Soon, all contractors working with the U.S. Department of Defense (DoD) will be required to align their cybersecurity practices with the final version of the Cybersecurity Maturity Model Certification (CMMC). Understandably, many contractors don’t fully understand where the need for yet another cybersecurity compliance standards comes from, and they would like to know how CMMC differs from NIST SP 800-171, with which it shares many similarities.
NIST SP 800-171 Versus CMMC
To explain how CMMC is different from other cybersecurity compliance standards, it’s useful to take a short walk down the memory lane and review their developmental stories.
NIST SP 800-171, or National Institute of Standards and Technology Special Publication 800-171, was developed in response to the Federal Information Security Management Act (FISMA), a United States federal law passed in 2002 that recognized the importance of information security to the economic and national security interests of the country. Compliance with this standard is currently required by some DoD contracts via DFARS clause 252.204-7012.
To further strengthen the cybersecurity and resilience of DoD, DCI (Defense Critical Infrastructure), DIB (Defense Industrial Base), the President signed Executive Order 13800 in May of 2017, which resulted in an update to the DoD Cyber Strategy. This update raised the bar putting in place a verification mechanism intended to ensure those working with CUI have in place sufficient cybersecurity practices to prevent the information from leaving their networks.
Both NIST SP 800-171 and CMMC protect CUI, but each of these cybersecurity compliance standards approaches this goal differently.
Tiered Approach to Cybersecurity
NIST SP 800-171 is essentially a one-size-fits-all standard. The original version specified 110 security controls, many of which were unreasonably difficult for small DoD contractors to comply with. For example, Control 3.14.6 essentially requires contractors to implement a security information and event management (SIEM) solution because it requires organizations to “to “monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.”
On the other hand, CMMC introduces a tiered approach to cybersecurity compliance by mapping security controls to one of five maturity levels, spanning from “Basic Cybersecurity Hygiene” to “Advanced” depending on the security measures and processes:
- CMMC Level 1: 17 Controls (mapped to Federal Acquisition Regulation (FAR) 52.204-21)
- CMMC Level 2: 72 Controls (covering 65 percent of the NIST 800-171 CUI controls)
- CMMC Level 3: 131 Controls (covering 100 percent of the NIST 800-171 CUI controls)
- CMMC Level 4: 157 Controls
- CMMC Level 5: 173 Controls
This way, contractors that represent minimal risk can certify only to one of the two lower levels, whose requirements they most likely already meet.
Under NIST SP 800-171, contractors didn’t have to pass any official certification process to prove that they have the ability to protect CUI. While some behaved responsibly and took cybersecurity seriously, many simply submitted a plan for how compliance would eventually be achieved and that was it.
This is changing with CMMC, which requires contractors to be certified by official assessment organizations, called CMMC 3rd Party Assessment Organizations (C3PAOs). These organizations will be licensed by the CMMC Accreditation Body (CMMC-AB), which was established in January 2020 to train, test, and license up to 10,000 C3PAOs.
NIST SP 800-171 was presented by the DoD as a competitive advantage in the tender process, but today’s cybersecurity landscape demands a different approach, one that doesn’t depend on contractors voluntarily strengthening their defenses to protect sensitive information from malicious third-parties and unintended public disclosure.
To work with the DoD in the future, all contractors will eventually be required to obtain a CMMC certification from a C3PAO. The DoD has already begun including minimum certification requirements in requests for information in select requests for proposals, and all contractors will soon need to get certified by an accredited C3PAO in order to bid on new work.
NIST SP 800-171 Versus CMMC Level 4 & 5
For CMMC Level 4 and 5 there are 157 and 173 controls, respectively. These two numbers significantly exceed the 110 controls found in NIST 800-171 because they include controls from multiple other cybersecurity compliance standards, including CERT RMM v1.2, NIST 800-53, NIST 800-171B, ISO 27002, CIS CSC 7.1, NIST’s Cybersecurity Framework (CSF), and FEDRAMP.
These additional controls were included in CMMC Level 4 and 5 to ensure proactive protection against advanced persistent threats (APTs), which typically involve continuous and sophisticated hacking techniques used by nation-state or state-sponsored group with the objective of gaining access to a computer network and remaining undetected for an extended period.
In a way, CMMC is the first cybersecurity compliance standard with teeth. By requiring all DoD contractors who work with CUI to eventually obtain a CMMC certification, it finally unifies the implementation of cybersecurity across the defense industrial base, helping prevent unintended release of CUI located on contractors’ information systems. The good news is that many DoD contractors already meet all the requirements for their CMMC level because of the significant overlap with NIST SP 800-171.
To learn more about how your organization can become CMMC audit ready contact OSIbeyond today!