Companies working in the Defense Industrial Base (DIB) need to meet compliance requirements in order to do business with the government.
Read this guide to learn how to comply with NIST 800-171 and CMMC.
In this guide, learn about the latest changes to CMMC since the announcement of CMMC 2.0 on November 4, 2021.
The deadline to comply with NIST Special Publication (SP) 800-171 was December 31, 2017. The latest version, Revision 2, was published in February 2020.
NIST, or the National Institute of Standards and Technology, develops and issues standards, guidelines, and other publications to assist in managing cost-effective programs to protect the information and information systems of federal agencies. The resources that NIST provides are recognized and used by IT security, compliance, and risk management professionals in all industries as a standard for best practices.
NIST is one of the nation’s oldest physical science laboratories and it is part of the US Department of Commerce. Congress established NIST in 1901 to remove a major challenge to US industrial competitiveness at the time — a second-rate measurement infrastructure that lagged the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the United States economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
In the last 30 years, NIST has been a major force behind IT security initiatives. If you do business directly with the government, your contract may include technology requirements for compliance with cybersecurity standards. If you do business indirectly with the government (in service to a prime contractor or another subcontractor), you may also be required to meet certain cybersecurity standards.
With cybersecurity a focal point for all major industries, safeguarding federal supply chains is more important than ever.
Increasingly, cybersecurity laws are going into effect to encourage all businesses to adopt cybersecurity controls.
Companies that provide products and services to the federal government (either directly or indirectly through another supplier) may need to meet certain security mandates set by NIST.
NIST Special Publication 800-53 and NIST Special Publication 800-171 are two common mandates with which companies working within the federal supply chain will need to comply.
For many companies, especially small ones not directly doing business with the government, NIST 800-171 is their first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53.
The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).
For contracts that require NIST 800-171 compliance, all subcontractors working within the federal supply chain must meet compliance, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.
Unlike previous security mandates which only impacted prime contractors, NIST 800-171 was the first one to impact subcontractors.
Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes.
NIST compliance standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other government agencies or state agencies. This includes contractual agency relationships.
To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI), defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding.
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.
The requirements in NIST 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53, which covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary data protection for federal information and systems covered under FISMA (the Federal Information Security Modernization Act of 2014).
When you comply with NIST 800-171, you also meet most of the criteria for NIST 800-53, since NIST 800-171 is a subset of NIST 800-53.
To show compliance with NIST 800-171 and prepare for CMMC, contractors develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal.
These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).
You can meet compliance with NIST 800-171 using any of the following methods:
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard evolved from FAR clause 52.204-21. CMMC was created to increase the security posture of companies operating in government supply chains.
Version 1.0 was released in January 2020 and the creation of CMMC 2.0 was announced in November 2021.
The CMMC 2.0 document will not be available until the CMMC 2.0 rulemaking process is complete, which is expected to take 9-24 months from the time Version 2.0 was announced on November 4, 2021, although an overview of the CMMC 2.0 model was published in December 2021 as well as a mapping spreadsheet.
The Department of Defense has been in the process of gradually migrating from NIST 800-171 to the CMMC framework since January 31, 2020 when Version 1.0 of CMMC was published.
Unlike NIST 800-171 (which had a compliance deadline of December 31, 2017), there is no fixed deadline for when you need to be CMMC compliant. Instead, you will need to meet CMMC compliance when you want to work under a federal contract that requires it.
By October 1, 2025, all new DoD contracts will include CMMC requirements instead of NIST 800-171. This is expected to be a gradual process. Therefore, your CMMC compliance deadline is no later than October 1, 2025. Prior to that, you need to comply with CMMC in order to participate in any new contracts that include the CMMC requirements.
For contracts that include the CMMC requirement, you will not be awarded the contract if you are not certified at the applicable CMMC level at the time of contract award.
Although there are no NIST levels in NIST 800-171, the CMMC framework contains 3 maturity levels.
Although there were 5 levels in Version 1.0 of CMMC, that has changed to 3 levels with the announcement of CMMC 2.0.
Figure: from Acquisition & Sustainment, Office of the Under Secretary of Defense
DoD contracts will stipulate to which CMMC level (1, 2, or 3) a supplier must meet.
A subcontractor working for a prime or another subcontractor may not necessarily need to meet the same level as the contractor for which they are working. For example, to win a contract, a contractor may need to be at Level 2, but a supplier to that contractor may only need to be at Level 1.
The method to become certified to CMMC varies based on the level of CMMC you need to meet. The major distinction in CMMC certification is whether you are protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
FCI (Federal Contract Information) is information, not intended for public release, that the US government provides under a contract to develop or deliver a product or service to the government. It does not include publicly available information, such as information posted on websites.
CUI (Controlled Unclassified Information) is information the US government creates or possesses that a law, regulation, or government-side policy requires or permits an agency to handle using safeguarding or dissemination controls.
CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems.
If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”
CUI is unclassified information that is stored on “Covered Contractor Information Systems,” a term that refers to an unclassified information system that is owned by (or operated by or for) a contractor and that processes, stores, or transmits covered defense information.
Refer to “covered contractor information system” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a) and DFARS 252.204‑7012(b)(2)(ii)(B).
NIST 800-171 and CMMC provide a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.
When evaluating compliance with CMMC (or NIST 800-171), typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.
The 5 levels in CMMC 1.0 have been replaced with 3 levels in CMMC 2.0.
In CMMC 2.0, your method for CMMC compliance varies based on whether you are protecting FCI or CUI, and the priority of the program in which you are participating.
The levels in CMMC 2.0 are based on the security criticality of the information you receive when performing under a contract. Level 2 compliance is harder to meet than Level 1 compliance, and Level 3 compliance is harder to meet than Level 2.
Figure: from Acquisition & Sustainment, Office of the Under Secretary of Defense
Level 1 compliance of CMMC requires an annual self-assessment.
To meet CMMC Level 1, you comply with 17 cybersecurity best practices as specified in FAR Clause 52.204-21.
Level 1 companies are protecting FCI, not CUI, and can self-certify. Many small businesses in the Defense Industrial Base (DIB) will only need to meet Level 1 of CMMC.
To meet CMMC Level 1, you upload your assessment into the DoD Supplier Performance Risk System (SPRS) annually. Only senior company officials (CEO, CFO, etc.) can make the CMMC Level 1 attestation to SPRS.
Corserva can assess your compliance to the 17 controls and guide you in submitting your assessment results to the government.
Level 2 compliance of CMMC requires either an annual self-assessment or an outside assessment performed every three years.
The CMMC Accreditation Body (CMMC-AB) has stipulated that companies requiring an outside assessment will need to work with an accredited and independent third-party organization to perform a CMMC assessment. An assessment organization is called a “CMMC Third Party Assessment Organization” or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments and can be found on the website of the CMMC-AB.
To meet CMMC Level 2, you follow the 110 best practices identified in NIST SP 800-171.
Under certain limited circumstances, the DoD will allow POA&Ms to achieve certification.
Companies that can self-certify will be able to use POA&Ms as an acceptable form of remediation for certain CMMC practices. POA&Ms will not be allowed for the highest-weighted requirements of CMMC.
You write POA&Ms (Plans of Action with Milestones) to document controls with which you don't currently comply and how you plan to make changes to close those gaps in the future.
Assuming you take the correct approach when developing a POA&M, it can be a valuable tool to improve the company's security posture. Just don't fall into the trap of using a POA&M as a checkmark to compliance. Instead of a procrastination step, your POA&M should be a roadmap to compliance, clearly outlining what steps you plan to take in the future to fully meet compliance.
In addition to POA&Ms, System Security Plans (SSP) can also be helpful on the path to a stronger security posture.
Corserva can create POA&Ms and SSPs for you, as well as perform NIST 800-171 assessments.
A Certified 3rd Party Assessor Organization (C3PAO) is licensed by the CMMC Accreditation Body (CMMC-AB) to perform CMMC assessments. Only those companies listed as C3PAOs on the CMMC-AB Marketplace are authorized to perform C3PAO assessments.
Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO but has not yet completed the process.
Level 2 companies requiring a C3PAO assessment can comply with CMMC as follows:
Level 3 compliance of CMMC requires a government-led assessment every three years.
To meet CMMC Level 3, the company must meet more than 110 best practices based on NIST SP 800-172.
Figure: from Acquisition & Sustainment, Office of the Under Secretary of Defense
The CMMC-AB has introduced several roles in support of the CMMC framework.
C3PAOs, LTPs, and LPPs are licensed by the CMMC-AB.
CCAs and CCPs are certified by the CMMC-AB and must pass exams given by LTPs.
RPOs and RPs are registered with the CMMC-AB.
Companies and people with each of these roles are listed in the CMMC-AB Marketplace. If they are not listed there, they are not certified by or registered with the CMMC-AB.
Because CMMC is rolling out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation between the NIST 800-171 requirements and Level 2 of CMMC.
No existing contracts will have CMMC requirements inserted into them.
CMMC requirements will not be included in any contracts until the DoD completes CMMC 2.0 rulemaking.
Once the rulemaking process is complete (9–24 months from the November 4, 2021 announcement of CMMC 2.0), the requirement for CMMC can be included in new DoD contracts. By October 1, 2025, CMMC will be included in all DoD contracts.
For contracts requiring CMMC, the certification will be needed at the time of the award.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171.
CMMC Level 2 is equivalent to NIST 800-171.
Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant.
Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) on various government contracts. These entities will almost always have CUI on premises or in cloud-based or provider-based systems and applications.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products are not subject to CMMC requirements.
Compliance is not confined to prime contractors. The set of standards for compliance that are outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA, and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.
NIST 800-171 and CMMC not only apply to defense contractors directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.
You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance or CMMC. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).
The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.
(Even for companies not in federal supply chains, there can be advantages to companies who comply with a cybersecurity framework.)
No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.
Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by NIST 800-171 and CMMC.
For contracts that require subcontractors to meet NIST 800-171 compliance, you may or may not receive direct notification about your need to comply.
Some Corserva clients were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.
Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.
Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.
For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. Certification must be maintained throughout the duration of the contract.
If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").
NIST Special Publication 800-171 is broken out into 14 different security families of IT security requirements. (The 14 domains in the CMMC model align with these families.)
Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?
Are people properly instructed in how to treat this info? When it comes to CUI, are your employees aware of the security risks?
Are records kept of authorized and unauthorized access? Can violators be identified?
How are your networks and safety protocols built and documented?
What users are approved to access CUI and how are they verified prior to granting them access?
What’s the process if a data breach or security threat occurs, including proper notification? If there is an incident that puts data at risk, the DFARS 252.204-7012 clause stipulates that your partner must be notified.
What timeline exists for routine maintenance, and who is responsible?
How are electronic and hard copy records and backups safely stored? Who has access?
How are employees screened prior to granting them access to CUI?
Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?
Are defenses tested in simulations? Are operations or individuals verified regularly?
Are processes and procedures still effective? Are improvements needed? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are methods for measuring your security.
Is information regularly monitored and controlled at key internal and external transmission points?
How quickly are possible threats detected, identified, and corrected?
For NIST 800-171, within each of the 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)
The requirements for NIST 800-171 can be summarized into four main groups.
If you have a firewall solution in place, you may already have a lot of these areas covered.
Chances are good that you already have some mechanisms in place for 'control,' but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:
To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:
A technical design that segregates the systems used for CUI can be a cost-effective method to achieve compliance. A defined IT system boundary limits the scope of work to be done.
To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:
There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.
To meet the NIST 800-171 mandate, the security measures requirement dictates that you:
A lot of cloud-based backup solutions do not meet the NIST 800-171 requirements. Many software systems have native capabilities that, when configured properly, can address these security requirements.
The key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity; it’s an ongoing process where you continuously:
Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.
There are two factors that impact what compliance will cost an OSC: changes the OSC will need to make and the cost of any assessments.
Costs to comply with NIST or CMMC will vary based on the size of the organization, what technology you are already using, and how much CUI you have.
Meeting compliance objectives can require process changes and technology changes.
A computer security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.
Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.
An OSC can achieve NIST 800-171 compliance through self-attestation, requiring no third-party assessor, or use an outside provider to perform a NIST assessment.
For CMMC, the cost for potential assessments is based on which level of CMMC you need to meet.
The NIST assessment process should consist of three phases:
At the end of these phases you will have a compliance baseline. There are costs involved in becoming compliant, but you may not need to spend as much as you think.
Many companies already have some of the technology in place required for compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet compliance.
During the assessment process, your information systems environment, as it relates to specific CUI use cases, will be reviewed. You will be asked about different access scenarios. Your policies and procedures regarding IT systems (formal, informal, written) will also be reviewed.
For each requirement, the assessor will rate your company as fully compliant, partially compliant, or not compliant, and include supporting documentation as well as recommendations of what changes to make to become compliant.
Corserva performs NIST assessments for companies needing to meet NIST 800-171.
There are several things you can do to prepare for a CMMC assessment.
CMMC is all about the protection of Controlled Unclassified Information (CUI).
The first step you should take on the path to CMMC compliance is to determine where you have CUI. If a prime contractor or other subcontractor is sending you CUI, try to limit the amount of CUI you receive to only the data required for you to do your work.
The less CUI you have, the easier it will be to protect it.
For an IT system to be CMMC compliant, it must use FIPS validated cryptography to protect data at rest and in transit. A platform that uses FIPS validated cryptography has been submitted to the National Institute of Standards and Technology (NIST) for validation and certification. NIST maintains a list of FIPS validated cryptographic platforms.
When protecting CUI, using the correct processes is as important as the correct technology. You should take a lifecycle approach to security where you define your policies and specify approved procedures to manage CUI within a platform. Moving forward, you need to make sure you are monitoring and validating the systems, then periodically perform a management review.
Don't rush to purchase a compliance tool that purports to make it easy to achieve CMMC compliance. The best technology in the world won't help you if it's not configured properly. CMMC compliance is about technology and processes.
Just like buying a vacuum cleaner doesn't guarantee you will have a clean floor, buying a compliance tool doesn't guarantee you will pass a future audit.
Before purchasing any type of self-analysis tool intended to identify gaps where it is expected you will fall short during a future CMMC assessment, make sure you have the correct expertise in-house to use the tool. We frequently hear feedback from companies that were unable to make use of tools they purchased. Avoid wasting time and money on tools that don't get you much closer to passing a CMMC audit.
Once you have determined the CMMC level to which you need to certify, you can meet internally to identify gaps in your processes and systems that you know need to be corrected. Corserva can help you identify these gaps.
The best way to implement CMMC is to take a security lifecycle approach.
For those companies requiring an outside assessment by a C3PAO, here is a CMMC compliance checklist to meet the CMMC requirements.
Corserva can help you identify and remediate issues that should be corrected before a C3PAO assessment.
For contracts that require compliance with the NIST 800-171 mandate, you can achieve compliance on your own; there is no requirement for any type of outside, third-party assessment.
For assistance, there is a wealth of information available online, for free, including the NIST publications themselves.
Additionally, you can reach out to your local Procurement Technical Assistance Center (PTAC). There's one in every state. Manufacturers can also contact their local Manufacturing Extension Partnership (MEP).
Level 1 companies can self-attest to CMMC compliance annually.
Depending on whether the OSC is handling information critical to national security, some Level 2 companies can self-attest to CMMC compliance annually and some Level 2 companies will need a C3PAO assessment every three years.
Level 3 companies must undergo a government-led assessment every three years.
From the NIST assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress.
From NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:
Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.
Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.
The evidence you provide to show CMMC compliance depends on which of the three levels of CMMC you must meet.
NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance with NIST 800-171. But your contracts will be at risk.
There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.
If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.
If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at that time, including cybersecurity compliance.
For contracts with CMMC requirements, you will be unable to participate in the contract unless you meet the CMMC requirements. In other words, you will be ineligible for award of that contract.
There are no fines associated with non-compliance; however, you will be unable to participate in DoD contracts.
When getting started on becoming compliant with NIST 800-171 or CMMC, ask yourself these questions as a NIST compliance checklist.
Corserva can help you comply with NIST 800-171 or CMMC. We offer:
Corserva can prepare you for a CMMC assessment by a C3PAO.
Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.
As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).
Corserva has created an easy process to enable you to get ready for CMMC and protect your government contracts.
To prepare you for your CMMC assessment, these are the steps we follow:
The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.
Get started today by requesting a quote for CMMC consulting services.