Since the end of 2017, all subcontractors working within Department of Defense (DoD) supply chains were required to comply with the NIST 800-171 mandate. Since then, the Cybersecurity Maturity Model Certification (CMMC) has been published. Suppliers need to understand the differences between NIST 800-171 and CMMC and how they impact DoD contracts under which they work.
Controlling Unclassified Information
As described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors must protect two categories of unclassified information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
NIST Special Publication (SP) 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor. The NIST 800-171 mandate provides guidance as to how CUI should be accessed, shared, and stored.
CMMC is a new unified cybersecurity standard created by the DoD to increase the security posture of companies operating in DoD supply chains. CMMC is being rolled out gradually and will eventually replace NIST 800-171.
Differences Between NIST 800-171 and CMMC
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By October 1, 2025, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may comply with NIST 800-171 on some contracts and CMMC on others.
NIST 800-171 was about compliance, whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal – to protect information.
NIST 800-171
As of December 31, 2017, all DoD suppliers were expected to be in compliance with NIST 800-171.
CMMC
Version 1.0 of CMMC was released in January 2020, with a minor update to Version 1.02 in March 2020. Version 2.0 was announced in November 2021. The DoD is gradually transitioning from NIST 800-171 to CMMC, and by October 1, 2025, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them; CMMC requirements will appear only in new, future contracts.
Methods of Compliance
Compliance with NIST 800-171 can be achieved on your own or with the help of an outside company. Self-attestation is possible.
To meet CMMC, you can either self-attest, or you may be required to pass an assessment performed by an outside company (C3PAO) which will submit the assessment report to the CMMC-AB (CMMC Accreditation Body) for approval. Whether or not you can self-attest to CMMC varies based on the CMMC level you must comply with and the type of information you need to protect in fulfilling a contract.
NIST 800-171
There are 14 families of requirements in NIST 800-171, and across the 14 families are a total of 110 individual requirements.
CMMC
The CMMC model comprises 14 domains that align with the families specified in NIST SP 800-171.
There are no levels in NIST 800-171.
There are three maturity levels in CMMC.
Proof of Compliance
To comply with NIST 800-171, you submit your System Security Plan (SSP) and Plan of Action with Milestones (POA&M) to your DoD prime contractor or subcontractor at the time of contract initiation or renewal (or when asked to produce them). These documents serve as proof of compliance.
For CMMC, you either self-attest or you may need an assessment by a third-party assessment company (C3PAO). The method for CMMC compliance varies based on the CMMC level. For self-assessments, a senior officer of your company is required to upload your self-attestation to the DoD Supplier Performance Risk System (SPRS). For companies requiring C3PAO assessments, the C3PAO submits the assessment report to the CMMC-AB for approval. The approved assessment report is proof of compliance and is needed before the contract can be awarded.
How Does This Impact Bidding?
NIST 800-171
Under NIST 800-171, as long as you had created SSPs and POA&Ms, you could bid on, win, and even start working on contracts. You wouldn't need to provide those documents until asked for them by your prime.
CMMC
For CMMC, if a C3PAO assessment is required, you must be able to pass the assessment performed by the C3PAO to win a contract. There may be some allowance for POA&M items, which would need to be addressed by a specific date. If at the time of the assessment you do not pass, it is expected there will be a grace period of 90 days during which you can implement changes to receive certification. It is only after you have made those changes that the C3PAO will submit your assessment to the CMMC-AB for approval.
How Do I Know If I Need to Comply?
For NIST 800-171, you may receive notification from a prime or subcontractor via mail or email. Or, you might be notified via messages you see when logging into a portal that you use for procurement or order management. You may or may not receive direct notification about your need to comply. Keep in mind that if you receive no notification, this does not mean you do not need to comply. It's possible the notification was sent, but the correct person to receive it never saw it.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
Costs to Comply
NIST 800-171
If you have the internal security staff and the time, compliance with NIST 800-171 can be achieved completely internally using free resources and documents available from the government. You can also use an outside partner to perform the assessment, develop the SSP and POA&M for you, and perform the needed remediation work.
CMMC
If you need a C3PAO assessment, there will be some cost for the assessment by the C3PAO. Costs will depend upon several factors. If you can self-attest to CMMC, you can do this internally or use the services of an outside partner to help you self-attest.
Yes, self-attestation is possible with NIST 800-171.
Level 1 CMMC companies can self-attest. Some Level 2 CMMC companies can self-attest, and some will require C3PAO assessments. All Level 3 companies will require a government-led assessment.
Compliance with NIST 800-171 requires that you create documents such as SSPs and POA&Ms.
The approval of an assessment submitted by the C3PAO to the CMMC-AB for review constitutes evidence of CMMC for those companies needing an assessment. Companies that can self-attest make the attestation in SPRS.
Get Ready for CMMC
There are steps you can take now to get ready for CMMC. Contact Corserva to learn how to get ready for CMMC.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.