NIST 800-171 vs. CMMC Compliance
Are you up-to-date with the changes around NIST 800-171 requirements? With CMMC compliance, how do you know which certification is right for your organization?
What is NIST 800-171?
NIST Special Publication 800-171 provides federal agencies with recommended requirements for protecting the confidentiality of controlled unclassified information (CUI):
- when the CUI is resident in nonfederal information systems and organizations;
- when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
NIST SP 800-171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. A nonfederal information system is a system that does not meet the criteria for a federal system. A federal system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency
NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171
Who Does NIST 800-171 Apply To?
NIST 800-171 is typically valid for federal government contractors and sub-contractors. Many external vendors today work with the federal government to help carry out a wide range of business functions. Because of all the sensitive information transferred from the government to these vendors, the government is cracking down on the compliance and security regulations for these vendors – and any companies that work with those vendors or service providers.
What is CMMC Compliance?
Cybersecurity Maturity Model Certification, or CMMC, is a unified cybersecurity standard for future Department of Defense (DoD) acquisitions. CMMC model framework organizes processes and cybersecurity best practices into a set of domains including:
- Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
− An organization will continue to perform the activity – including under times of stress – and
− The outcomes will be consistent, repeatable, and of high quality. - Practices are activities performed at each level for the domain
Read More in the CMMC Model Briefing PDF
Beginning in the fall of 2020, CMMC compliance will be a prerequisite for all new contracts including prime and subcontractor for the Department of Defense. Any contractor storing or transmitting controlled unclassified information (CUI) will need to achieve Level 3 compliance.
The Department of Defense has defined 5 levels of CMMC compliance, each with a set of supporting practices and processes. To meet a specific level, each contractor must meet the practices and processes within that level and below. The Department of Defense has released the following descriptions of each level of CMMC:
Level 1: Basic Cybersecurity
Level 2: Inclusive of universally accepted cybersecurity best practices
Level 3: Coverage of all NIST 800-171 rev 1 controls
Level 4: Advanced and sophisticated cybersecurity practices
Level 5: Highly advanced cybersecurity practices
CMMC vs. NIST 800-171?
Unlike NIST SP 800-171, which required DoD contractors to self-certify to either be compliant or to be taking concrete steps towards compliance, CMMC makes provisions for third-party assessment organizations (C3PAOs) to analyze the company and assign a maturity level based on the state of its cybersecurity program. 1 is the lowest rating and 5 is the highest rating.
According to the Infosec Institute, it’s important to understand how CMMC grew out of NIST 800-171 to get a better understanding of which compliance level will work for you.
On January 30, 2020, the DoD released CMMC, which was intended to replace NIST 800-171 compliance across the DIB and remedy the issue of non-compliance of some vendors. In past years, primary contractors or subcontractors have struggled to implement specific security measures and assess and report their progress while having already been awarded a defense contract and entrusted with the handling of sensitive data.
The CMMC is the DoD’s means to combat the incredible number of cyber threats directed at the DIB and respond to significant compromises of sensitive defense information located on contractors’ information systems. This unified standard for DoD acquisitions will expand cybersecurity requirements to contractors and their supply chains to reduce the impact of advanced persistent threat (APT) attacks.
However, with the coming mandate of CMMC, many companies may be struggling to address the various requirements within the model. Many things have changed between the current standard NIST SP 800-171r1 and CMMC which will require a great deal of work for current contractors. Connect with Cybriant to learn more about our CMMC Guidance.
3 Facts About NIST 800-171
Since these services provided by outside vendors and contracts are essential to the federal government, we have provided a list of 3 requirements necessary for any government-related contractors and the importance of understanding the specifications of NIST 800-171.
Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.
#1 Your Federal Funding Is at Risk If You Are Not Compliant!
Originally, this was the rule for any Department of Defense contractor that stored or transmitted Controlled Unclassified Information (CUI). Known as DFARS Compliance, this regulation went into effect at the end of 2017.
Today, this is being extended to any vendor, service provider, or contractor that is contracted by any entity that works with the federal government.
Here’s the original DFARS wording:
All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017, or risk losing their DoD contracts.
DFARS Safeguarding rules and clauses, for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rule and clauses and be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm.
#2 NIST 800-171 is for ALL Government Contractors – not just those with a DoD contract
If you work with a large government contractor, you may have heard some buzz that all contractors must comply with the NIST framework, specifically NIST 800-171. And not only the contractors but any vendors or service providers that are outsourced by those contractors must also comply as well.
If your organization falls in this category, it’s important to understand what is involved in the specifications of NIST 800-171.
Start with a security assessment to help understand your current state of security. Be sure to work with a company like Cybriant that understands the NIST framework, especially the specifications around NIST 800-171 regulations, and can bring you to a state of compliance, so you aren’t at risk of losing business.
Your organization may need to upgrade security policy and procedures as well as ensure your network, email, endpoints, etc. are secure according to the specifications of NIST 800-171.
#3 An Outside Organization Is Your Best Resource
There are more than 100 security requirements in NIST 800-171. While it may seem an easy task to undertake, think about the consequences of not getting it right. Your team needs to understand the language that will be used by federal auditors like controlled information, controlled technical information, controlled unclassified information, etc.
An outside organization will not only help translate any government lingo that your team may not be used to, but they will also help put in real-world terms the tasks that are required to be completed.
Work with an organization like Cybriant to take a high-level look at your organization through a security assessment, and then use our services, technology, and experts to give you granular detail on the steps to become compliant.
If your organization wants to continue receiving grants from the federal government or continue to win government contracts, then it’s important to become compliant with the NIST framework early and understand the specifications of NIST 800-171.
