
By: Tyler Thepsiri on December 09, 2022

Does NIST 800-171 Help Prepare Me for CMMC 2.0?

If you are a business or IT leader for a government contractor or subcontractor, you are likely well aware of the requirement to be NIST 800-171 certified.

The next step in cybersecurity compliance is CMMC 2.0. You may be wondering what the new standards will require of your organization and whether NIST 800-171 compliance means you are covered.

In my role as Manager of Engineering Services at Kelser Corporation, I regularly answer questions like these. Having been in the IT industry for more than 8 years, my experience puts me in a good position to provide the information you need.

After you read this article, you’ll have all of the information you need to feel confident in your preparation for CMMC 2.0. And, you’ll have a concrete next step to prepare your organization for CMMC 2.0 compliance.

What Is NIST 800-171?

The Federal Information Security Management Act (FISMA), signed into law in 2002 (and updated in 2014), defines a comprehensive framework to protect government information, operations, and assets against threats.

In June 2015, the National Institute of Standards and Technology (NIST) created Special Publication 800-171 to provide a framework for protecting controlled unclassified information (CUI).

CUI is unclassified information that is created or possessed by the U.S. Government or an entity on behalf of the Government that is relevant to the interests of the United States and requires safeguarding from unauthorized disclosure.

Examples include design diagrams or technical drawings for parts to be made specifically for products to be provided to the federal government or personally identifiable information (PII) used in the performance of federal government contracts.

For certain government agencies, a revised set of rules for NIST compliance took effect in 2017.


What Is CMMC 2.0?

CMMC 2.0 is the latest iteration of a Department of Defense (DoD) initiative to enhance cybersecurity protection standards for manufacturers in the U.S. Defense Industrial Base (DIB).

In particular, CMMC 2.0 is designed to protect sensitive information, specifically CUI and Federal Contract Information (FCI), shared by the DoD with contractors and subcontractors.

Requirements for CMMC 2.0 compliance could begin showing up in contracts as early as May 2023.

How Is CMMC 2.0 Different From NIST 800-171? 

Here’s the good news: if you have implemented NIST 800-171, you have taken important first steps toward CMMC 2.0 compliance.

CMMC takes the requirements a step further by requiring organizations working as part of the U.S. Defense Industrial Base (DIB) and accessing CUI or FCI to adhere to the 14 control families outlined in NIST 800-171.

What Are The 14 Control Families That Appear In Both NIST 800-171 And CMMC 2.0?

The CMMC 2.0 framework is based on the 14 control families spelled out in NIST 800-171:

    1. Access Control
    2. Awareness and Training
    3. Audit and Accountability
    4. Configuration Management
    5. Identification and Authentication
    6. Incident Response
    7. Maintenance
    8. Media Protection
    9. Physical Protection
    10. Personnel Security
    11. Risk Assessment
    12. Security Assessment
    13. System and Communications Protection
    14. System and Information Integrity

Each of these areas is further defined by controls that describe the processes or practices against which your company will be evaluated.

While only a few of these areas are relevant to Level 1, they are all relevant to Levels 2 and 3. 

Each level of certification represents an increased level of cybersecurity compliance and capability, with more total controls across these domains required for certification at Levels 2 and 3.

So, if you are NIST 800-171 certified does that mean you are done? Not exactly, but you have a solid start. 

What Is The First Step Toward CMMC 2.0 Compliance? 

The very first thing to do (after achieving NIST 800-171 compliance) is to review all of your government-related contracts and subcontracts. Determine whether or not you work with CUI or FCI. 

Any company that possesses FCI will need to achieve Level 1 (Foundational) CMMC 2.0 certification, even if it doesn’t handle CUI.

Most organizations that handle CUI will require Level 2 (Advanced) CMMC 2.0 certification. Level 3 (Expert) CMMC 2.0 certification is reserved for organizations that work with CUI on the DoD’s highest priority programs. 


What’s Next? 

The next step is to determine (based on your contracts) which level to target for CMMC certification. Find out what’s required for compliance at that level and work toward that. 

Keep in mind that the required controls represent a minimum standard. They don’t cover every possible cybersecurity solution. For example, CMMC doesn’t require that you back up your data, but backups are a key element of your company’s overall cybersecurity strategy.

By reading this article, you have a complete understanding of how NIST 800-171 compliance will help you prepare for CMMC 2.0 and the 14 control families that are common between the two. 

It’s important to stay one step ahead when it comes to cybersecurity and compliance issues. By starting now (if you haven’t already), you’re heading toward a more secure future.

I know it can feel like a moving target, but that’s because the technology and threats are constantly changing. Rather than considering cybersecurity a hassle, think of it as a challenge and remind yourself that the security of your organization’s data is at risk. CMMC requirements don’t need to be overwhelming and will be less onerous the sooner you start. 


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
