Cybersecurity Maturity Model Certification & NIST Compliance

Corserva blog

As of December 31, 2017, companies that provide parts and services for suppliers serving the government were required to be compliant with the NIST 800-171 mandate. The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the Cybersecurity Maturity Model Certification (CMMC).

NIST Special Publication 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding.

 

The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a "standard" for best practices.

 

Cybersecurity Maturity Model Certification Explained

In an effort for more companies to achieve compliance with NIST 800-171, a new certification was created, Cybersecurity Maturity Model Certification (CMMC). Version 1.0 was released in January 2020, and Version 2.0 was announced in November 2021.

To enhance the cybersecurity posture of companies participating in government supply chains, the Department of Defense is transitioning from the NIST 800-171 mandate to the CMMC framework. By 2026, all new DoD contracts will require compliance with CMMC.

The CMMC is intended to verify compliance in order to protect CUI.

 

How to Comply with NIST 800-171

 

NIST complianceDecember 31, 2017 – That Was Then

Previously, there were two ways to achieve compliance with the NIST 800-171 mandate.

Hire a third-party organization to perform a NIST 800-171 assessment and make recommendations

Perform your own self-assessment and self-attestation


You would then develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents included a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

To help companies perform their own assessments, NIST provided several free, online resources. However, many companies struggled to perform their own assessments and create the documents highlighting what changes needed to be made to achieve NIST compliance and how to make those changes.

 

Cybersecurity Maturity Model Certification (CMMC)2020 – This is Now

In the initial release of CMMC, there was no option for self-attestation.

That has changed with the announcement of Version 2.0 of CMMC.

 

cmmc2-levels-lgv3-1

Can We Do It Ourselves?

Depending on the level of CMMC to which you need to comply and the type of information you are handling in performance of a contract, you may be able to self-attest to CMMC.

 

NIST and CMMC

 

Who Needs to Comply?

All DoD contractors will need to obtain CMMC or comply with NIST 800-171, depending upon the contract under which you are working.

 

When Does This Become Effective?

The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC framework. By October 1, 2025, all new DoD contracts will require compliance with CMMC.

 

What Does This Mean If We Already Achieved NIST 800-171 Compliance?

The goals behind the NIST 800-171 mandate have not changed — to protect CUI within government supply chains. Only the method for providing evidence of compliance has changed, depending on the level of CMMC for which you need to meet.

 

cmmc-levels

 

If you had previously achieved NIST 800-171 compliance, either through a security assessment by a third-party or through your own self-attestation, that work was not in vain. The documents created in the past to achieve compliance will still be of value.

NIST compliance

Gap analysis (reports)

NIST compliance

Plan of Action with Milestones (POA&M)

NIST compliance

System Security Plan (SSP)

 

RPOCMMC Readiness

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).

Corserva has created an easy process to enable you to get ready for a CMMC assessment or self-attest to CMMC.

To prepare you for your CMMC assessment, these are the steps we follow:

  1. Identify the relevant requirements of CMMC you will need to meet.
  2. Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
  3. Create a list of remediation steps to be taken prior to your certification assessment being performed by a C3PAO.

The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote for CMMC readiness.

GET A QUOTE

 

Post Date: November 22, 2019 // 12:45 PM

Topic category:

NIST & CMMC, Cybersecurity

Author:

Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations. In addition to his CISSP certification, Sean is a CMMC-AB Registered Practitioner (RP). He leads Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC.

Share:

   

SUBSCRIBE TO RECEIVE BLOG POSTS

RECENT POSTS

POSTS BY TOPIC

POSTS BY DATE