If you are a US defense or government supplier — or if you are a subcontractor selling to a government supplier — you may need to meet certain security mandates. NIST Special Publication (SP) 800-53 and NIST SP 800-171 are two common mandates with which companies working within the federal supply chain may need to comply. The Cybersecurity Maturity Model Certification (CMMC) was also created to enhance the cybersecurity posture of companies participating in government supply chains.
(This guide was last updated on May 7, 2020. Changes will be made during 2020 as more information about CMMC becomes available from the Department of Defense, so check back frequently.)
The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a standard for best practices.
NIST is one of the nation’s oldest physical science laboratories and it is part of the US Department of Commerce. Congress established NIST in 1901 to remove a major challenge to US industrial competitiveness at the time—a second-rate measurement infrastructure that lagged the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the United States economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
In the last 30 years, NIST has been a major force behind IT security initiatives. If you do business directly with the government, your contract may include technology requirements for compliance with cybersecurity standards. If you do business indirectly with the government (in service to a prime contractor or another subcontractor), you may also be required to meet certain cybersecurity standards.
With cybersecurity a focal point for all major industries, safeguarding federal supply chains is more important than ever.
Companies that provide products and services to the federal government (either directly or indirectly through another supplier) may need to meet certain security mandates set by the National Institute of Standards and Technology (NIST). NIST Special Publication 800-53 and NIST Special Publication 800-171 are two common mandates with which companies working within the federal supply chain may need to comply.
For many companies, especially small ones not directly doing business with the government, NIST 800-171 may be their first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53. The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirements for NIST 800-53 compliance is included in their federal contracts).
NIST 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.
NIST 800-171 first became effective December 31, 2017. Revision 2 was published in February 2020.
Unlike previous security mandates which only impacted prime contractors, NIST 800-171 is the first one to impact subcontractors. Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal or state agencies. This includes contractual agency relationships.
To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity of behalf of the government, that is unclassified, but needs safeguarding.
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.
The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53, which covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary protection for federal information and systems which are covered under FISMA (Federal Information Security Modernization Act of 2014).
When you comply with NIST 800-171, you also meet most of the criteria for NIST 800-53, since NIST 800-171 is a subset of NIST 800-53.
Methods of compliance with NIST 800-171 are as follows:
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020.
The Department of Defense is planning to migrate from NIST 800-171 to the CMMC framework later in 2020.
CMMC is to be rolled out gradually and will eventually replace NIST 800-171 compliance. Starting in September 2020, we will start to see CMMC requirements included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
Learn more about CMMC:
The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment. With this framework, there is no longer an option for self-attestation.
The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.
These levels will capture both security control and the processes that enhance a company's cybersecurity. DoD contracts will stipulate to which level (1, 2, 3, 4, or 5) a supplier must meet. It is expected that a company will need to meet both the processes and practices to meet a given level.
A subcontractor working for a prime may not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 3 but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.
It is expected that most small businesses will need to meet either Level 1 or Level 2.
Safeguard Federal Contract Information (FCI)
Serve as transition step in cybersecurity maturity progression to protect CUI
Protect CUI and reduce risk of Advanced Persistent Threats (APT)
Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.
Practices protection of CUI from APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.
Protect CUI and reduce risk of APTs
Requires an organization to take corrective action towards improving process implementation across the organization.
Increases the depth and sophistication of cybersecurity capabilities.
The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments. The requirements for becoming a C3PAO are not yet established, and there are no approved C3PAO companies yet.
Companies operating in federal supply chains need to be certified by a third-party organization (C3PAO) who will assess the company's level of compliance with Cybersecurity Maturity Model Certification (CMMC). DoD contracts specify to which level a company must comply (levels 1-5). CMMC will be introduced in new RFIs and RFPs starting in 2020. By 2026, all DoD contracts will include CMMC instead of NIST 800-171.
With the adoption of CMMC, there is no longer an option for self-attestation to be eligible to participate in DoD contracts.
The process to achieve certification is expected to be as follows:
It is expected that the effectiveness of certification will last for 3 years, at which point companies will be able to renew their certification.
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. Starting in September 2020, CMMC requirements will be included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.
No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts. The certification to win a contract will be needed at the time of the award.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.
NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal - to protect information.
CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems. If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”
CUI is Unclassified Information that is stored on “Covered Contractor Information Systems,” which indicates an unclassified information system that is owned (or operated by or for) a contractor and that processes, stores, or transmits covered defense information. In performance of a subcontract, if you anticipate operating a “covered contractor information system,” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a), then ask yourself:
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”
As defined in the National Archives:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.
To comply with the NIST 800-171 mandate, companies must undertake a review, or assessment, of their critical systems as they relate to CUI. To become certified to CMMC, companies must select an approved C3PAO to perform an assessment.
Typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.
It can become complex very quickly.
To show compliance with NIST 800-171, contractors develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).
Although these documents will be of value to companies in strengthening their security posture, these documents are not sufficient for CMMC compliance. In other words, having a written plan to meet compliance (but not yet executing that plan) will no longer be enough.
This will be an advantage to those companies who do meet CMMC requirements. Companies that have developed a POA&M to meet all 110 controls in NIST 800-171 may not currently be meeting all of them and in the past, they could compete with other companies who had taken the effort to meet all the controls. Meeting CMMC requirements will be a competitive advantage.
With CMMC, there is no option for self-attestation. The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment for certification. CMMC standards will be required at the time of contract award.
There is no POA&M with CMMC.
However, the development of SSPs and POA&Ms offers value to companies for internal planning purposes.
Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant. Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.
Companies that solely produce Commerical-Off-The-Shelf (COTS) products do not require CMMC.
Compliance is not confined to prime contractors. The compliance standards outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, or NASA and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.
NIST 800-171 and CMMC not only apply to manufacturers directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.
You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).
The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.
No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.
Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by NIST 800-171 and CMMC.
For contracts that require subcontractors to meet NIST 800-171 compliance, you may or may not receive direct notification about your need to comply.
Some manufacturers that Corserva has worked with were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.
Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.
Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
The original NIST Special Publication 800-171 was broken out into 14 different security families of IT security requirements. (In CMMC, the requirements are called category domains and include 17.)
Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?
Are people properly instructed in how to treat this info? When it comes to CUI, are your employees aware of the security risks?
Are records kept of authorized and unauthorized access? Can violators be identified?
How are your networks and safety protocols built and documented?
What users are approved to access CUI and how are they verified prior to granting them access?
What’s the process if a breach or security threat occurs, including proper notification? If there is an incident that puts data at risk, the DFARS 252.204-7012 clause stipulates that your partner must be notified.
What timeline exists for routine maintenance, and who is responsible?
How are electronic and hard copy records and backups safely stored? Who has access?
How are employees screened prior to granting them access to CUI?
Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?
Are defenses tested in simulations? Are operations or individuals verified regularly?
Are processes and procedures still effective? Are improvements needed? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are methods for measuring your security.
Is information regularly monitored and controlled at key internal and external transmission points?
How quickly are possible threats detected, identified, and corrected?
Within each of these 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)
The requirements for NIST 800-171 can be summarized into four main groups.
If you have a firewall solution in place, you may already have a lot of these areas covered.
Chances are good that you already have some mechanisms in place for ‘control,’ but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:
To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:
A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.
To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:
There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.
To meet the NIST 800-171 mandate, the security measures requirement dictates that you:
A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.
At this point, you might feel as if your head is spinning. But the key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity, it’s an ongoing process where you continuously:
Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.
The requirements for NIST 800-171 and CMMC have some similarities, especially at the first three levels of CMMC.
Each of the 17 domains across CMMC consists of a set of processes and capabilities across the 5 levels.
Costs to comply with NIST will vary based on the size of the organization, what technology you are already using, and how much CUI you have.
In general, assessments by an outside party for very small organizations can start in the $5,000 – $7,500 range. Costs will scale up based on number of employees, number of physical locations, and number of systems that must be assessed. When using an outside vendor, implementation of any changes needed to become compliant based on findings in the assessment will be priced separately.
The two main areas that will impact costs are processes and technology. A security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.
Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.
It is unknown what the costs will be for companies to achieve CMMC. The DoD has stated:
"The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive."
Allowable costs are expenses specified in a contract that can be billed to the DoD.
CMMC assessment costs will depend upon several factors including to which level the certification is needed.
Once the DoD establishes requirements for becoming a C3PAO, more information will be available. You can find answers to other frequently asked questions on the CMMC website.
The assessment process should consist of three phases:
At the end of these phases you will have a compliance baseline. There are costs involved in becoming compliant, but you may not need to spend as much as you think.
Many companies already have some of the technology in place required for compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet compliance.
During the assessment process, your information systems environment as relates to specific CUI use cases will be reviewed. You will be asked about different access scenarios. Your policies and procedures regarding IT systems (formal, informal, written) are reviewed.
For each requirement, the assessor will rate your company as fully compliant, partially compliant, or not compliant, and include supporting documentation as well as recommendations of what changes to make to become compliant.
For contracts that require compliance with the NIST 800-171 mandate, you can achieve compliance on your own - there is no requirement for any type of outside, third party assessment.
For assistance, there is a wealth of information available online, for free, including the NIST publications themselves.
Additionally, you can reach out to your local Procurement Technical Assistance Center (PTAC). There's one in every state. Manufacturers can also contact their local Manufacturing Extension Partnership (MEP).
For contracts that stipulate contractors must meet CMMC, you cannot achieve certification on your own. There is no option for self-attestation.
You will need to select an accredited C3PAO to perform a CMMC assessment for certification.
From the assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress.
From NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:
Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.
Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.
For contracts that stipulate contractors must meet CMMC, you need to engage a C3PAO to perform an assessment for certification.
After the assessment, the C3PAO will submit the assessment to the CMMC Accreditation Body for review.
NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance. But your contracts will be at risk.
There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.
If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.
If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.
For contracts subject to CMMC, you will be unable to participate in the contract unless you meet the CMMC requirements. In other words, you will be ineligible for award of that contract.
There are no fines associated with non-compliance; however, you will be unable to participate in DoD contracts.
To become compliant, there are several questions you should start thinking about.
Submit this form to learn how to comply with NIST 800-171 and CMMC.