NIST 800-171 vs CMMC 2.0: DoD supply chain requirements
By Matt Malarkey | Date published: 02 December 2021
Within a short period, NIST updated Special Publication 800-171, the Cybersecurity Maturity Model Certification (CMMC) framework was published, and the DoD introduced new compliance reporting requirements. Organizations therefore need to take urgent action to achieve, and to evidence, compliance with the cybersecurity requirements their contracts impose on them, in order to remain eligible to work on DoD contracts.
While NIST 800-171 and CMMC are two different sets of cybersecurity controls, the new CMMC 2.0 framework is heavily influenced by the NIST Special Publication’s requirements.
What is NIST 800-171?
Part of the US Department of Commerce, the National Institute of Standards and Technology (NIST) is a US government agency that, among other things, develops cybersecurity standards, guidelines and best practices. It develops them to enhance and ensure the ongoing cybersecurity of public and private sector IT networks, thereby protecting US national security interests. Accordingly, NIST has produced a series of publications that set out controls and requirements that federal agencies and commercial entities either must, or are advised to, apply.
First published in December 2015, NIST Special Publication 800-171 was introduced to standardize and protect sensitive, but unclassified, government data that resides in private sector IT networks, and thus outside of the federal government’s purview. It is specifically designed to safeguard Controlled Unclassified Information (CUI), and an obligation to comply with the publication’s requirements is stipulated in the contract between a contractor and the government.
Any organization that processes or stores CUI on behalf of the US government is therefore required to comply with NIST 800-171. These organizations typically include DoD and NASA contractors, labs and research institutions in receipt of federal funding, and service providers to the US government. Updated most recently in February 2020, the NIST 800-171 publication contains 110 requirements, each of which mitigates a class of cybersecurity vulnerabilities or strengthens an element of the network.
The application of each requirement ensures an organization’s systems, network, and employees are properly prepared to safely handle CUI. Compliance with NIST 800-171 by contractors who handle sensitive information helps strengthen the federal supply chain and protect government data. It also ensures a unified baseline standard of cybersecurity for all contractors, and their respective subcontractors, who have access to CUI.
While compliance has not been historically audited and enforced, as of late 2020, the DoD now requires its supply chain to upload NIST 800-171 compliance scores into the Supplier Performance Risk System (SPRS). This is a stopgap measure to track defense contractors’ compliance with NIST 800-171 until the new CMMC program is fully rolled out, which is expected to be complete by 2025.
The new Titania Nipper NIST-800-171 module can reduce time, resource, and workload pressure by automating your compliance assessments and providing a report with information on any issues found and any applicable evidence.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a program established by the US Department of Defense to assure the cybersecurity of the defense industrial base (DIB), through establishing a clear requirements framework for contractors. The DIB supply chain includes more than 300,000 companies, all of which are responsible for protecting sensitive, but unclassified, government data under the CMMC.
Following a review by the Biden Administration, the CMMC pilot program was recently suspended and the revised CMMC 2.0 model announced. CMMC 2.0 will first go through a rulemaking process, before the DoD begins implementing it in contracts where federal contract information (FCI) or CUI is involved in the fulfillment of the contract.
The CMMC 2.0 framework is composed of three levels of cybersecurity maturity, with each level building on the prior levels. It consists of various practices and processes and draws heavily on NIST 800-171.
The three levels in the CMMC 2.0 model are as follows:
- Level 1 – Foundational (17 security practices)
- Level 2 – Advanced (110 security practices, which reflect the 110 requirements in NIST 800-171)
- Level 3 – Expert (currently under development, but expected to incorporate NIST 800-172)
The earlier version of CMMC required both prime contractors and their subcontractors to be certified as fully compliant at the appropriate CMMC level – as defined in RFPs – before award and commencement of the work.
However, CMMC 2.0 announced the acceptance of Plan of Action and Milestones (PoAM) reports, meaning that contractors who do not yet fully comply could be allowed to start work on a contract while committing, in detail, to how they will meet any unfulfilled requirements in the future. This latest version also allows waivers of CMMC requirements under certain limited circumstances.
As DoD contractors rely on subcontractors from around the world, many international organizations may now find themselves subject to CMMC compliance rules.
What is the main difference between NIST standards and CMMC?
Until recently, NIST 800-171 compliance was required but not officially audited by the government or any third-party body, leaving US government contractors responsible for implementing and ensuring compliance with the requirements. While compliance is now monitored for DoD contractors, assessments are still their responsibility, and scores must be uploaded into the SPRS. For US government contractors subject to NIST 800-171 outside of the DoD, there is no requirement to submit any type of compliance reporting.
The CMMC compliance process differs from this. No third-party audit is required for level 1, and whether or not an external or self-assessment is required at level 2 will be determined based on the nature of the contract and the information handled. Although the practices for level 3 have not been fully defined yet, they will be based on NIST 800-172 and will require triennial government-led assessments.
For organizations working towards CMMC compliance, or preparing for their official assessment for level 2 or level 3, tools are available to measure and evidence compliance with the security practices of the CMMC framework. The Titania Nipper CMMC module is the first CMMC auditing tool that produces assessor-ready reports.
These reports also help prioritize the remediation of issues based on ease of fix and impact and likelihood of exploitation. Lastly, Nipper enables teams to rapidly address misconfigurations and issues raised as areas of non-compliance through the provision of the exact technical fixes required to secure the device and ensure ongoing compliance.
Nipper is a valuable tool for those with NIST 800-171 and CMMC compliance requirements. Request a free trial to see how the software can benefit your organization.
Achieve compliance with up to 89% of CMMC core network security practices across 9 domains, with Nipper.