NIST Special Publication (SP) 800-171 and Cybersecurity Maturity Model Certification (CMMC) are two common mandates with which companies working within the federal supply chain may need to comply, and they were designed to enhance the cybersecurity posture of companies participating in government supply chains.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed in the CMMC-AB Marketplace.
(This guide was last updated on February 1, 2021. Changes will continue to be made to this guide as new information about CMMC becomes available, so check back frequently.)
For many companies, especially small ones not directly doing business with the government, NIST 800-171 may be their first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53. The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).
For contracts that require NIST 800-171 compliance, all subcontractors working within the federal supply chain must meet compliance, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.
NIST 800-171 first became effective December 31, 2017. Revision 2 was published in February 2020.
Learn more in the blog post:
"Revision 2 of NIST SP 800-171 is Released"
Unlike previous security mandates which only impacted prime contractors, NIST 800-171 was the first one to impact subcontractors. Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal or state agencies. This includes contractual agency relationships.
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020.
Learn more in the blog post:
"CMMC Version 1.0 is Released"
Since 2020, the Department of Defense is in the process of migrating from NIST 800-171 to the CMMC framework.
CMMC is rolling out gradually and will eventually replace NIST 800-171 compliance. CMMC requirements are included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By 2026, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.
No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts. The certification to win a contract will be needed at the time of the award.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.
CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems. If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”
CUI is Unclassified Information that is stored on “Covered Contractor Information Systems,” which indicates an unclassified information system that is owned (or operated by or for) a contractor and that processes, stores, or transmits covered defense information.
Refer to “covered contractor information system” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a) and DFARS 252.204‑7012(b)(2)(ii)(B).
NIST 800-171 and CMMC provide a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”
As defined in the National Archives:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.
To comply with the NIST 800-171 mandate, companies must undertake a review, or assessment, of their critical systems as they relate to CUI. To become certified to CMMC, companies must select an approved C3PAO to perform an assessment.
Typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.
It can become complex very quickly.
To show compliance with NIST 800-171, contractors develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).
Although SSPs and POA&Ms will be of value to companies in strengthening their security posture, these documents are not sufficient for CMMC. In other words, having a written plan to meet compliance (but not yet executing that plan) is not sufficient for CMMC.
This more stringent requirement will be an advantage to those companies who do meet CMMC requirements. Companies that have developed a POA&M to meet all 110 controls in NIST 800-171 may not currently be meeting all of them. Before CMMC, those companies could compete with other companies who had taken the effort to meet all the controls. Therefore, meeting CMMC requirements will be a competitive advantage.
With CMMC, there is no option for self-attestation. The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment for certification. CMMC certification will be required at the time of contract award and must remain in effect for the duration of the contract. If a company's certification expires during the contract, the company will need to recertify to CMMC.
There is no POA&M with CMMC.
However, the development of SSPs and POA&Ms offers value to companies for internal planning purposes.
Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant. Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.
Companies that solely produce Commerical-Off-The-Shelf (COTS) products are not subject to CMMC requirements.
Compliance is not confined to prime contractors. The compliance standards outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA, and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.
NIST 800-171 and CMMC not only apply to manufacturers directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.
You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance or CMMC. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).
The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.
No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.
Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by NIST 800-171 and CMMC.
For contracts that require subcontractors to meet NIST 800-171 compliance, you may or may not receive direct notification about your need to comply.
Some manufacturers that Corserva has worked with were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.
Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.
Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. Certification must be maintained throughout the duration of the contract.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
NIST Special Publication 800-171 is broken out into 14 different security families of IT security requirements. (In CMMC, the requirements are called category domains and include 17.)
Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?
Are people properly instructed in how to treat this info? When it comes to CUI, are your employees aware of the security risks?
Are records kept of authorized and unauthorized access? Can violators be identified?
How are your networks and safety protocols built and documented?
What users are approved to access CUI and how are they verified prior to granting them access?
What’s the process if a breach or security threat occurs, including proper notification? If there is an incident that puts data at risk, the DFARS 252.204-7012 clause stipulates that your partner must be notified.
What timeline exists for routine maintenance, and who is responsible?
How are electronic and hard copy records and backups safely stored? Who has access?
How are employees screened prior to granting them access to CUI?
Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?
Are defenses tested in simulations? Are operations or individuals verified regularly?
Are processes and procedures still effective? Are improvements needed? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are methods for measuring your security.
Is information regularly monitored and controlled at key internal and external transmission points?
How quickly are possible threats detected, identified, and corrected?
For NIST 800-171, within each of the 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)
The requirements for NIST 800-171 can be summarized into four main groups.
If you have a firewall solution in place, you may already have a lot of these areas covered.
Chances are good that you already have some mechanisms in place for 'control,' but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:
To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:
A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.
To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:
There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.
To meet the NIST 800-171 mandate, the security measures requirement dictates that you:
A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.
The key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity, it’s an ongoing process where you continuously:
Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.
The requirements for NIST 800-171 and CMMC have some similarities, especially at the first three levels of CMMC.
Each of the 17 domains across CMMC consists of a set of processes and capabilities across the 5 levels.
These are the steps you should take to meet the CMMC requirements.
Corserva can remediate issues identified during an assessment.
We also offer CMMC readiness services to help you with steps #2 and #3 when preparing for a CMMC assessment.
Corserva can prepare you for a CMMC assessment by a C3PAO.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts.
To prepare you for your CMMC assessment, these are the steps we follow:
The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.
Get started today by requesting a quote for CMMC readiness.
