NIST 800-171 versus CMMC

Since the end of 2017, all subcontractors working within Department of Defense (DoD) supply chains have been required to comply with the NIST 800-171 mandate. Since then, the Cybersecurity Maturity Model Certification (CMMC) has been published. Suppliers need to understand the differences between NIST 800-171 and CMMC and how each affects the DoD contracts they are working under.

Controlling Unclassified Information

As described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors must protect two categories of unclassified information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

NIST 800-171

NIST Special Publication (SP) 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor. The NIST 800-171 mandate provides guidance as to how CUI should be accessed, shared, and stored.

CMMC

CMMC is a new unified cybersecurity standard created by the DoD to increase the security posture of companies operating in DoD supply chains. CMMC is being rolled out gradually and will eventually replace NIST 800-171.

Differences Between NIST 800-171 and CMMC

Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. It is expected that starting in 2020, CMMC will be included in some RFPs, and by 2026, all new DoD contracts will require CMMC.

Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others.

NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal – to protect information.

Effective Dates

NIST 800-171

As of December 31, 2017, all DoD suppliers were expected to be in compliance with NIST 800-171.

CMMC

As of July 14, 2020, there are no DoD contracts that require CMMC – yet. Version 1.0 of the document was released in January 2020 with a minor update to Version 1.02 in March 2020. It is expected that CMMC will be required in some contracts starting sometime in 2020 and that by 2026, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts.
Methods of Compliance

NIST 800-171

Compliance with NIST 800-171 can be achieved on your own or with the help of an outside company. Self-attestation is possible.

CMMC

To meet CMMC, you must pass an assessment performed by an outside company, a CMMC Third Party Assessment Organization (C3PAO), which submits the assessment report to the CMMC Accreditation Body (CMMC-AB) for approval.

Security Requirements

NIST 800-171

There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements.

CMMC

There are a total of 171 cybersecurity best practices across 17 capability domains in CMMC.

Levels

NIST 800-171

There are no levels in NIST 800-171.

CMMC

There are five maturity levels in CMMC. Levels 1–3 encompass the 110 security requirements specified in NIST 800-171. You can think of NIST 800-171 as the foundation for CMMC. For DoD contracts with CMMC requirements, it is expected most companies will need to meet Level 1, 2, or 3.


Proof of Compliance

NIST 800-171

To comply with NIST 800-171, you submit your System Security Plan (SSP) and Plan of Action with Milestones (POA&M) to your DoD prime contractor or subcontractor at the time of contract initiation or renewal (or when asked to produce them). These documents serve as proof of compliance.

CMMC

For CMMC, after assessment by a third party assessment company (C3PAO), the C3PAO submits the assessment report to the CMMC-AB for approval. The approved assessment report serves as proof of compliance and is needed before the contract can be awarded.

How Does This Impact Bidding?

NIST 800-171

Under NIST 800-171, as long as you had created SSPs and POA&Ms, you could bid on, win, and even start working on contracts. You wouldn't need to provide those documents until asked for them by your prime.

CMMC

For CMMC, you must be able to pass the assessment performed by the C3PAO to win a contract. A POA&M describing what changes you plan to make to become compliant is not sufficient. If at the time of the assessment you do not pass, it is expected there will be a grace period of 90 days during which you can implement changes to receive certification. It is only after you have made those changes that the C3PAO will submit your assessment to the CMMC-AB for approval.

How Do I Know If I Need to Comply?

NIST 800-171

For NIST 800-171, you may receive notification from a prime or subcontractor via mail or email. Or, you might be notified via messages you see when logging into a portal that you use for procurement or order management. You may or may not receive direct notification about your need to comply. Keep in mind that if you receive no notification, this does not mean you do not need to comply. It's possible the notification was sent but the correct person to receive it never saw it.

CMMC

For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").


Costs to Comply

NIST 800-171

If you have the internal security staff and the time, compliance with NIST 800-171 can be achieved completely internally using free resources and documents available from the government. You can also use an outside partner to perform the assessment and even develop the SSP and POA&M for you, as well as perform the needed remediation work.

CMMC

For CMMC, there will be some cost for the assessment by the C3PAO but it is unknown at this point what that will be. Costs will depend upon several factors including to which level the certification is needed (1–5).

Self-Attestation

NIST 800-171

Yes, self-attestation is possible with NIST 800-171.

CMMC

No, there is no option for self-attestation with CMMC.


Required Evidence

NIST 800-171

Compliance with NIST 800-171 requires that you create documents such as SSPs and POA&Ms.

CMMC

For CMMC, the approved assessment report, submitted by the C3PAO to the CMMC-AB for review, constitutes the evidence of compliance.

Get Ready for CMMC

There are steps you can take now to get ready for CMMC. Contact Corserva to learn how to get ready for CMMC.

Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She has written on various technology topics including disaster recovery, IT services, and enterprise software. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.
