
CMMC vs NIST 800-171 Compliance

Written by Lisa DeVoto | July 14, 2020

Since the end of 2017, all subcontractors working within Department of Defense (DoD) supply chains have been required to comply with the NIST 800-171 mandate. Since then, the Cybersecurity Maturity Model Certification (CMMC) has been published. Suppliers need to understand the differences between NIST 800-171 and CMMC and how each affects the DoD contracts under which they work.

Controlling Unclassified Information

As described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors must protect certain unclassified information, namely Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

NIST 800-171

NIST Special Publication (SP) 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor. The NIST 800-171 mandate provides guidance as to how CUI should be accessed, shared, and stored.

CMMC

CMMC is a new unified cybersecurity standard created by the DoD to increase the security posture of companies operating in DoD supply chains. CMMC is being rolled out gradually and will eventually replace NIST 800-171.

Differences Between NIST 800-171 and CMMC

Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By October 1, 2025, all new DoD contracts will require CMMC.

Suppliers working under multiple contracts may comply with NIST 800-171 on some contracts and CMMC on others.

NIST 800-171 was about compliance, whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal – to protect information.

Effective Dates

NIST 800-171

As of December 31, 2017, all DoD suppliers were expected to be in compliance with NIST 800-171.

CMMC

Version 1.0 of the document was released in January 2020, with a minor update to Version 1.02 in March 2020. Version 2.0 was announced in November 2021. The DoD is gradually transitioning from NIST 800-171 to CMMC, and by October 1, 2025, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts.

Methods of Compliance

NIST 800-171

Compliance with NIST 800-171 can be achieved on your own or with the help of an outside company. Self-attestation is possible.

CMMC

To meet CMMC, you can either self-attest, or you may be required to pass an assessment performed by an outside company (C3PAO) which will submit the assessment report to the CMMC-AB (CMMC Accreditation Body) for approval. Whether or not you can self-attest to CMMC varies based on the CMMC level you must comply with and the type of information you need to protect in fulfilling a contract.

Security Requirements

NIST 800-171

There are 14 families of requirements in NIST 800-171, and across the 14 families are a total of 110 individual requirements.

CMMC

The CMMC model comprises 14 domains that align with the families specified in NIST SP 800-171.

Levels

NIST 800-171

There are no levels in NIST 800-171.

CMMC

There are three maturity levels in CMMC.

Proof of Compliance

NIST 800-171

To comply with NIST 800-171, you submit your System Security Plan (SSP) and Plan of Action with Milestones (POA&M) to your DoD prime contractor or subcontractor at the time of contract initiation or renewal (or when asked to produce them). These documents serve as proof of compliance.

CMMC

For CMMC, you either self-attest or you may need an assessment by a third-party assessment company (C3PAO). The method for CMMC compliance varies based on the CMMC level. For self-assessments, a senior officer of your company is required to upload your self-attestation to the DoD Supplier Performance Risk System (SPRS). For companies requiring C3PAO assessments, the C3PAO submits the assessment report to the CMMC-AB for approval. The approved assessment report is proof of compliance and is needed before the contract can be awarded.

How Does This Impact Bidding?

NIST 800-171

Under NIST 800-171, as long as you had created SSPs and POA&Ms, you could bid on, win, and even start working on contracts. You wouldn't need to provide those documents until asked for them by your prime.

CMMC

For CMMC, if a C3PAO assessment is required, you must be able to pass the assessment performed by the C3PAO to win a contract. There may be some allowance for POA&M items, which would need to be addressed by a specific date. If at the time of the assessment you do not pass, it is expected there will be a grace period of 90 days during which you can implement changes to receive certification. It is only after you have made those changes that the C3PAO will submit your assessment to the CMMC-AB for approval.

How Do I Know If I Need to Comply?

NIST 800-171

For NIST 800-171, you may receive notification from a prime or subcontractor via mail or email. Or, you might be notified via messages you see when logging into a portal that you use for procurement or order management. You may or may not receive direct notification about your need to comply. Keep in mind that if you receive no notification, this does not mean you do not need to comply. It's possible the notification was sent, but the correct person to receive it never saw it.

CMMC

For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").

Costs to Comply

NIST 800-171

If you have the internal security staff and the time, compliance with NIST 800-171 can be achieved completely internally using free resources and documents available from the government. You can also use an outside partner to perform the assessment, develop the SSP and POA&M for you, and perform the needed remediation work.

CMMC

If you need a C3PAO assessment, there will be some cost for the assessment by the C3PAO. Costs will depend upon several factors. If you can self-attest to CMMC, you can do this internally or use the services of an outside partner to help you self-attest.

Self-Attestation

NIST 800-171

Yes, self-attestation is possible with NIST 800-171.

CMMC

Level 1 CMMC companies can self-attest. Some Level 2 CMMC companies can self-attest, and some will require C3PAO assessments. All Level 3 companies will require a government-led assessment.

Required Evidence

NIST 800-171

Compliance with NIST 800-171 requires that you create documents such as SSPs and POA&Ms.

CMMC

The approval of an assessment submitted by the C3PAO to the CMMC-AB for review constitutes evidence of CMMC for those companies needing an assessment. Companies that can self-attest make the attestation in SPRS.

Get Ready for CMMC

There are steps you can take now to get ready for CMMC. Contact Corserva to learn how to get ready for CMMC.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO), and we are listed on the CMMC-AB Marketplace.