The Definitive Guide to NIST Compliance & CMMC Compliance

The deadline to comply with NIST Special Publication (SP) 800-171 became effective December 31, 2017. The latest version, Revision 2, was published in February 2020.

NIST, or the National Institute of Standards and Technology, develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a standard for best practices.

Companies that provide products and services to the federal government (either directly or indirectly through another supplier) may need to meet certain security mandates set by NIST.

NIST Special Publication 800-53 and NIST Special Publication 800-171 are two common mandates with which companies working within the federal supply chain will need to comply.

For many companies, especially small ones not directly doing business with the government, NIST 800-171 is their first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53.

The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).

For contracts that require NIST 800-171 compliance, all subcontractors working within the federal supply chain must meet compliance, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.

Unlike previous security mandates which only impacted prime contractors, NIST 800-171 was the first one to impact subcontractors.

Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes.

NIST compliance standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other government agencies or state agencies. This includes contractual agency relationships.

To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity of behalf of the government, that is unclassified, but needs safeguarding.

NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.

The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53, which covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary data protection for federal information and systems which are covered under FISMA (Federal Information Security Modernization Act of 2014).

When you comply with NIST 800-171, you also meet most of the criteria for NIST 800-53, since NIST 800-171 is a subset of NIST 800-53.

To show compliance with NIST 800-171 and prepare for CMMC, contractors develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal.

These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

You can meet compliance with NIST 800-171 using any of the following methods:

• Hire an outside vendor to perform a NIST 800-171 assessment.
• Perform your own self-assessment and self-attestation.
• Hybrid of the two methods.

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard evolved from FAR clause 52.204-21. CMMC was created to increase the security posture of companies operating in government supply chains.

Version 1.0 was released in January 2020 and the creation of CMMC 2.0 was announced in November 2021.

The CMMC 2.0 document will not be available until the CMMC 2.0 rulemaking process is complete, which is expected to take 9-24 months from the time Version 2.0 was announced on November 4, 2021, although an overview of the CMMC 2.0 model was published in December 2021 as well as a mapping spreadsheet.

CMMC Compliance Deadline

The Department of Defense has been in the process of gradually migrating from NIST 800-171 to the CMMC framework since January 31, 2020 when Version 1.0 of CMMC was published.

Unlike NIST 800-171 (which had a compliance deadline of December 31, 2017), there is no fixed deadline for when you need to be CMMC compliant. Instead, you will need to meet CMMC compliance when you want to work under a federal contract that requires it.

By October 1, 2025, all new DoD contracts will include CMMC requirements instead of NIST 800-171. This is expected to be a gradual process. Therefore, your CMMC compliance deadline is no later than October 1, 2025. Prior to that, you need to comply with CMMC in order to participate in any new contracts that include the CMMC requirements.

For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the applicable CMMC level at the time of contract award.

Although there are no NIST levels in NIST 800-171, the CMMC framework contains 3 maturity levels.

• Level 1 – Foundational
• Level 2 – Advanced
• Level 3 – Expert

Although there were 5 levels in Version 1.0 of CMMC, that has changed to 3 levels with the announcement of CMMC 2.0.

from Acquisition & Sustainment, Office of the Under Secretary of Defense

DoD contracts will stipulate to which CMMC level (1, 2, or 3) a supplier must meet.

A subcontractor working for a prime or another subcontractor may not necessarily need to meet the same level as the contractor for which they are working. For example, to win a contract, a contractor may need to be at Level 2, but a supplier to that contractor may only need to be at Level 1.

The method to become certified to CMMC varies based on the level of CMMC you need to meet. The major distinction in CMMC certification is whether you are protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

FCI (Federal Contract Information) is information not intended for public release that the US government provides under a contract to develop or deliver a product or service to the government, but not publicly available information, such as on websites.

CUI (Controlled Unclassified Information) is information the US government creates or possesses that a law, regulation, or government-side policy requires or permits an agency to handle using safeguarding or dissemination controls.

CUI Defined

CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems.

If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”

CUI is Unclassified Information that is stored on “Covered Contractor Information Systems,” which indicates an unclassified information system that is owned (or operated by or for) a contractor and that processes, stores, or transmits covered defense information.

Refer to “covered contractor information system” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a) and DFARS 252.204‑7012(b)(2)(ii)(B).

CUI Controls

NIST 800-171 and CMMC provide a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”

Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”

Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.

When evaluating compliance with CMMC (or NIST 800-171), typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.

The 5 levels in CMMC 1.0 have been replaced with 3 levels in CMMC 2.0. 

In CMMC 2.0, your method for CMMC compliance varies based on whether you are protecting FCI or CUI, and the priority of the program in which you are participating.

1. Companies protecting only FCI can self-attest to Level 1 CMMC compliance.
2. Companies protecting CUI in the course of non-prioritized acquisitions can self-attest to Level 2 CMMC compliance.
3. Companies protecting CUI in the course of prioritized acquisitions will require a third-party assessment to meet Level 2 CMMC compliance.
4. Companies protecting CUI in the highest priority programs will require a government-led assessment to meet Level 3 CMMC compliance.

The levels in CMMC 2.0 are based on the security criticality of the information you receive when performing under a contract. Level 2 compliance is harder to meet than Level 1 compliance, and Level 3 compliance is harder to meet than Level 2.

from Acquisition & Sustainment, Office of the Under Secretary of Defense

CMMC Level 1 – Foundational

Level 1 compliance of CMMC requires an annual self-assessment.

To meet CMMC Level 1, you comply with 17 cybersecurity best practices as specified in FAR Clause 52.204-21.

1. Domain: Access Control (AC), AC.L1-3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Domain: Access Control (AC), AC.L1-3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Domain: Access Control (AC), AC.L1-3.1.20 – Verify and control/limit connections to and use of external information systems.
4. Domain: Access Control (AC), AC.L1-3.1.22 – Control information posted or processed on publicly accessible information systems.
5. Domain: Identification and Authentication (IA), IA.L1-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
6. Domain: Identification and Authentication (IA), IA.L1-3.5.2 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Domain: Media Protection (MP), MP.L1-3.8.3 – Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Domain: Physical Protection (PE), PE.L1-3.10.1 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Domain: Physical Protection (PE), PE.L1-3.10.3 – Escort visitors and monitor visitor activity.
10. Domain: Physical Protection (PE), PE.L1-3.10.4 – Maintain audit logs of physical access.
11. Domain: Physical Protection (PE), PE.L1-3.10.5 – Control and manage physical access devices.
12. Domain: System and Communications Protection (SC), SC.L1-3.13.1 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
13. Domain: System and Communications Protection (SC), SC.L1-3.13.5 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
14. Domain: System and Information Integrity (SI), SI.L1-3.14.1 – Identify, report, and correct information and information system flaws in a timely manner.
15. Domain: System and Information Integrity (SI), SI.L1-3.14.2 – Provide protection from malicious code at appropriate locations within organizational information systems.
16. Domain: System and Information Integrity (SI), SI.L1-3.14.4 – Update malicious code protection mechanisms when new releases are available.
17. Domain: System and Information Integrity (SI), SI.L1-3.14.5 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Level 1 companies are protecting FCI, not CUI, and can self-certify. Many small businesses in the Defense Industrial Base (DIB) will only need to meet Level 1 of CMMC.

To meet CMMC Level 1, you upload your assessment into the DoD Supplier Performance Risk System (SPRS) annually. Only senior company officials (CEO, CFO, etc.) can make the CMMC Level 1 attestation to SPRS.

Corserva can assess your compliance to the 17 controls and guide you in submitting your assessment results to the government.

CMMC Level 2 – Advanced

Level 2 compliance of CMMC requires either an annual self-assessment or an outside assessment performed every three years.

• Level 2 contractors who do not handle information deemed critical to national security will be able to perform annual self-assessments.
• Level 2 contractors managing information critical to national security will be required to undergo third-party assessments every three years.

The CMMC Accreditation Body (CMMC-AB) has stipulated that companies requiring an outside assessment will need to work with an accredited and independent third-party organization to perform a CMMC assessment. An assessment organization is called a “CMMC Third Party Assessment Organization” or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments and can be found on the website of the CMMC-AB.

To meet CMMC Level 2, you follow the 110 best practices identified in NIST SP 800-171.

Under certain limited circumstances, the DoD will allow POA&Ms to achieve certification.

Self-Certification for Level 2 CMMC Compliance

Companies that can self-certify will be able to use POA&Ms as an acceptable form of remediation for certain CMMC practices. POA&Ms will not be allowed for the highest-weighted requirements of CMMC.

You write POA&Ms (Plans of Actions with Milestones) to document controls to which you don't currently comply and how you plan to make changes to meet those gaps in the future.

Assuming you take the correct approach when developing a POA&M, it can be a valuable tool to improve the company's security posture. Just don't fall into the trap of using a POA&M as a checkmark to compliance. Instead of a procrastination step, your POA&M should be a roadmap to compliance, clearly outlining what steps you plan to take in the future to fully meet compliance.

In addition to POA&Ms, System Security Plans (SSP) can also be helpful on the path to a stronger security posture.

Corserva can create POA&Ms and SSPs for you, as well as perform NIST 800-171 assessments.

C3PAO Assessments for Level 2 CMMC Compliance

A Certified 3rd Party Assessor Organization (C3PAO) is licensed by the CMMC Accreditation Body (CMMC-AB) to perform CMMC assessments. Only those companies listed as C3PAOs on the CMMC-AB Marketplace are authorized to perform C3PAO assessments.

Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO but has not yet completed the process.

Level 2 companies requiring a C3PAO assessment can comply with CMMC as follows:

1. Prepare for your CMMC assessment by performing a self-assessment or working with a partner. Corserva's CMMC expert advisors can help you with audit preparation.
2. Visit the CMMC-AB Marketplace to research potential C3PAOs. Only C3PAOs listed on the CMMC-AB Marketplace are authorized by the CMMC-AB to perform assessments.
3. Hire a C3PAO to perform a CMMC assessment for you.
4. The C3PAO will create an assessment report and if there are no deficiencies, issue a CMMC certificate.
5. The C3PAO will submit a copy of the assessment report and CMMC certificate to the DoD, which is valid for 3 years. This final step completes the requirement for CMMC compliance.

CMMC Level 3 – Expert

Level 3 compliance of CMMC requires a government-led assessment every three years.

To meet CMMC Level 3, the company must meet more than 110 best practices based on NIST SP 800-172.

from Acquisition & Sustainment, Office of the Under Secretary of Defense

The CMMC-AB has introduced several roles in support of the CMMC framework.

• Certified 3rd Party Assessor Organization (C3PAO) – Companies that are certified by the CMMC-AB to perform CMMC assessments. These are the only companies authorized to perform assessments.
• Certified CMMC Assessor (CCA) – People working for a C3PAO performing CMMC assessments.
• Certified CMMC Professional (CCP) – People working for a C3PAO who can participate in a CMMC assessment led by a CCA.
• Licensed Training Provider (LTP) – Companies that train assessors to perform CMMC assessments. Certified assessors can only be trained by LTPs.
• Licensed Partner Publisher (LPP) – Companies that create the training materials for LTPs.
• Registered Provider Organization (RPO) – Companies that have registered with the CMMC-AB to provide consulting advice and CMMC readiness services to Organizations Seeking Compliance (OSC).
• Registered Practitioner (RP) – People working for an RPO who have registered with the CMMC-AB.

C3PAOs, LTPs, and LPPs are licensed by the CMMC-AB.

CCAs and CCPs are certified by the CMMC-AB and must pass exams given by LTPs.

RPOs and RPs are registered with the CMMC-AB.

Companies and people with each of these roles are listed in the CMMC-AB Marketplace. If they are not listed there, they are not certified by or registered with the CMMC-AB.

Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO, but has not yet completed the process. 

Because CMMC is rolling out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect.

Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation to NIST 800-171 requirements and Level 2 of CMMC.

No existing contracts will have CMMC requirements inserted into them.

CMMC requirements will not be included in any contracts until the DoD completes CMMC 2.0 rulemaking.

Once the rulemaking process is complete (9–24 months from the November 4, 2021 announcement of CMMC 2.0), the requirement for CMMC can be included in new DoD contracts. By October 1, 2025, CMMC will be included in all DoD contracts.

For contracts requiring CMMC, the certification will be needed at the time of the award.

You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171.

CMMC Level 2 is equivalent to NIST 800-171.

Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant.

Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products are not subject to CMMC requirements.

Compliance is not confined to prime contractors. The set of standards for compliance that are outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA, and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.

NIST 800-171 and CMMC not only apply to defense contractors directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?

Flow Down Clauses

Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.

You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance or CMMC. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).

The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.

(Even for companies not in federal supply chains, there can be advantages to companies who comply with a cybersecurity framework.)

Is It Only Manufacturers That Must Comply?

No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.

Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by NIST 800-171 and CMMC.

NIST 800-171

For contracts that require subcontractors to meet NIST 800-171 compliance, you may or may not receive direct notification about your need to comply.

Some Corserva clients were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.

Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.

Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.

CMMC

For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. Certification must be maintained throughout the duration of the contract.

If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").

NIST Special Publication 800-171 is broken out into 14 different security families of IT security requirements. (The 14 domains in the CMMC model align with these families.)

1. Access Control

Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?

2. Awareness & Training

Are people properly instructed in how to treat this info? When it comes to CUI, are your employees aware of the security risks?

3. Audit & Accountability

Are records kept of authorized and unauthorized access? Can violators be identified?

4. Configuration Management

How are your networks and safety protocols built and documented?

5. Identification & Authentication

What users are approved to access CUI and how are they verified prior to granting them access?

6. Incident Response

What’s the process if a data breach or security threat occurs, including proper notification? If there is an incident that puts data at risk, the DFARS 252.204-7012 clause stipulates that your partner must be notified.

7. Maintenance

What timeline exists for routine maintenance, and who is responsible?

8. Media Protection

How are electronic and hard copy records and backups safely stored? Who has access?

9. Personnel Security

How are employees screened prior to granting them access to CUI?

10. Physical Protection

Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?

11. Risk Assessment

Are defenses tested in simulations? Are operations or individuals verified regularly?

12. Security Assessment

Are processes and procedures still effective? Are improvements needed? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are methods for measuring your security.

13. Systems & Communications Protection

Is information regularly monitored and controlled at key internal and external transmission points?

14. System & Information Integrity

How quickly are possible threats detected, identified, and corrected?

Summary of NIST Requirements

For NIST 800-171, within each of the 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)

The requirements for NIST 800-171 can be summarized into four main groups.

1. Controls – Data management controls and processes
2. Monitoring & management – Real time monitoring/management of defined IT systems
3. End user practices – Documented, well defined end user practices and procedures
4. Security measures – Implementation of defined security measures

If you have a firewall solution in place, you may already have a lot of these areas covered.

Controls Requirement

Chances are good that you already have some mechanisms in place for 'control,' but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:

• Assess and develop appropriate security controls
• Develop formal policies and procedures
• Create and maintain audit records regarding access to CUI
• Securely transmit data including encryption
• Encrypt data at rest

Monitoring & Management Requirement

To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:

• Monitor and manage user access to information systems
• Authenticate users and utilize multi-factor authentication
• Establish an operational incident management process
• Patch critical systems and scan for vulnerabilities
• Deploy antivirus/malware solutions and monitor activity
• Monitor network traffic for malicious activity

A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.

End User Practices Requirement

To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:

• Provide training and awareness to end users and system administrators on proper procedures for handling CUI
• Have management define and execute minimum password complexity compliance

There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.

Security Measures Requirement

To meet the NIST 800-171 mandate, the security measures requirement dictates that you:

• Assess and develop appropriate security controls
• Securely back up CUI
• Create and enforce policies to prevent unauthorized software
• Identify, track, and restrict access to network/application ports (firewall/systems)

A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.

NIST 800-171 Overview

The key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity, it’s an ongoing process where you continuously:

1. Assess – Evaluate the current situation
2. Design – Create the necessary changes in the system
3. Deploy – Implement those changes
4. Manage – Continue to manage the system to maintain compliance

Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.

There are two factors that impact what compliance will cost an OSC: changes the OSC will need to make and the cost of any assessments.

Costs for Changes to Be Made

Costs to comply with NIST or CMMC will vary based on the size of the organization, what technology you are already using, and how much CUI you have.

Meeting compliance objectives can require process changes and technology changes.

A computer security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.

Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.

Costs for NIST and CMMC Assessments

An OSC can achieve NIST 800-171 compliance through self-attestation, requiring no third-party assessor, or use an outside provider to perform a NIST assessment.

For CMMC, the cost for potential assessments is based on which level of CMMC you need to meet.

• Level 1 companies (and some Level 2 companies) can self-attest to CMMC
• Level 2 companies that are handling information critical to national security in performance of a contract will require an assessment to be performed by a C3PAO
• Level 3 companies will require a government-led assessment

The NIST assessment process should consist of three phases:

1. Business process review
2. Technical assessment of systems and networks
3. Data analysis

At the end of these phases you will have a compliance baseline. There are costs involved in becoming compliant, but you may not need to spend as much as you think.

Many companies already have some of the technology in place required for compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet compliance.

Questions You Will Be Asked

During the assessment process, your information systems environment as relates to specific CUI use cases will be reviewed. You will be asked about different access scenarios. Your policies and procedures regarding IT systems (formal, informal, written) will also be reviewed.

For each requirement, the assessor will rate your company as fully compliant, partially compliant, or not compliant, and include supporting documentation as well as recommendations of what changes to make to become compliant.

Corserva performs NIST assessments for companies needing to meet NIST 800-171.

There are several things you can do to prepare for a CMMC assessment.

Isolate CUI

CMMC is all about the protection of Controlled Unclassified Information (CUI).

The first step you should take on the path to CMMC compliance is to determine where you have CUI. If a prime contractor or other subcontractor is sending you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.

The less CUI you have, the easier it will be to protect it.

Use Proper Encryption

For an IT system to be CMMC compliant, it must use FIPS validated cryptography to protect data at rest and in transit. A platform that uses FIPS validated cryptography has been submitted to the National Institute of Standards and Technology (NIST) for validation and certification. NIST maintains a list of FIPS validated cryptographic platforms.

Manage CUI with Defined Policies and Procedures

When protecting CUI, using the correct processes is as important as the correct technology. You should take a lifecycle approach to security where you define your policies and specify approved procedures to manage CUI within a platform. Moving forward, you need to make sure you are monitoring and validating the systems, then periodically perform a management review.

Avoid the Shopping Cart Approach

Don't rush to purchase a compliance tool that purports to make it easy to achieve CMMC compliance. The best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.

Just like buying a vacuum cleaner doesn't guarantee you will have a clean floor, buying a compliance tool doesn't guarantee you will pass a future audit.

Before purchasing any type of self-analysis tool intended to identify gaps where it is expected you will fall short during a future CMMC assessment, make sure you have the correct expertise in-house to use the tool. We frequently hear feedback from companies that were unable to make use of tools they purchased. Avoid wasting time and money on tools that don't get you much closer to passing a CMMC audit.

Identify Gaps

Once you have determined the CMMC level to which you need to certify, you can meet internally to identify gaps in your processes and systems that you know need to be corrected. Corserva can help you identify these gaps.

The best way to implement CMMC is to take a security lifecycle approach.

For those companies requiring an outside assessment by a C3PAO, here is a CMMC compliance checklist to meet the CMMC requirements.

1. Select which level of certification you need (1–3).
2. Within your organization, implement the changes required to comply with the CMMC level.
3. After implementation, evaluate if you are meeting the requirements.
4. Select a C3PAO in the CMMC-AB Marketplace to perform a CMMC assessment.
5. The C3PAO assigns a Certified Assessor, and then performs the assessment of your organization.
   If there are any assessment findings, you will need to fix them first, before achieving certification.
6. After you pass the CMMC assessment, the C3PAO submits the assessment report to the DoD.
7. The C3PAO issues a CMMC certificate to you, which is valid for three years.

Corserva can help you identify and remediate issues that should be corrected before a C3PAO assessment.

NIST 800-171

For contracts that require compliance with the NIST 800-171 mandate, you can achieve compliance on your own - there is no requirement for any type of outside, third party assessment.

For assistance, there is a wealth of information available online, for free, including the NIST publications themselves.

• NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

Additionally, you can reach out to your local Procurement Technical Assistance Center (PTAC). There's one in every state. Manufacturers can also contact their local Manufacturing Extension Partnership (MEP).

CMMC

Level 1 companies can self-attest to CMMC compliance annually.

Depending on whether the OSC is handling information critical to national security, some Level 2 companies can self-attest to CMMC compliance annually and some Level 2 companies will need a C3PAO assessment every three years.

Level 3 companies must undergo a government-led assessment every three years.  

NIST 800-171

From the NIST assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress.

From NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:

Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.

Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.

CMMC

The evidence you provide to show CMMC compliance depends on which of the three levels of CMMC you must meet.

1. To meet CMMC Level 1, you upload your assessment into the DoD Supplier Performance Risk System (SPRS) annually. Only senior company officials (CEO, CFO, etc.) can make the CMMC Level 1 attestation to SPRS.
2. CMMC Level 2 companies can either self-attest or pass an outside assessment, depending on whether the company is handling information critical to national security. Level 2 companies that require an outside assessment must hire a C3PAO to perform an assessment every 3 years. The C3PAO submits the assessment to the CMMC-AB for review. Under certain limited circumstances, the DoD will allow POA&Ms to achieve certification.
3. To meet CMMC Level 3, you must pass a government-led assessment every 3 years.

NIST 800-171

NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance with NIST 800-171. But your contracts will be at risk.

There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.

If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.

If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.

CMMC

For contracts with CMMC requirements, you will be unable to participate in the contract unless you meet the CMMC requirements. In other words, you will be ineligible for award of that contract.

There are no fines associated with non-compliance; however, you will be unable to participate in DoD contracts.

When getting started on becoming compliant with NIST 800-171 or CMMC, ask yourself these questions as a NIST compliance checklist.

About Your Business

Industry and people

• Is there an InfoSec policy in place?
• What physical security do you have?
• Have you done any type of cybersecurity assessments in the past?
• How many employees do you have?
• How many workstations (if not all employees have computers)?
• Is everyone in one location or do you have multiple locations?

About Your Assets

Workstations and networks

• What type of physical equipment do you have within your network?
• How many end user workstations?
• How many servers?
• What operating systems are you running?
• Is there any type of encryption in place?
• What are you using for email?
• Which applications are you using, both on-premise and cloud-based?
• Do you have any firewalls?
• How is your network connected to the internet?
• Do you have a DMZ (demilitarized zone)?
• How many printers do you have and how are they accessed?
• What are you doing for backup?

About Your Data

The format of data and how it is accessed

• How does CUI enter your organization and in what format?
• How many of your users have access to CUI?
• In which systems and applications is the CUI stored?
• How is CUI accessed by staff?
• How is CUI shared amongst staff?
• Is CUI accessed by remote staff?
• Is CUI transmitted to other entities, and if so, how?

Corserva can help you comply with NIST 800-171 or CMMC. We offer:

• Pre-assessment CMMC readiness services
• NIST 800-171 assessments
• Technical remediation to correct gaps in compliance
• Customized cybersecurity programs

Corserva can prepare you for a CMMC assessment by a C3PAO.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).

Corserva has created an easy process to enable you to get ready for CMMC and protect your government contracts.

To prepare you for your CMMC assessment, these are the steps we follow:

1. Identify the relevant requirements of CMMC you will need to meet.
2. Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
3. Create a list of remediation steps you need to take before hiring a C3PAO to perform a CMMC assessment.

The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote for CMMC consulting services.