Let’s Talk About NIST 800-171 & CMMC

 

NIST 800-171 Rev. 2 & CMMC 2.0 are cybersecurity frameworks aimed at improving and standardizing security practices in businesses, especially those handling sensitive government data and contracts. The Department of Defense (DoD) will soon mandate full compliance for contractors and subcontractors, extending to downstream vendors and suppliers within the DoD supply chain.

 

• NIST 800-171 Rev. 2 is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting” and is required in Defense Federal Acquisition Regulation Suppliment (DFARS) Clause 252.204-7012 for contractors and subcontractors to implement NIST 800-171 if Controlled Unclassified Information (CUI) is handled by your company in any way. DFARS Clause 252.204-7019, gives Notice of NIST SP 800-171 Assessment Requirements, which was released along with DFARS clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 is titled: "Notice of NIST SP 800-171 DoD Assessment Requirements" and requires contractors to notify the Department of Defense (DoD) if they have not implemented all of the security requirements specified in NIST Special Publication 800-171, which outlines standards for protecting sensitive information.

 

• CMMC 2.0 is largely based on the NIST 800-171 standards:

  • CMMC 2.0 (Cybersecurity Maturity Model Certification):

    • CMMC 2.0 is a framework developed by the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of defense contractors and subcontractors.

    • It consists of 3 tiered levels, each with increasingly stringent cybersecurity requirements. They are Level 1) Fundamental, Level 2) Advanced, and Level 3) Expert.

    • CMMC 2.0 specifies controls and practices necessary to protect CUI and other sensitive information, ensuring that defense contractors meet the cybersecurity standards required for handling DoD contracts.

  • NIST SP 800-171:

    • NIST Special Publication 800-171 provides a set of security requirements designed to protect CUI in non-federal systems and organizations.

    • It outlines 14 families of security requirements covering various aspects of information security, including access control, encryption, incident response, and physical security.

    • NIST 800-171 serves as the foundation for CMMC 2.0, with CMMC 2.0 incorporating additional requirements and maturity levels beyond those outlined in NIST 800-171.

 

• CMMC certification is mandated by DFARS 252.204-7021 and is titled: "Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Program" and requires contractors to achieve and maintain a specific level of cybersecurity maturity certification as specified by the CMMC 2.0 program to be eligible for award of DoD contracts. 

 

• CMMC & NIST 800-171 both focus on safeguarding and protecting CUI.

 

• If your business processes, stores, or transmits CUI in any way, you will need to comply with both CMMC 2.0 and NIST 800-171 Rev. 2. Here are several reasons: 

  • Legal and Regulatory Requirements: Both CMMC and NIST 800-171 are mandated by the U.S. Department of Defense (DoD) for contractors and subcontractors who handle CUI. Compliance with these frameworks is not only a contractual requirement but also a legal obligation for organizations seeking to engage in business with the DoD.

  • Comprehensive Security Measures: CUI includes sensitive information that, while not classified, requires protection due to its confidentiality, integrity, or availability requirements. CMMC 2.0 and NIST 800-171 provide comprehensive sets of security controls and practices specifically tailored to safeguarding CUI against unauthorized access, disclosure, and modification.

  • Risk Management: Compliance with CMMC 2.0 and NIST 800-171 helps mitigate cybersecurity risks associated with handling CUI. By implementing the included security controls and best practices, organizations can better protect their sensitive data from cyber threats, therefore reducing the likelihood of security breaches, data loss, or unauthorized access.

  • Contractual Obligations: Many contracts issued by the DoD and other government agencies in the near future will require contractors to demonstrate compliance with cybersecurity standards such as CMMC 2.0 and NIST 800-171 as a condition of contract award and continued eligibility. Failure to comply with these requirements can result in contract penalties, termination, or disqualification from future contract opportunities.

  • Customer Expectations: Beyond regulatory mandates, compliance with CMMC 2.0 and NIST 800-171 demonstrates a commitment to cybersecurity best practices and instills confidence in customers, partners, and stakeholders. Adhering to recognized cybersecurity frameworks enhances your organization's reputation and credibility in the marketplace.

.

• Some of the benefits of compliance include:

  • Better cybersecurity posture

  • Competitive advantage

  • Risk mitigation

  • Enhanced business opportunities

  • Increased customer confidence

• Failure to comply can result in::

  • Legal liabilities

  • Damage to your company’s reputation

  • Missed business opportunities

  • Financial losses

  • Cybersecurity incidents, data breaches

 

• The deadline for NIST 800-171 was December 31, 2017.

 

• Inflating your Supplier Performance Risk System (SPRS) score could make you susceptible to the False Claims Act. 

 

• CMMC requirements are expected to start appearing on contracts as soon as Q1 2025 but that is still to be determined. 

​

Conclusion

Following a long wait, the CMMC 2.0 proposed rule outlines the operation of the three-tiered certification program, but a final rule may take months, possibly a year, due to expected comments' complexity and volume. The comment period closed on February 26, 2024, welcoming input from contractors seeking clarification or influencing the final rule's issuance.

​