CMMC vs. NIST 800-171: What US Government Contractors Need to Know

The NIST 800-171 deadline was December 31, 2017, and the CMMC deadline is coming up in 2020. If you’re a government contractor, you’re probably familiar with NIST 800-171. But what about CMMC? It’s in the process of being created but will be the new standard for future Department of Defense (DoD) contracts. Both NIST 800-171 and CMMC pertain to information security processes and standards. 

In this article you will learn:

  • What is CUI (back to the basics, but it’s important!)
  • What is NIST 800-171 and how to comply
  • What is CMMC and how to comply
  • What is the CMMC Accreditation Body
  • Differences between NIST 800-171 and CMMC
  • Sample compliance checklist for small firms

Because CMMC is not currently finalized, this article will be updated as more information becomes available. 

What is Controlled Unclassified Information (CUI)?

According to the National Archives and Records Administration (NARA), Controlled Unclassified Information (CUI) is:

…information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

What does that actually mean? CUI is information created or owned by the US government that needs to be protected because a law, regulation or government-wide policy says so. The single designation CUI replaces older markings such as “For Official Use Only” and “Sensitive But Unclassified”. 

The CUI Registry contains information about the categories and subcategories of CUI. In addition, it specifically states what is considered CUI and how to properly mark the information.

What is NIST 800-171?

NIST 800-171 was developed by the National Institute of Standards and Technology (NIST) to provide standards for protecting CUI. NIST 800-171 contains 109 specific things that you, as a government contractor, must do to help protect the United States against cybersecurity attacks. The deadline for compliance with NIST 800-171 was December 31, 2017. 

Hackers want to learn what you sell to the government (and in what amounts) to gain intelligence about US government activity and military plans. By implementing NIST 800-171, the DoD was trying to make it harder for cyber attackers.

NIST 800-171 Control Families and Requirements

NIST 800-171 contains a long list of security requirements. This can be quite overwhelming for small firms since there are 109 specific task items within these 14 control families:

NIST 800-171 CONTROL FAMILIES

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Compliance with NIST 800-171

If you’re a government contractor and need access to CUI, you must follow the security procedures outlined in NIST 800-171 and verify compliance. In addition, your customers will soon start auditing your compliance with NIST 800-171 (if they haven’t already). When they do, they’re not going to accept a simple “yes” or “no” answer.

You need to prove that your computers are protected against hackers, that your staff knows how to handle confidential government data and that your team knows how to spot a cyber attack AND how to handle it responsibly. Most importantly, you need to protect your revenue by proving that you were open and transparent when you said “yes, we comply with NIST 800-171.” 

At the end of this article we have a link to the current version of NIST 800-171 if you want to see what’s involved with compliance. You need to prove compliance, but you are able to do this through self-certification. 

Even though the deadline has technically passed, it is critical to start the process of complying with NIST. Adelia Risk can assess your business and identify gaps with NIST 800-171. We help you demonstrate compliance at the lowest possible cost. Schedule a Strategy Session to get started.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is in the process of being created. It contains 17 capability domains and 5 levels of cybersecurity maturity. CMMC will serve as a verification method to ensure compliance with certain cybersecurity practices to protect CUI.

The Department of Defense (DoD) is planning to shift to the CMMC framework to create a unified cybersecurity standard for DoD contracts. According to The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), “security is foundational to acquisition and should not be traded along with cost, schedule and performance moving forward”. 

Basically, too many contractors didn’t comply with NIST 800-171 before (or after) the deadline, so the CMMC is a reaction to that. As a result, contractors will need a valid CMMC certification (of a certain level) to bid or win a DoD contract. Allowing firms to self-certify their compliance with NIST 800-171 is not working, so they’re moving towards a third-party audit process with CMMC. 

CMMC Capability Domains and CMMC Maturity Levels

There are 17 capability domains within CMMC, many of which you’ll recognize from the NIST 800-171 control families. Domains designated with * are not included with NIST 800-171.

CMMC CAPABILITY DOMAINS

  • Access Control
  • Asset Management*
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery*
  • Risk Management
  • Security Assessment
  • Situational Awareness*
  • System and Communications Protection
  • System and Information Integrity

There are 5 maturity levels. Higher CMMC levels mean stricter requirements and more advanced cybersecurity protections. 

MATURITY LEVELS

LEVEL     PROCESSES    PRACTICES     FOCUS
Level 1   Performed    Basic         Safeguard Federal Contract Information (FCI)
Level 2   Documented   Intermediate  Transition step in cybersecurity maturity
Level 3   Managed      Good          Protect CUI
Level 4   Reviewed     Proactive     Protect CUI and reduce risk of threats
Level 5   Optimizing   Advanced      Protect CUI and reduce risk of threats

*Note for MSPs: Only a very small percentage of government contractors will be over Level 3. You shouldn’t need any full-time staff to be added (like a full-time security person) for Levels 1-3. It will still be a lot of work if your clients don’t have anything in place, but you don’t need to go crazy on monitoring and staffing. If your client isn’t very large, then you probably don’t need to worry about Level 4 or 5.

CMMC Accreditation Body  

So how do you receive your CMMC Level? Your organization will need to be certified. There won’t be an option for self-certification.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is a non-profit, independent organization overseeing CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. 

As of May 2020, the CMMC-AB’s website indicates that the CMMC is still being finalized, so there are currently no complete standards to follow (yet) and no training for assessors (yet). This means there is currently no way to receive your CMMC Level. 

But the model will be finalized in 2020 and audits will begin after that. So you should start preparing.

How can you prepare for a CMMC audit? 

Even without a complete standard to follow, your organization can get started on a self-assessment by utilizing the most current CMMC Model (March 18, 2020 v1.02). Assessing your organization against NIST 800-171 would also be wise. 

Near the end of this article you’ll find a sample compliance checklist and direct links to NIST 800-171. We cannot stress enough that if you are a government contractor and want to continue working as a government contractor you need to be prepared for a CMMC audit. The best way to prepare for the CMMC audit is to comply with NIST 800-171 ASAP. Then, once CMMC is fully finalized you won’t have an overwhelming amount of work to do. 

The CMMC-AB’s website also indicates: “We do not speak for the DoD, but they have previously indicated that they intend to introduce CMMC requirements into solicitations on a gradual basis starting in September 2020”. Use that as your deadline!

NIST 800-171 vs. CMMC: how are they different?

As we’ve explained, there are similarities between NIST 800-171 and CMMC. Both regulations pertain to cybersecurity standards and protecting CUI. Here are some major differences:

  1. Organizations can self-assess their compliance with NIST 800-171. CMMC requires third-party assessments.
  2. CMMC includes three new domains: Asset Management, Recovery and Situational Awareness.
  3. CMMC has five different levels of maturity. 

Complying with NIST 800-171 is very close to achieving CMMC Level 3. This means there are two “lower” levels of CMMC, which essentially scale down the cybersecurity requirements for smaller organizations. It also means there are two “higher” levels of CMMC, which include additional practices and standards. 

If I comply with NIST 800-171 am I compliant with CMMC?

Right now the answer is “we don’t know”. The CMMC standard is still being created. Based on the screenshot below, it makes sense to start with NIST 800-171 compliance ASAP so you are well prepared for a CMMC audit. 

CMMC screenshot

NIST/CMMC: Sample Checklist for Compliance

Small firms, this section is for you! You may be wondering about the overall cost for compliance. For the clients we work with (even small ones), it’s usually at least in the tens of thousands of dollars between the audit, the documentation, and all of the technology fixes required. It’s definitely worth asking “are you sure you want to keep doing business with the DoD” before you go too far down the path.

In terms of getting your arms around cost, here’s what we typically see small companies need to do to get there (this isn’t a complete list, just some of the big things):

  • Finally get their arms around Active Directory permissions and their messy file shares
  • 2FA all the things, even at computer login and on any email access
  • Segregate out all of those old WinXP/Win7 computers so they can’t touch the Internet or, if possible, the network
  • Get everything up to Win10
  • Start doing vulnerability scanning and get patching under control (third party too)
  • Implement higher-security logging across all machines, and selectively collect logs into a SIEM
  • Roll out some kind of MDR
  • Roll out some kind of MDM
  • Enforce encryption on all devices
  • Set up visitor tracking software
  • Badge all the doors and restrict access
  • Make sure firewalls are up to snuff
  • A big set of written policies
  • Lots of upfront and ongoing training, plus regular phishing tests
  • Stop people from using Dropbox and Google Drive and install a properly secured file sharing mechanism
  • Move everyone off of Admin accounts to Standard on their local machine
  • Replace Wi-Fi routers with FIPS 140-validated devices
  • Set up a way to assess the compliance of their downstream vendors
  • Lots of physical security and process changes to make sure that paper can’t be stolen, criminal background checks on hiring, etc.

And the list goes on. That’s not meant to be exhaustive, and during your gap assessment you might find good reasons why some of these aren’t necessary.

Helpful CMMC Links

Securing the DoD Supply Chain: Experts discuss CMMC’s impact on suppliers: video featuring DoD CISO Katie Arrington 

CMMC Model: Overview briefing, current Model and Appendices

CMMC Accreditation Body Website

CMMC Audit Preparation – Community Resources

NIST 800-171 v2 – use for self-assessment before a CMMC audit

National Checklist Program Repository – NIST 800-171 security checklists

Conclusion

The deadline for NIST 800-171 has long since passed. Whether you self-certified your organization or put it off, you can’t do that for much longer. CMMC encompasses NIST 800-171 and there won’t be an option for self-certification. If you have contracts with the DoD, you will be audited under the CMMC-AB’s assessment process. So it’s best to prepare sooner rather than later if you want to continue with government contracts. 

Use NIST 800-171 and the current model of the CMMC to start preparing for your CMMC audit. 

Want help with your cybersecurity?

Adelia Risk can assess your business and identify gaps with NIST 800-171. We help you demonstrate compliance at the lowest possible cost. Schedule a Strategy Session to get started

Talk to us!

Have questions or feedback?  Please share them in the comments below.
