Since the end of 2017, all subcontractors working within Department of Defense (DoD) supply chains have been required to comply with the NIST 800-171 mandate. Since then, the Cybersecurity Maturity Model Certification (CMMC) has been published. Suppliers need to understand the differences between NIST 800-171 and CMMC and how they impact the DoD contracts under which they work.
As described in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors must protect unclassified information, which is Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
NIST Special Publication (SP) 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor. The NIST 800-171 mandate provides guidance as to how CUI should be accessed, shared, and stored.
CMMC is a new unified cybersecurity standard created by the DoD to increase the security posture of companies operating in DoD supply chains. CMMC is being rolled out gradually and will eventually replace NIST 800-171.
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By October 1, 2025, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may comply with NIST 800-171 on some contracts and CMMC on others.
NIST 800-171 was about compliance, whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal – to protect information.
NIST 800-171

As of December 31, 2017, all DoD suppliers were expected to be in compliance with NIST 800-171.
Version 1.0 of the CMMC model was released in January 2020, with a minor update to Version 1.02 in March 2020. Version 2.0 was announced in November 2021. The DoD is gradually transitioning from NIST 800-171 to CMMC, and by October 1, 2025, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them; CMMC requirements will appear only in new future contracts.
Compliance with NIST 800-171 can be achieved on your own or with the help of an outside company. Self-attestation is possible.
To meet CMMC, you can either self-attest, or you may be required to pass an assessment performed by an outside company (C3PAO) which will submit the assessment report to the CMMC-AB (CMMC Accreditation Body) for approval. Whether or not you can self-attest to CMMC varies based on the CMMC level you must comply with and the type of information you need to protect in fulfilling a contract.
There are no levels in NIST 800-171.
There are three maturity levels in CMMC.
To comply with NIST 800-171, you submit your System Security Plan (SSP) and Plan of Action with Milestones (POA&M) to your DoD prime contractor or subcontractor at the time of contract initiation or renewal (or when asked to produce them). These documents serve as proof of compliance.
For CMMC, you either self-attest or you may need an assessment by a third-party assessment company (C3PAO). The method for CMMC compliance varies based on the CMMC level. For self-assessments, a senior officer of your company is required to upload your self-attestation to the DoD Supplier Risk System (SPRS). For companies requiring C3PAO assessments, the C3PAO submits the assessment report to the CMMC-AB for approval. The approved assessment report is proof of compliance and is needed before the contract can be awarded.
Under NIST 800-171, as long as you had created SSPs and POA&Ms, you could bid on, win, and even start working on contracts. You wouldn't need to provide those documents until asked for them by your prime.
For NIST 800-171, you may receive notification from a prime or subcontractor via mail or email. Or, you might be notified via messages you see when logging into a portal that you use for procurement or order management. You may or may not receive direct notification about your need to comply. Keep in mind that if you receive no notification, this does not mean you do not need to comply. It's possible the notification was sent, but the correct person to receive it never saw it.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
If you need a C3PAO assessment, there will be some cost for the assessment by the C3PAO. Costs will depend upon several factors. If you can self-attest to CMMC, you can do this internally or use the services of an outside partner to help you self-attest.
Yes, self-attestation is possible with NIST 800-171.
Level 1 CMMC companies can self-attest. Some Level 2 CMMC companies can self-attest, and some will require C3PAO assessments. All Level 3 companies will require a government-led assessment.
Compliance with NIST 800-171 requires that you create documents such as SSPs and POA&Ms.
The approval of an assessment submitted by the C3PAO to the CMMC-AB for review constitutes evidence of CMMC for those companies needing an assessment. Companies that can self-attest make the attestation in SPRS.
There are steps you can take now to get ready for CMMC. Contact Corserva to learn how to get ready for CMMC.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.