logging stops working so you know about gaps in your audit trail.
Audit logs from different systems are reviewed together to identify patterns and anomalies.
You have tools or processes to summarize and report on audit data without losing original detail.
System clocks are synchronized so that timestamps across logs are consistent and reliable.
Only authorized personnel can access, modify, or delete audit logs. Logs cannot be altered by regular users.
Only a small group of trusted administrators can manage the audit logging system itself.
You regularly review your security controls to determine if they are effective and correctly implemented.
When you find gaps, you document them in a Plan of Action and Milestones (POA&M) and track remediation.
Security control effectiveness is monitored continuously, not just during periodic reviews.
You maintain a written System Security Plan describing your systems and how controls are implemented, and you keep it current.
You document the standard, approved configuration for your systems and can verify systems match it.
Security hardening settings (strong passwords, disabled unnecessary services, etc.) are applied and enforced.
Changes to your systems go through an approval process and are logged.
Before making changes, you assess how they might affect your security posture.
Changes to system configurations require documented authorization before they happen.
Systems are configured to provide only what is needed for their purpose. Unnecessary services, ports, and applications are disabled.
You actively restrict or disable programs and features not needed for business operations.
Only approved software is allowed to run (whitelist approach rather than blacklist).
Users cannot install unapproved software, or at minimum you monitor what gets installed.
Every user, service, and device that accesses your systems has a unique identifier.
Every access attempt requires authentication, not just a username.
Administrator accounts require more than just a password to log in.
Authentication is designed so that captured login credentials cannot be replayed to gain access.
User IDs are managed through a defined lifecycle: created, maintained, and deactivated when no longer needed.
Passwords and other authentication credentials follow defined policies for strength, rotation, and revocation.
Password policies require a minimum length and complexity, and passwords must be changed periodically.
Users cannot cycle back to previously used passwords.
Temporary passwords (for new accounts or resets) require the user to set a new password immediately.
Passwords are stored as hashes, not in plaintext, and are never transmitted unencrypted.
Passwords are hidden during entry (shown as dots or asterisks) to prevent observation.
You have a documented plan for responding to security incidents, including roles, communications, and escalation.
Security incidents are logged, tracked to resolution, and reported to appropriate stakeholders including DoD as required.
You periodically test your incident response plan through drills or tabletop exercises.
System maintenance is performed on a schedule and documented.
Only approved personnel using approved tools perform maintenance on systems that handle CUI.
When equipment leaves your facility for repair, CUI is removed or the device is sanitized first.
USB drives or other media used for maintenance are scanned for malware before use.
Remote maintenance access (e.g., vendor support) requires multifactor authentication.
Maintenance personnel who do not have security clearance or authorization are supervised while working on your systems.
Physical and digital media holding CUI are protected from unauthorized access.
Only authorized personnel can access media containing CUI.
Old hard drives, USB drives, and printed documents with CUI are properly destroyed before disposal.
Physical and digital media containing CUI are labeled according to CUI marking requirements.
Access to CUI media is tracked and controlled.
CUI transferred on portable media is encrypted.
Use of USB drives and other removable storage is controlled and tracked.
Unidentified or anonymous USB drives cannot be connected to systems handling CUI.
Backups of systems containing CUI are protected with the same level of care as the originals.
Only authorized personnel can physically access areas or equipment that process or store CUI.
Your facility has physical security controls (locks, access badges, cameras, etc.) protecting your systems.
Visitors are escorted in secure areas and their access is monitored.
Physical entry to CUI areas is logged (badge readers, visitor logs, etc.).
Keys, badges, and other physical access tokens are managed and revoked when no longer needed.
Employees working from home or other locations follow the same CUI protection rules as in the office.
Background checks or other screening are conducted for personnel who will have access to CUI.
When employees leave, access is revoked promptly and equipment, credentials, and data are returned or secured.
You conduct formal risk assessments at defined intervals to identify threats to your systems and CUI.
Vulnerability scans are run regularly to identify known security weaknesses in your systems.
Identified vulnerabilities are patched or mitigated based on their risk level within defined timeframes.
Traffic entering and leaving your network is monitored and controlled at firewalls or equivalent boundaries.
Security is built into your systems design rather than bolted on after the fact.
Administrative interfaces are separate from regular user interfaces.
Your systems prevent sensitive information from leaking to unauthorized locations or individuals.
Systems that face the public internet are in a separate network segment (DMZ) from internal CUI systems.
Firewall rules default to deny; only explicitly allowed traffic passes through.
Split tunneling is disabled, so remote workers connected to your network route all of their traffic through it.
CUI is encrypted whenever it travels over networks, including internal networks.
Network sessions time out after defined periods of inactivity.
Encryption keys are generated, stored, and rotated according to a documented process.
Cryptographic modules used to protect CUI have been validated under the FIPS 140-2 standard.
Webcams, microphones, and other collaborative devices cannot be activated remotely without user notification.
Mobile code (JavaScript, ActiveX, etc.) used on your systems is reviewed and controlled.
Voice over IP systems are monitored and controlled, especially when used to discuss CUI.
Communications sessions are protected against hijacking and spoofing attacks.
CUI stored on servers, laptops, and storage systems is encrypted at rest.
You have a process to identify software bugs and security flaws and patch them in a timely manner.
Antivirus and malware protection software is deployed on systems that could be exposed to malicious code.
You receive and review security alerts about new vulnerabilities affecting your technology.
Antivirus definitions and other malware protection tools are updated regularly, automatically where possible.
Scheduled malware scans run regularly, and files are scanned on download or execution.
You monitor your systems for signs of intrusion or attack, not just malware.
You can detect when someone is using your systems in ways that fall outside authorized patterns.
Verdiex Professional generates your full System Security Plan and calculates your official SPRS score from your complete questionnaire responses.