How Does CMMC Compliance Align with NIST SP 800-171?

Every contractor that works with the United States Department of Defense is entrusted with managing sensitive information and is required to protect that information based on its classification. Companies can confirm their commitment to data protection by adhering to the foundational standards that define the cybersecurity requirements of the Defense Industrial Base (DIB). The Cybersecurity Maturity Model Certification (CMMC) outlines what DoD contractors must do in order to verify the effectiveness of their work processes. For contracts that only handle FCI, your safeguarding measures need to be aligned to FAR Clause 52.204-21 with CMMC Level 1. For those contractors that handle both FCI and controlled unclassified information (CUI), your organization most likely needs to comply with CMMC Level 2; that is where NIST SP 800-171 comes in. CMMC defines the framework and assessment structure, NIST SP 800-171 outlines the security requirements specifically for protecting CUI.

Compliance with NIST SP 800-171 and CMMC Certification demonstrates proof to the United States Government that the information you are entrusted with is handled properly and shielded from bad actors as much as possible. Read on to learn how CMMC and NIST SP 800-171 align to mitigate risk and what that alignment means for your compliance strategy.

What is NIST SP 800-171?

The National Institute for Standards and Technology (NIST) created the Special Publication (SP) 800-171 framework to detail the requirements and cybersecurity best practices of any non-federal organization that handles CUI or other sensitive federal information. The 800-171 was first published in 2015 to protect the federal supply chain and enhance national security. It has been revised several times since then to stay up-to-date with ever evolving cyberthreats. CMMC has been codified to NIST 800-171 Rev. 2.

The NIST SP 800-171 is comprised of 110 security controls broken down into the following 14 security families:

1. Access Controls – Implement access control measures to ensure that only authorized individuals and devices can access Controlled Unclassified Information (CUI), following the principle of least privilege and incorporating zero trust principles.

2. Awareness and Training – Staff members should be educated and trained on the latest cybersecurity risks and security measures, both in general awareness and role-specific training. This should also include how to identify threats.

3. Audit and Accountability – Implement logging to monitor and record system activity, enabling the detection, investigation, and analysis of unauthorized access or anomalies. All active systems need to have an audit trail to hold individuals responsible for data access, storage, and handling.

4. Configuration Management – Any piece of software or hardware that is utilized should have configurations that prioritize cybersecurity and alignment with related NIST requirements, even as new updates and firmware are released. This includes approving and documenting changes, applying the principle of least functionality, controlling configuration settings, and monitoring for unauthorized alterations using automation where feasible.

5. Identification and Authentication – Every instance of a user, device, or process that attempts to access your systems should be clearly identified before accessing your systems. Implement multifactor authentication for both privileged and non-privileged accounts and protect against credential reuse. Use secure credentials and monitor access behaviors to maintain integrity.

6. Incident Response – Prepare an incident response plan to keep your team prepared for a data breach or other incidents if they occur. The plan should include preparation, detection, analysis, containment, recovery, and user response.

7. Maintenance – Each organization should maintain ongoing security and change management to ensure systems are serviced securely and without exposing Controlled Unclassified Information (CUI) to unauthorized individuals or threats.

8. Media Protection – Ensure that any media devices, both digital and physical, containing CUI have NIST-compliant controls to protect valuable data. This includes limiting access to authorized personnel and enforcing restrictions.

9. Physical Protection – Only allow authorized personnel to visit on-site spaces where CUI is housed. Control entry using keycards or biometric access, log and monitor visitor activity, and manage physical access devices like keys and badges.

10. Personnel Security – Each party with access to CUI must go through a NIST-compliant screening process that trains them to identify and prevent insider threats. Companies must also have procedures in place to protect their private data if someone leaves the job for whatever reason, minimizing the risk of unauthorized access by former employees or contractors.

11. Risk Assessment – Create a risk assessment strategy to form a CUI risk profile for your organization. This strategy should be to conduct formal assessments to determine the potential impact and likelihood of security events affecting CUI. Use results to prioritize and implement appropriate controls, ensuring that risk responses align with the organization’s risk tolerance and mission requirements.

12. Security Assessment – Review your security procedures to confirm that they are working as intended. A current and accurate System Security Plan (SSP) detailing how security requirements are met and updated is key. Develop and track Plans of Action and Milestones (POA&Ms) for unimplemented controls and periodically review security policies and controls to ensure continued compliance.

13. System and Communications Protection – Verify the reliability of internal and external communications systems by enforcing boundary protections such as firewalls and proxies, encryption of data in transit and at rest, and the use of secure protocols for communication sessions. Enforce strict access controls at system boundaries and validate the authenticity of communications to prevent unauthorized access and manipulation.

14. System and Information Integrity – Any flaws or vulnerabilities in your information systems should be reported and repaired as soon as possible. Make sure systems operate correctly and unauthorized changes are detected by employing measures like real-time malware protection, security alerts, and system monitoring. Maintain system logs to identify anomalous activities and support incident detection and response, thereby ensuring the reliability and trustworthiness of information systems.

What is CMMC 2.0?

The first version of CMMC was published in 2020 to hold contractors and subcontractors accountable with firm cybersecurity requirements that define how they should operate. Version 1.0 was made of 5 maturity levels, with each one demonstrating a greater level of technical expertise and workplace maturity. In 2021, the DoD updated its guidelines to launch CMMC 2.0. The new model condensed those 5 tiers into 3 to streamline the adoption process and bring CMMC requirements more in line with modern threat assessments. Here is an overview of the three levels that comprise CMMC 2.0:

• Level 1 (Foundational) describes the use of basic cybersecurity measures to safeguard FCI.

• Level 2 (Advanced) focuses on the protection and management of CUI. Organizations at this level must document their processes to earn CMMC certification.

• Level 3 (Expert) stipulates that companies must build advanced systems and strategies to protect their data from advanced persistent threats (APTs) to the defense supply chain.

Each CMMC level demands different amounts of internal and external assessments. Yearly self-assessments are permitted for Level 1 and some Level 2 organizations, but other Level 2 contractors also require a review from an accredited CMMC Third Party Assessment Organization (C3PAO) on a triannual basis. To maintain CMMC Level 3 compliance, companies must undergo a government-led assessment every three years.

How CMMC and NIST SP 800-171 Align

CMMC 2.0 is based largely on NIST SP 800-171, so it makes sense that the two guidelines share many similarities. Here is how both cybersecurity standards work in concert to maintain high-level protections of sensitive data:

• Scope – The 110 security controls are included in the requirements for CMMC Level 2.

• Level of Enforcement – NIST SP 800-171 is mandated by DFARS Clause 252.204-7012 for any contractor handling CUI. CMMC will become mandatory based on contract requirements once fully implemented, as per 32 CFR Part 170 and 48 CFR Part 204, along with related DFARS clauses.

• Assessment – Self-assessments are allowed for NIST, CMMC Level 1. CMMC Level 2 allows for self-assessments for certain contracts, while others require third-party C3PAO assessments depending on whether CUI is involved and the criticality of the contract.

• Security Domains – NIST SP 800-171 has 14 security families, all of which map directly onto CMMC 2.0.

• Compliance Requirement – To comply with NIST SP 800-171, contractors must follow the requirements outlined in DFARS Clause 252.204-7012. This includes implementing the necessary security controls and being prepared for DoD assessments. For CMMC, organizations must meet both DFARS requirements and complete additional CMMC-specific assessments, which may involve self-assessments or third-party audits depending on the contract. While both CMMC and NIST SP 800-171 aim to protect CUI, they also diverge in certain ways that make each standard necessary. NIST SP 800-171 lays out the “what” — the cybersecurity requirements your organization needs to implement. However, it stops short of verifying whether those controls are actually in place. That’s where CMMC 2.0 comes in. It builds on NIST 800-171 by adding the “how”, a formal assessment and certification process to ensure compliance. Specifically, CMMC Level 2 aligns with all 110 controls across the 14 security families defined in NIST SP 800-171, but also adds either self-assessment or third-party certification based on the sensitivity and scope of the contract.

In short, NIST sets the standard. CMMC verifies you’re meeting it.

Key Security Controls That Overlap

As pillars of the cybersecurity platform, CMMC and NIST SP 800-171 have many security controls in common. Check out the handy table below.

How to Prepare for CMMC & NIST SP 800-171 Compliance

Even as CMMC and NIST SP 800-171 lay out what is expected of a compliant organization, perpetuating that compliance can be difficult for a number of reasons. Poor documentation, faulty infrastructure, and poor staff training can all increase the risks associated with your systems. To put your company in the best position to demonstrate total compliance, follow these steps:

• Determine what level of CMMC certification fits your organization’s goals by reviewing your contract requirements.

• Review your cybersecurity practices to confirm that they meet the NIST SP 800-171 requirements.

• Gather all the documentation needed to pass an audit such as your SSP, POAM, and any other risk assessments previously conducted.

• Engage with a CMMC third-party Registered Provider Organization (RPO). RPOs are trained and registered to deliver guidance to organizations seeking assessment (OSAs). RPOs help perform structured gap analyses against CMMC or NIST SP 800-171, highlighting what you’re doing right and where you fall short.
  At Agile IT, we build actionable remediation plans designed to position your organization for a smooth C3PAO engagement.

• Craft an overall security plan that emphasizes CMMC and NIST compliance. The SSP is the core document detailing how an organization implements the NIST SP 800-171 requirements and is a required part of a successful CMMC assessment.

• Produce audit trail evidence to track your progress towards compliance and show C3PAOs that you are accountable for your actions. This includes logs, policies, procedures, and tracking tools.

Conclusion

There is no way for any company to be fully compliant with data protection regulations without investing in CMMC 2.0 and NIST SP 800-171. The two cybersecurity frameworks are directly tied together and reinforce the importance of managing CUI. The compliance process can take some time and requires a lot of collaboration, organization, and documentation to avoid any issues. If your organization needs any support in achieving its compliance goals, Agile IT is here to help.

We offer numerous services, such as AgileDefend and AgileThrive, , that can all improve the level of security within your company from multiple angles. Our team is adept at helping contractors of all sizes develop, maintain, and sustain compliance strategies for the foreseeable future. If you are interested in working with us or would like to schedule a free consultation, please contact us today.