Business leaders have a lot on their plates. There are inflation concerns, staffing issues, supply chain disruptions, customer relationship management, and ongoing IT challenges, to name just a few. Regulatory compliance requirements only add to the already lengthy list.
So, how do you know whether cybersecurity compliance regulations like NIST SP 800-171 apply to your business? And if they do, do you also need to become CMMC 2.0 compliant?
In this article, we’ll explain NIST SP 800-171 and provide guidance on which organizations are affected by the federal cybersecurity regulation. We'll also discuss CMMC 2.0 as it relates to NIST SP 800-171.
After reading this article, you’ll have a better understanding of where you stand in your compliance journey for NIST and/or CMMC 2.0 and what steps you can take from here.
At Kelser, we partner with organizations like yours every day to keep your IT infrastructures secure, available, and efficient. We offer a full suite of managed IT solutions that keep businesses running smoothly. Having said that, we understand that managed IT is not the best option for every organization.
Rather than sell you our services, we publish articles like these to provide relevant information business leaders like you can use to make the best IT decision for your business.
As a small business ourselves, we think it’s imperative that you have straightforward information to help keep your business running strong—whether you work with us or not.
We know this may be an unusual approach, but it has worked well for us for more than 40 years, and we expect that to continue!
Just to clarify the origins of the regulation, here’s some background. In 2003, the Federal Information Security Management Act (FISMA) was enacted.
This law authorized the National Institute of Standards and Technology (NIST) as the agency charged with developing the security framework for ensuring the integrity, security, and availability of controlled unclassified information (CUI) and federal contract information (FCI) handled by non-federal organizations.
Subsequently, NIST published Special Publication 800-171 (NIST SP 800-171), encompassing 110 security requirements organized into 14 control families. The publication is still being revised periodically and is now on its third revision (published in May 2004).
CUI is sensitive, but not classified, information that is created by or for the U.S. Government. It is data that, because of its relevance to our critical infrastructure, requires more robust safeguarding from unauthorized disclosure.
Examples of CUI include controlled technical information (CTI), such as design diagrams or technical drawings for a military aircraft; financial data; and certain personally identifiable information (PII).
The regulation casts a wide net: it applies broadly to any non-federal organization that processes, stores, or transmits CUI in the course of carrying out its contract.
This means that organizations that don’t have direct ties to the government, including subcontractors, must still meet the security requirements “flowed down” from their prime contractors.
For instance, NIST SP 800-171 applies to prime manufacturing contractors and subcontractors for various federal agencies such as NASA (National Aeronautics and Space Administration), the DoD (Department of Defense), and the GSA (General Services Administration).
Other affected entities can include:
If you’re wondering whether your organization needs to comply with NIST SP 800-171, you first need to determine if you process, store, or transmit CUI.
Related Article: How To Find CUI Within Your Environment & Set A CUI Boundary For CMMC
If so, then you are required to meet the guidelines outlined in NIST 800-171.
If you're not sure, ask yourself these questions:
If you answer yes to any of the above questions, NIST 800-171 likely applies to your organization.
On the other hand, if your organization produces a commercial, off-the-shelf (COTS) product that is sold to both government and non-government entities, your business is likely not required to comply with the NIST SP 800-171 requirements.
That said, even if you aren't required to become compliant, your business could still benefit from implementing some of the basic cyber hygiene measures outlined in the regulation to boost your security defenses.
Related Article: What Does Vulnerability Scanning Tell You About Your Network Security?
Keep in mind that the government is responsible for marking CUI. If you're a subcontractor and are uncertain whether certain unmarked information is considered CUI, you can check with your prime.
Primes should review the language in their contracts and, if necessary, reach out to the federal agency that awarded the contract for clarification.
Failure to comply could affect your ability to work with these agencies, including possibly losing your contracts and preventing you from bidding on others.
What's more, organizations that misrepresent compliance could face substantial fines and penalties under the False Claims Act.
Cybersecurity Maturity Model Certification (CMMC) is the next step in compliance requirements for defense contractors and subcontractors.
CMMC 2.0 differs from NIST 800-171 in several key ways.
For starters, while NIST SP 800-171 applies to non-federal organizations handling CUI for any federal agency, not just defense contractors, CMMC 2.0 was created specifically to strengthen the DoD’s supply chain.
The regulation is meant to enforce compliance to ensure that all organizations within the Defense Industrial Base (DIB) are doing everything they can to protect the sensitive federal data they store, process, or transmit.
Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks
CMMC is a mix of several different security regulations and frameworks, including NIST SP 800-171, NIST SP 800-172, DFARS (Defense Federal Acquisition Regulation Supplement), and FAR (Federal Acquisition Regulation).
The CMMC Final Rule, which went into effect in December, creates a three-tiered system for compliance and assessment standards that organizations must meet to become CMMC compliant and get certified. The requirements become more stringent at each higher level.
Level 1 only applies to contractors and subcontractors handling FCI, and it requires that they meet basic cybersecurity requirements. Businesses at Level 2 must implement security measures to satisfy the 110 security controls of NIST SP 800-171.
Level 2 organizations will need to get assessed every three years; most will be required to have the assessment performed by a certified third-party assessor organization (C3PAO).
Related Article: How to Cut CMMC Compliance & C3PAO Audit Costs: Grants, MSPs & More
To guard against advanced persistent threats (APTs), Level 3 businesses must meet the most stringent security requirements, including implementing additional security controls from NIST SP 800-172 and undergoing a federal CMMC audit.
Businesses at all levels must annually re-attest ongoing CMMC compliance.
In this article, we’ve defined NIST 800-171 and identified the organizations that need to achieve compliance.
We’ve provided questions you can use to determine if NIST 800-171 applies to your organization. We’ve explained what can happen if you don’t comply and we’ve discussed the next step in compliance.
Whether or not your organization is required to comply with NIST 800-171 and CMMC 2.0, both provide a comprehensive framework you can use to keep your organization’s data safe. By going beyond compliance, you can ensure that you’ve taken steps to protect the business and customer relationships you’ve worked so hard to develop.
As we mentioned earlier, failure to become compliant could damage your relationship with the government, putting your existing contracts in jeopardy and leaving you ineligible to win others.
If you don’t have the internal IT personnel with the specialized skills and regulatory knowledge to lead your compliance journey, you may be considering managed IT support. If so, we encourage you to compare several providers to see which is the best fit for your organization.
If you are ready to move forward in your compliance journey but need help figuring out your next steps, click the button to schedule a no-obligation CMMC readiness consultation.