NIST Compliance and CMMC

If you are a US defense or government supplier — or if you are a subcontractor selling to a government supplier — you may need to meet the NIST Special Publication (SP) 800-171 mandate or Cybersecurity Maturity Model Certification (CMMC). 

The Department of Defense is gradually transitioning from the NIST 800-171 mandate to the CMMC framework. By 2026, all new DoD contracts will require compliance with CMMC.

The contract under which you are working will tell you whether you need to meet NIST 800-171 or CMMC.

What does NIST stand for?

NIST, or The National Institute of Standards and Technology, develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a standard for best practices.

The NIST 800-171 Mandate

For many companies, especially small ones not directly doing business with the government, NIST 800-171 may be their first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53.

The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).

For contracts that require NIST 800-171 compliance, all subcontractors working within the federal supply chain must meet compliance, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.

NIST 800-171 Timeline

NIST 800-171 first became effective December 31, 2017. Revision 2 was published in February 2020.

Learn more in the blog post:
"Revision 2 of NIST SP 800-171 is Released"

Unlike previous security mandates which only impacted prime contractors, NIST 800-171 was the first one to impact subcontractors. Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other government agencies or state agencies. This includes contractual agency relationships.

NIST Guidelines

To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity of behalf of the government, that is unclassified, but needs safeguarding.

NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.

The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53, which covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary data protection for federal information and systems which are covered under FISMA (Federal Information Security Modernization Act of 2014).

When you comply with NIST 800-171, you also meet most of the criteria for NIST 800-53, since NIST 800-171 is a subset of NIST 800-53.

How to Comply with NIST 800-171

You can meet compliance with NIST 800-171 using any of the following methods:

1. Hire an outside vendor to perform a NIST 800-171 assessment.
2. Perform your own self-assessment and self-attestation.
3. Hybrid of the two methods.

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020.

Learn more in the blog post:
"CMMC Version 1.0 is Released"

Since 2020, the Department of Defense is in the process of migrating from NIST 800-171 to the CMMC framework.

CMMC is rolling out gradually and will eventually replace NIST 800-171 compliance. CMMC requirements are included in some RFPs, and by 2026, all new DoD contracts will require CMMC.

You can learn more about CMMC by reading the documents:

• Cybersecurity Maturity Model Certification (CMMC), Version 1.02
• CMMC Appendices

No More Self-Attestation

As stipulated by the CMMC Accreditation Body (CMMC-AB), the CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment. With the CMMC framework, there is no longer an option for self-attestation.

CMMC Levels

The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.

These levels will capture both security control and the processes that enhance a company's cybersecurity. DoD contracts will stipulate to which level (1, 2, 3, 4, or 5) a supplier must meet. A company will need to meet both the processes and practices to meet a given level.

A subcontractor working for a prime may not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 3 but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.

It is expected that most small businesses will need to meet either Level 1 or Level 2 of CMMC.

There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.

LEVEL 1 - Safeguard Federal Contract Information (FCI)

Level 1 Practices

• Firewall with monitoring
• Segment and control public facing connections
• Anti-virus
• Device inventory
• Software inventory
• User and access management
• Log and escort visitors
• Badges and keys
• Data disposal
• Update systems

Level 1 Supporting Documentation

• Acceptable Use Policy
• Access Control Policy
• Physical Security Policy
• Asset Management Policy

LEVEL 2 - Serve as transition step in cybersecurity maturity progression to protect CUI

Level 2 Practices

• CMMC Level 1 completion
• System event logging/retention
• Awareness and role training
• Hardware/software inventory
• Secure baselines
• Multi-factor authentication (MFA) for remote access
• Conduct, test, and encrypt backups
• Vulnerability scanning and remediation
• Identify unauthorized use
• Incident response procedures
• more...

Level 2 Supporting Documentation

• Vulnerability Management Policy
• Data Transfer Policy
• Incident Response Policy
• Password Policy
• Secure Baseline Procedures
• Change Management Procedure
• Teleworker Policy
• Data Classification Policy
• Information Security Policy

LEVEL 3 - Protect CUI

Level 3 Practices

• CMMC Level 2 completion
• 800-171 controls
• No POA&M items
• Offsite backups
• Centralized logging
• Risk assessments
• Continuous monitoring
• DNS filtering
• more...

Level 3 Supporting Documentation

• Social Media Policy
• CUI Handling Procedure
• Information Security Plan

LEVEL 4 - Protect CUI and reduce risk of Advanced Persistent Threats (APT)

Level 4 Processes: Reviewed

Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.

Level 4 Practices: Proactive

Practices protection of CUI from APTs. It includes NIST SP 800-171B and enhanced detection and response capabilities.

LEVEL 5 - Protect CUI and reduce risk of APTs

Level 5 Processes: Optimizing

Requires an organization to take corrective action towards improving process implementation across the organization.

Level 5 Practices: Advanced/Proactive

Increases the depth and sophistication of cybersecurity capabilities.

How to Comply with CMMC

The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments and can be found on the website of the CMMC Accreditation Body (CMMC-AB). Only companies listed in the CMMC-AB Marketplace in the C3PAO category are qualified to perform CMMC assessments.

With the adoption of CMMC, there is no longer an option for self-attestation to be eligible to participate in DoD contracts.

The process to achieve certification is as follows:

1. Determine the level of CMMC you want to meet (either based on future contracts on which you plan to bid or internal business goals).
2. Prepare internally to meet the selected standard. Identify gaps in your processes and systems. Corserva can help you prepare for CMMC.
3. Select a C3PAO from the CMMC Accreditation Body (CMMC-AB) Marketplace.
4. Engage a C3PAO to provide the assessment.
5. The C3PAO submits the assessment for review by the CMMC-AB.
6. The Certification is issued to your company, which is good for 3 years.

Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By 2026, all new DoD contracts will require CMMC.

Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation to NIST 800-171 requirements and Level 3 of CMMC.

No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts. The certification to win a contract will be needed at the time of the award.

You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.

NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal — to protect information.

Learn more in the guide:
"What You Need to Know About CMMC Compliance"

CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government. This is information that resides on your company’s internal systems.

If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. You may also see CUI referred to as “Covered Defense Information” — not to be confused with “Controlled Technical Information.”

CUI is Unclassified Information that is stored on “Covered Contractor Information Systems,” which indicates an unclassified information system that is owned (or operated by or for) a contractor and that processes, stores, or transmits covered defense information.

Refer to “covered contractor information system” as that term is defined in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (a) and DFARS 252.204‑7012(b)(2)(ii)(B).

NIST 800-171 and CMMC provide a set of guidelines that outline the processes and procedures that companies need to implement in order to achieve compliance in regard to controls around CUI. In working with several DoD contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”

As defined in the National Archives:

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Examples of CUI

Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI security requirements are not restricted to digital files; CUI can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”

Let’s say that during fulfillment of a federal contract, you receive an email with attached files from the agency with which you are doing business. That information (which is CUI) now resides on your company’s email system (potentially on that workstation’s hard drive) and must be protected. Likewise, if you develop proprietary information for the DoD or for a prime contractor, that information must be protected. If you receive printouts through the mail or by courier service, that information must be protected.

To comply with the NIST 800-171 mandate, companies must undertake a review, or assessment, of their critical infrastructure as it relates to CUI. To become certified to CMMC, companies must select an approved C3PAO to perform an assessment.

Typical systems to include are end user workstations and laptops, servers, storage devices, and network devices such as routers, firewalls, switches, wireless access points (WAP), and printers. Physical security may also need to be addressed.

It can become complex very quickly.

To show compliance with NIST 800-171 and prepare for CMMC, contractors develop and maintain formal documents for submission to DoD prime contractors or subcontractors upon contract initiation or renewal. These documents include a System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

Impact to CMMC

Although SSPs and POA&Ms will be of value to companies in strengthening their security posture, these documents are not sufficient for CMMC. In other words, having a written plan to meet compliance (but not yet executing that plan) is not sufficient for CMMC.

This more stringent requirement will be an advantage to those companies who do meet CMMC requirements. Companies that have developed a POA&M to meet all 110 controls in NIST 800-171 may not currently be meeting all of them. Before CMMC, those companies could compete with other companies who had taken the effort to meet all the controls. Therefore, meeting CMMC requirements will be a competitive advantage.

With CMMC, there is no option for self-attestation. The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment for certification. CMMC certification will be required at the time of contract award and must remain in effect for the duration of the contract. If a company's certification expires during the contract, the company will need to recertify to CMMC.

There is no POA&M with CMMC.

However, the development of SSPs and POA&Ms offers value to companies for internal planning purposes.

Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant.

Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.

Companies that solely produce Commerical-Off-The-Shelf (COTS) products are not subject to CMMC requirements.

Compliance is not confined to prime contractors. The set of standards for compliance that are outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA, and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.

NIST 800-171 and CMMC not only apply to defense contractors directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?

Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.

You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance or CMMC. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).

The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.

Is It Only Manufacturers That Must Comply?

No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.

Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, subcontractor, or another company further down the stream in the federal supply chain is impacted by NIST 800-171 and CMMC.

NIST 800-171

For contracts that require subcontractors to meet NIST 800-171 compliance, you may or may not receive direct notification about your need to comply.

Some manufacturers that Corserva has worked with were first notified as far back as May 2016. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 as of December 31, 2017. Notification can come directly via mail or email. Alternately, you might be notified via messages you see when logging into a portal that you use for procurement or order management.

Several of Corserva’s clients do not recall seeing any notification but have taken a proactive step to achieve compliance, knowing it is likely they will be asked about this eventually.

Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171. It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many companies who never received formal notification to comply.

CMMC

For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. Certification must be maintained throughout the duration of the contract.

If a contract requires CMMC, it will be included in the RFP in section C ("Description/specifications/statement of work") and section L ("Instructions, conditions, and notices to offerors or respondents").

NIST Special Publication 800-171 is broken out into 14 different security families of IT security requirements. (In CMMC, the requirements are called category domains and include 17.)

1. Access Control

Who is authorized to view this data? How do you control access to the CUI that resides in your organization (within your systems and within your operations)?

2. Awareness & Training

Are people properly instructed in how to treat this info? When it comes to CUI, are your employees aware of the security risks?

3. Audit & Accountability

Are records kept of authorized and unauthorized access? Can violators be identified?

4. Configuration Management

How are your networks and safety protocols built and documented?

5. Identification & Authentication

What users are approved to access CUI and how are they verified prior to granting them access?

6. Incident Response

What’s the process if a data breach or security threat occurs, including proper notification? If there is an incident that puts data at risk, the DFARS 252.204-7012 clause stipulates that your partner must be notified.

7. Maintenance

What timeline exists for routine maintenance, and who is responsible?

8. Media Protection

How are electronic and hard copy records and backups safely stored? Who has access?

9. Personnel Security

How are employees screened prior to granting them access to CUI?

10. Physical Protection

Who has access to systems, equipment, and storage environments? For example, if you have one office with a front door and back door, what kind of security do you have? This could include locks, access control systems, and video monitoring systems. What is the physical environment like within your facility where the data is housed?

11. Risk Assessment

Are defenses tested in simulations? Are operations or individuals verified regularly?

12. Security Assessment

Are processes and procedures still effective? Are improvements needed? Penetration testing and vulnerability assessments performed on an ongoing, regular basis are methods for measuring your security.

13. Systems & Communications Protection

Is information regularly monitored and controlled at key internal and external transmission points?

14. System & Information Integrity

How quickly are possible threats detected, identified, and corrected?

Summary of NIST Requirements

For NIST 800-171, within each of the 14 families are a set of basic security requirements and derived security requirements that must be assessed and verified. Across the 14 families, there are a total of 110 individual line items that must be verified. (For comparison, there can be up to 212 line items for NIST 800-53.)

The requirements for NIST 800-171 can be summarized into four main groups.

1. Controls – Data management controls and processes
2. Monitoring & management – Real time monitoring/management of defined IT systems
3. End user practices – Documented, well defined end user practices and procedures
4. Security measures – Implementation of defined security measures

If you have a firewall solution in place, you may already have a lot of these areas covered.

Controls Requirement

Chances are good that you already have some mechanisms in place for 'control,' but you may not know what they are, and you may not have implemented best practices in this area. If you have audit records such as system or network device logs specifically focused on access to CUI, you might already be halfway there to meeting the controls requirements. To meet the NIST 800-171 mandate, the controls requirement dictates that you:

• Assess and develop appropriate security controls
• Develop formal policies and procedures
• Create and maintain audit records regarding access to CUI
• Securely transmit data including encryption
• Encrypt data at rest

Monitoring & Management Requirement

To meet the NIST 800-171 mandate, the monitoring and management requirement dictates that you:

• Monitor and manage user access to information systems
• Authenticate users and utilize multi-factor authentication
• Establish an operational incident management process
• Patch critical systems and scan for vulnerabilities
• Deploy antivirus/malware solutions and monitor activity
• Monitor network traffic for malicious activity

A technical design that segregates systems used for CUI can be a cost effective method to achieve compliance. A defined IT system can limit the scope of work to be done.

End User Practices Requirement

To meet the NIST 800-171 mandate, the end user practices requirement dictates that you:

• Provide training and awareness to end users and system administrators on proper procedures for handling CUI
• Have management define and execute minimum password complexity compliance

There should be comprehensive documentation that describes how CUI is controlled by every department within the company. Computer usage policies and internet usage policies are also helpful.

Security Measures Requirement

To meet the NIST 800-171 mandate, the security measures requirement dictates that you:

• Assess and develop appropriate security controls
• Securely back up CUI
• Create and enforce policies to prevent unauthorized software
• Identify, track, and restrict access to network/application ports (firewall/systems)

A lot of cloud based backup solutions do not meet the NIST 800-171 requirements. There are native capabilities within many software systems that, when configured properly, can address these security requirements.

NIST 800-171 Overview

The key points to remember for how to meet the NIST 800-171 requirements are: controls, monitoring/management, end user practices, and security measures. Becoming NIST compliant is not a one-time activity, it’s an ongoing process where you continuously:

1. Assess – Evaluate the current situation
2. Design – Create the necessary changes in the system
3. Deploy – Implement those changes
4. Manage – Continue to manage the system to maintain compliance

Think of it as working towards a goal. Becoming NIST compliant involves documenting a plan, and then working to that plan.

The requirements for NIST 800-171 and CMMC have some similarities, especially at the first three levels of CMMC.

Each of the 17 domains across CMMC consists of a set of processes and capabilities across the 5 levels.

1. Access Control (AC)

• Establish system access requirements
• Control internal system access
• Control remote system access
• Limit data access to authorized users and processes

2. Asset Management (AM)

• Identify and document assets
• Manage asset inventory

3. Audit and Accountability (AU)

• Define audit requirements
• Perform auditing
• Identify and protect audit information
• Review and manage audit logs

4. Awareness and Training (AT)

• Conduct security awareness activities
• Conduct training

5. Configuration Management (CM)

• Establish configuration baselines
• Perform configuration and change management

6. Identification and Authentication (IA)

• Grant access to authenticated entities

7. Incident Response (IR)

• Plan incident response
• Detect and report events
• Develop and implement a response to a declared incident
• Perform post incident reviews
• Test incident response

8. Maintenance (MA)

• Manage maintenance

9. Media Protection (MP)

• Identify and mark media
• Protect and control media
• Sanitize media
• Protect media during transport

10. Personnel Security (PS)

• Screen personnel
• Protect CUI during personnel actions

11. Physical Protection (PE)

• Limit physical access

12. Recovery (RE)

• Manage backups
• Manage information security continuity

13. Risk Management (RM)

• Identify and evaluate risk
• Manage risk
• Manage supply chain risk

14. Security Assessment (CA)

• Develop and manage a system security plan
• Define and manage controls
• Perform code reviews

15. Situational Awareness (SA)

• Implement threat monitoring

16. Systems and Communications Protection (SC)

• Define security requirements for systems and communications
• Control communications at system boundaries

17. System and Information Integrity (SI)

• Identify and manage information system flaws
• Identify malicious content
• Perform network and system monitoring
• Implement advanced email protections

Costs to comply with NIST will vary based on the size of the organization, what technology you are already using, and how much CUI you have.

In general, assessments by an outside party for very small organizations can start in the $5,000 – $7,500 range. Costs will scale up based on number of employees, number of physical locations, and number of systems that must be assessed. When using an outside vendor, implementation of any changes needed to become compliant based on findings in the assessment will be priced separately.

The two main areas that will impact costs are processes and technology.

A computer security savvy organization may have already adopted processes that keep data secure. Those processes will need to be assessed. Based on any holes found, changes will be warranted. In this example, processes may only need to be adjusted slightly. Other organizations may need to adopt completely new processes.

Companies using modern workstations and the latest software will generally have less work to do than others with a low level of technology. Some organizations may need to make technology improvements such as upgrading to a next generation firewall, or configuring an existing firewall differently.

CMMC assessments can only be performed by a C3PAO organization listed on the CMMC-AB Marketplace. CMMC assessment costs will depend upon several factors including to which level the certification is needed.

It is expected that the costs businesses will incur for CMMC readiness efforts will be incorporated into overhead and recouped through the application of indirect rates for up to Level 3 certification.

You can find more information here.

The NIST assessment process should consist of three phases:

1. Business process review
2. Technical assessment of systems and networks
3. Data analysis

At the end of these phases you will have a compliance baseline. There are costs involved in becoming compliant, but you may not need to spend as much as you think.

Many companies already have some of the technology in place required for compliance, which can make the assessment less lengthy. In those cases, the assessment will focus on what process changes are needed to meet compliance.

Questions You Will Be Asked

During the assessment process, your information systems environment as relates to specific CUI use cases will be reviewed. You will be asked about different access scenarios. Your policies and procedures regarding IT systems (formal, informal, written) will also be reviewed.

For each requirement, the assessor will rate your company as fully compliant, partially compliant, or not compliant, and include supporting documentation as well as recommendations of what changes to make to become compliant.

Corserva performs NIST assessments for companies needing to meet NIST 800-171.

These are the steps you should take to meet the CMMC requirements.

1. Select which level of certification you need (1–5).
2. Within your organization, implement the CMMC practices and processes required for the CMMC level.
3. After implementation, evaluate if you are meeting the required CMMC practices and processes.
4. Select a C3PAO in the CMMC-AB Marketplace to perform a CMMC assessment.
5. The C3PAO assigns a Certified Assessor, and then performs the assessment of your organization.
   If there are any assessment findings, you will need to fix them first, before achieving certification.
6. After you pass the CMMC assessment, the C3PAO submits the assessment report to the DoD.
7. The C3PAO issues a CMMC certificate to you, which is valid for 3 years.

Corserva can remediate issues identified during an assessment.

We also offer CMMC readiness services to help you with steps #2 and #3 when preparing for a CMMC assessment.

NIST 800-171

For contracts that require compliance with the NIST 800-171 mandate, you can achieve compliance on your own - there is no requirement for any type of outside, third party assessment.

For assistance, there is a wealth of information available online, for free, including the NIST publications themselves.

• NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
• NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations

Additionally, you can reach out to your local Procurement Technical Assistance Center (PTAC). There's one in every state. Manufacturers can also contact their local Manufacturing Extension Partnership (MEP).

CMMC

For contracts that stipulate contractors must meet CMMC, you cannot achieve certification on your own. There is no option for self-attestation.

You will need to select an accredited C3PAO to perform a CMMC assessment.  

NIST 800-171

From the NIST assessment, you should produce a Plan of Action with Milestones (POA&M) and a System Security Plan (SSP) that describes how any unimplemented security requirements will be met and how any planned improvements will be implemented. These plans should include detailed milestones to measure your progress.

From NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:

Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.

Not only must you create these plans, you must implement these plans. Ideally, your plans will include implementation steps with scheduled dates of completion.

CMMC

For contracts that stipulate contractors must meet CMMC, you need to engage a C3PAO to perform an assessment for certification.

After the assessment, the C3PAO will submit the assessment to the CMMC Accreditation Body for review.

NIST 800-171

NIST is a non-regulatory agency of the US Department of Commerce. It's not as if auditors will storm your premises to see if you are in compliance with NIST 800-171. But your contracts will be at risk.

There are ramifications for not being compliant. If an auditor becomes aware that you have not achieved compliance, you can risk losing your existing contracts. If you are a prime contractor, your federal officer could ask you about your plan for compliance with the NIST 800-171 mandate (if they haven't already). If you are a subcontractor, you could be asked by your prime or sub at any time.

If you don’t become compliant with the NIST 800-171 mandate or have a plan in place to do so, you will be ineligible for any potential future contracts.

If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified within 30 days of contract award of any security requirements not implemented at the time including cybersecurity compliance.

CMMC

For contracts with CMMC requirements, you will be unable to participate in the contract unless you meet the CMMC requirements. In other words, you will be ineligible for award of that contract.

There are no fines associated with non-compliance; however, you will be unable to participate in DoD contracts.

Starting on the path to becoming compliant with NIST 800-171 or CMMC, there are several questions you should start thinking about.

About Your Business

Industry and people

• Is there an InfoSec policy in place?
• What physical security do you have?
• Have you done any type of cybersecurity assessments in the past?
• How many employees do you have?
• How many workstations (if not all employees have computers)?
• Is everyone in one location or do you have multiple locations?

About Your Assets

Workstations and networks

• What type of physical equipment do you have within your network?
• How many end user workstations?
• How many servers?
• What operating systems are you running?
• Is there any type of encryption in place?
• What are you using for email?
• Which applications are you using, both on-premise and cloud-based?
• Do you have any firewalls?
• How is your network connected to the internet?
• Do you have a DMZ (demilitarized zone)?
• How many printers do you have and how are they accessed?
• What are you doing for backup?

About Your Data

The format of data and how it is accessed

• How does CUI enter your organization and in what format?
• How many of your users have access to CUI?
• In which systems and applications is the CUI stored?
• How is CUI accessed by staff?
• How is CUI shared amongst staff?
• Is CUI accessed by remote staff?
• Is CUI transmitted to other entities, and if so, how?

Corserva can prepare you for a CMMC assessment by a C3PAO.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.

As an RPO, Corserva is authorized by the CMMC-AB to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC).

Corserva has created an easy process to enable you to get ready for a CMMC assessment and protect your government contracts.

To prepare you for your CMMC assessment, these are the steps we follow:

1. Identify the relevant requirements of CMMC you will need to meet.
2. Perform an "as is" gap analysis of your processes and security controls, identifying areas to be corrected.
3. Create a list of remediation steps to be taken prior to your certification assessment being performed by a C3PAO.

The end deliverable to you is a clear set of corrective actions to take before your CMMC assessment.

Get started today by requesting a quote for CMMC readiness.