NIST 800-171 vs. CMMC Compliance

Are you up-to-date with the changes around NIST 800-171 requirements? With CMMC compliance, how do you know which certification is right for your organization? 


What is NIST 800-171?

NIST Special Publication 800-171 provides federal agencies with recommended requirements for protecting the confidentiality of controlled unclassified information (CUI):

  1. when the CUI is resident in nonfederal information systems and organizations;
  2. when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

NIST SP 800-171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. A nonfederal information system is a system that does not meet the criteria for a federal system. A federal system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Source: NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171

Who Does NIST 800-171 Apply To?

NIST 800-171 typically applies to federal government contractors and subcontractors. Many external vendors today work with the federal government to help carry out a wide range of business functions. Because of all the sensitive information transferred from the government to these vendors, the government is tightening compliance and security regulations for these vendors – and for any companies that work with those vendors or service providers.

What is CMMC Compliance?

Cybersecurity Maturity Model Certification, or CMMC, is a unified cybersecurity standard for future Department of Defense (DoD) acquisitions. The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. The model distinguishes two elements:

  • Process maturity, or process institutionalization, characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
    − An organization will continue to perform the activity – including under times of stress – and
    − The outcomes will be consistent, repeatable, and of high quality.
  • Practices are the activities performed at each level for the domain.

Read More in the CMMC Model Briefing PDF

Beginning in the fall of 2020, CMMC compliance will be a prerequisite for all new Department of Defense contracts, for prime contractors and subcontractors alike. Any contractor storing or transmitting controlled unclassified information (CUI) will need to achieve Level 3 compliance.

The Department of Defense has defined 5 levels of CMMC compliance, each with a set of supporting practices and processes. To meet a specific level, each contractor must meet the practices and processes within that level and below. The Department of Defense has released the following descriptions of each level of CMMC:

Level 1: Basic Cybersecurity
Level 2: Inclusive of universally accepted cybersecurity best practices
Level 3: Coverage of all NIST 800-171 rev 1 controls
Level 4: Advanced and sophisticated cybersecurity practices
Level 5: Highly advanced cybersecurity practices

CMMC vs. NIST 800-171?

Unlike NIST SP 800-171, which required DoD contractors to self-certify either that they were compliant or that they were taking concrete steps towards compliance, CMMC makes provisions for third-party assessment organizations (C3PAOs) to analyze the company and assign a maturity level based on the state of its cybersecurity program. Level 1 is the lowest rating and Level 5 is the highest.

According to the Infosec Institute, it’s important to understand how CMMC grew out of NIST 800-171 to get a better understanding of which compliance level will work for you.

On January 30, 2020, the DoD released CMMC, which was intended to replace NIST 800-171 compliance across the Defense Industrial Base (DIB) and remedy non-compliance by some vendors. In past years, prime contractors and subcontractors have struggled to implement specific security measures and to assess and report their progress while having already been awarded a defense contract and entrusted with the handling of sensitive data.

The CMMC is the DoD’s means to combat the incredible number of cyber threats directed at the DIB and respond to significant compromises of sensitive defense information located on contractors’ information systems. This unified standard for DoD acquisitions will expand cybersecurity requirements to contractors and their supply chains to reduce the impact of advanced persistent threat (APT) attacks.

However, with the coming mandate of CMMC, many companies may be struggling to address the various requirements within the model. Much has changed between the current standard, NIST SP 800-171 r1, and CMMC, and the transition will require a great deal of work for current contractors. Connect with Cybriant to learn more about our CMMC Guidance.

3 Facts About NIST 800-171

Because the services that outside vendors and contractors provide are essential to the federal government, we have compiled three facts that every government-related contractor should know, along with why understanding the specifications of NIST 800-171 matters.

Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.


#1 Your Federal Funding Is at Risk If You Are Not Compliant!

Originally, this was the rule for any Department of Defense contractor that stored or transmitted Controlled Unclassified Information (CUI). Known as DFARS Compliance, this regulation went into effect at the end of 2017.

Today, this is being extended to any vendor, service provider, or contractor that is contracted by any entity that works with the federal government.

Here’s the original DFARS wording:

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017, or risk losing their DoD contracts.

The DFARS safeguarding rules and clauses provide for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rule and clauses can be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm.


#2 NIST 800-171 is for ALL Government Contractors – not just those with a DoD contract

If you work with a large government contractor, you may have heard some buzz that all contractors must comply with the NIST framework, specifically NIST 800-171. Not only the contractors themselves but also any vendors or service providers to which those contractors outsource work must comply.

If your organization falls in this category, it’s important to understand what is involved in the specifications of NIST 800-171.

Start with a security assessment to help understand your current state of security. Be sure to work with a company like Cybriant that understands the NIST framework, especially the specifications around NIST 800-171 regulations, and can bring you to a state of compliance, so you aren’t at risk of losing business.

Your organization may need to upgrade its security policies and procedures, as well as ensure that your network, email, endpoints, etc. are secured according to the specifications of NIST 800-171.

#3 An Outside Organization Is Your Best Resource

There are more than 100 security requirements in NIST 800-171. While it may seem an easy task to undertake, think about the consequences of not getting it right. Your team needs to understand the language that federal auditors will use, with terms like controlled information, controlled technical information, controlled unclassified information, etc.

An outside organization will not only help translate any government lingo that your team may not be used to, but they will also help put in real-world terms the tasks that are required to be completed.

Work with an organization like Cybriant to take a high-level look at your organization through a security assessment, and then use our services, technology, and experts to give you granular detail on the steps to become compliant.

If your organization wants to continue receiving grants from the federal government or continue to win government contracts, then it’s important to become compliant with the NIST framework early and understand the specifications of NIST 800-171.

5 Building Blocks for a Solid Cybersecurity Foundation

The cybersecurity sector is constantly growing and is already part of the strategy of many organizations. This article explains how to build a solid cybersecurity foundation.

What is the current state of cybersecurity?

Technology has evolved and innovated making our lives easier and our jobs more productive. Today, technology is controlling critical aspects of our society such as financial markets, electricity networks, air routes, hospitals, etc.

In addition, we increasingly rely on smart devices (telephones, cars, televisions, and refrigerators). This overwhelming pace of innovation and technology adoption, in a time of digital transformation and correspondingly more complex systems, requires broad awareness of security, fraud, and privacy risks that are growing even faster.

Senior management must be aware of these risks, which must be continuously measured and monitored as part of the organization’s strategy, establishing a culture of cybersecurity.

Here we will look at the five main building blocks of a solid cybersecurity foundation.

#1. SIEM (Security Information and Event Management):

Many abnormal behaviors, tendencies, and patterns are not obvious in ordinary operations. Surfacing them is the job of a SIEM (Security Information and Event Management) system.

A SIEM system centralizes the storage and interpretation of logs, offering near-real-time analysis to the security team, which can therefore act much faster.

The SIEM also collects data in a central database to track trends and establish baseline patterns of behavior, against which uncommon patterns can be detected.

The system also provides central reporting. The acronym itself is the union of SIM (Security Information Management) and SEM (Security Event Management): SIEM unites in a single system the strengths of both of its origins.

What SIEM delivers is not only better management of the security team’s working time and easier execution of their tasks, but also shorter response times, which is fundamental for a company facing an urgent threat.

Learn more about Managed SIEM here.

#2. EDR (Endpoint Detection and Response):

The traditional protection systems we all know as antivirus have until now controlled fairly well the viruses that have historically infected millions of computers. These viruses are executable files that aim to infect as many computers as possible so that they can be controlled and used for illicit purposes.

Unfortunately, cybercriminals have found other ways to gain control of computers, mobile devices, and web servers, as they are adept at recycling their methods.

EDR (Endpoint Detection & Response) technology promises to be the missing piece that completes the shield against computer crime that we need.

EDR builds a specific baseline for each client: the client’s executables are analyzed and their behavior is monitored to ensure it does not change, so if one of them deviates from the pattern, an alert is raised.

EDR detects new threats and, by working on specific behavior, avoids the need to block every piece of malware individually. EDR platforms monitor all executable programs with far more thorough control.

Learn more about Managed EDR here.

#3. Patch Management:

Patch management is another part of a cybersecurity foundation. Large companies that want to reduce the vulnerability of their systems mostly do so by applying security patches. As cybercriminals intensify their attacks, it is essential to keep pace in defending against them.

A security patch is a cybersecurity fix for an organization’s software; although no application is perfect, patches are highly effective, even years after a program has been launched.

Which patches apply depends not on the business sector but on the type of vulnerability present within the organization.

Types of patches, by what they modify:

  • Patches to binary files: an update to the executable file of a program.
  • Patches to the source code: a text file that details the modifications to be made in the source code of the program in question.

Benefits of Patch Management:

  • Designed to work in on-premise and cloud environments.
  • Highly scalable.
  • Easy to install.
  • Fully automated and highly customizable.

Learn more about Managed Patch Management.

#4. Vulnerability Management:

Vulnerability Management is also one of the essential blocks for a solid Cybersecurity Foundation.

Vulnerability management is a continuous IT process consisting of the identification, evaluation, and correction of vulnerabilities in the information systems and applications of an organization.

Faced with sophisticated IT environments and a growing list of possible problems in database and network security, budget-constrained IT departments find it impossible to deal with all known vulnerabilities at once.

Because of the high volume of patches released and the difficulty of quantifying the value of security fixes to business managers, mitigating weaknesses in critical networks and applications is a constant challenge.

Without a vulnerability management process that helps to prioritize correction tasks, companies can neglect to take the necessary measures to prevent harmful network attacks. In addition, vulnerability management not only helps the company to proactively solve urgent security problems but also contributes to compliance with industry standards.

Learn more about Real-Time Vulnerability Management.

#5. Experienced Team:

An experienced team is recognized for the high level of experience, specialization, professional quality, and demonstrated, accredited training behind its cybersecurity solutions.

Our experienced team uses cutting-edge technology to deliver services such as secure web browsing and protection of clients’ access to services and applications hosted in the cloud.

We prevent the accidental download of malware that can cause information leaks or interrupt the activity of the company or organization. More than half of recorded cybersecurity incidents are related to this type of attack, which causes heavy economic damage and loss of reputation for the institution or company.

In addition to offering secure browsing services and protection of cloud services, we provide a comprehensive security service, run from our network, that manages all of a company’s environments to reduce the exposure of its resources to attack and the risk of suffering a security incident.

If your organization lacks the resources required to build a solid cybersecurity foundation, do not hesitate to contact us. We are highly experienced and will help you put the right solutions in the right place and manage them suitably.
