Cybersecurity Maturity Model Certification & NIST Compliance

As of December 31, 2017, companies that provide parts and services for suppliers serving the government were required to be compliant with the NIST 800-171 mandate. Starting in 2020, a new certification will be required: Cybersecurity Maturity Model Certification.

NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" (CUI), defined as information created by the government, or an entity on behalf of the government, that is unclassified but needs safeguarding.


The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost-effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized and used by IT security, compliance, and risk management professionals in all industries as a "standard" for best practices.


Cybersecurity Maturity Model Certification Explained

To help more companies achieve compliance with NIST 800-171, a new certification has been created: Cybersecurity Maturity Model Certification (CMMC). Version 1.0 was released in January 2020.

The Department of Defense is planning to migrate to the new Cybersecurity Maturity Model Certification framework to enhance the cybersecurity posture of companies participating in government supply chains.

The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment. The CMMC is intended to verify compliance in order to protect CUI.


How to Comply with NIST 800-171

December 31, 2017 – That Was Then

Previously, there were two ways to achieve compliance with the NIST 800-171 mandate.

  • Hire a third-party organization to perform a NIST 800-171 assessment and make recommendations
  • Perform your own self-assessment and self-attestation

You would then develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents included a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

To help companies perform their own assessments, NIST provided several free, online resources. However, many companies struggled to perform their own assessments and create the documents highlighting what changes needed to be made to achieve NIST compliance and how to make those changes.

2020 – This is Now

The CMMC framework will require all companies seeking NIST 800-171 compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment.

One aspect that is unique to CMMC compared to NIST 800-171 is that CMMC will implement multiple maturity levels that range from 1 to 5.

  • Levels 1 and 2 will only cover parts of NIST 800-171.
  • Level 3 will cover NIST 800-171 plus a few other security controls.
  • Levels 4 and 5 will expand even further to include additional security controls.

Can We Do It Ourselves?

No. Once the CMMC framework goes into effect, there is no longer an option for self-attestation. Work you may have done towards an SSP and POA&M will still be helpful.


Who Needs to Comply with NIST 800-171?

All DoD contractors will need to obtain CMMC.

When Does This Become Effective?

Version 1.0 of the CMMC framework was published and made available to the public in January 2020 with expectations for the CMMC requirement to be included in some DoD contracts starting in late 2020.


Corserva will be following developments of the CMMC closely, and will continue to keep visitors to our website informed about NIST 800-171 compliance.


What Does This Mean If We Already Achieved NIST 800-171 Compliance?

The goals behind the NIST 800-171 mandate have not changed — to protect CUI within government supply chains. Only the method for providing evidence of compliance has changed.

NIST 800-171 compliance will require a CMMC certification from an independent third-party organization. There is no longer an option for self-attestation.



If you had previously achieved NIST 800-171 compliance, either through a security assessment by a third party or through your own self-attestation, that work was not in vain. The documents created in the past to achieve compliance will still be of value.

  • Gap analysis (reports)
  • Plan of Action with Milestones (POA&M)
  • System Security Plan (SSP)


About Corserva

Corserva offers a large portfolio of IT and consulting services. Our team has a very strong focus on IT security assessments, including assessments for NIST 800-171 and NIST 800-53.

To learn what you need to do to become compliant with NIST 800-171 or get ready for CMMC, request a quote.




Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations.

