NIST 800–171 vs. CMMC Compliance

Are you up to date with the changes around NIST 800–171 requirements? With CMMC compliance now on the horizon, how do you know which certification is right for your organization?

What is NIST 800–171?

The NIST SP 800–171 requirements apply to nonfederal information systems and organizations:

  1. when the CUI is resident in nonfederal information systems and organizations;
  2. when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

NIST SP 800–171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. A nonfederal information system is a system that does not meet the criteria for a federal system. A federal system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

Source: NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800–171

Who Does NIST 800–171 Apply To?

What is CMMC Compliance?

  • Process maturity or process institutionalization characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
    − an organization will continue to perform the activity — including under times of stress — and
    − the outcomes will be consistent, repeatable, and of high quality.
  • Practices are the activities performed at each level for each domain.

Read More in the CMMC Model Briefing PDF

Beginning in the fall of 2020, CMMC compliance will be a prerequisite for all new Department of Defense contracts, for prime contractors and subcontractors alike. Any contractor storing or transmitting controlled unclassified information (CUI) will need to achieve Level 3 compliance.

The Department of Defense has defined 5 levels of CMMC compliance, each with a set of supporting practices and processes. The levels are cumulative: to meet a specific level, a contractor must meet the practices and processes of that level and of every level below it. The Department of Defense has released the following descriptions of each level of CMMC:

Level 1: Basic Cybersecurity
Level 2: Inclusive of universally accepted cybersecurity best practices
Level 3: Coverage of all NIST 800–171 rev 1 controls
Level 4: Advanced and sophisticated cybersecurity practices
Level 5: Highly advanced cybersecurity practices
CMMC vs. NIST 800–171?

According to the Infosec Institute, it is important to understand how CMMC grew out of NIST 800–171 in order to judge which compliance level will work for you.

On January 30, 2020, the DoD released CMMC, which was intended to replace NIST 800–171 compliance across the Defense Industrial Base (DIB) and remedy the non-compliance of some vendors. In past years, primary contractors and subcontractors have struggled to implement specific security measures and to assess and report their progress, even after having already been awarded a defense contract and entrusted with the handling of sensitive data.

The CMMC is the DoD’s means of combating the large number of cyberthreats directed at the DIB and of responding to significant compromises of sensitive defense information held on contractors’ information systems. This unified standard for DoD acquisitions will extend cybersecurity requirements to contractors and their supply chains, with the goal of reducing the impact of advanced persistent threat (APT) attacks.

However, with the coming CMMC mandate, many companies may struggle to address the various requirements within the model. A great deal has changed between the current standard, NIST SP 800–171r1, and CMMC, and closing that gap will require significant work from current contractors. Connect with Cybriant to learn more about our CMMC Guidance.

Read the full article at https://cybriant.com/nist-800-171/

Our cyber risk management services make enterprise-grade cybersecurity services accessible to the Mid-Market and beyond.