What is the Relationship Between CMMC and NIST 800-171?

CMMC, RMF, FedRAMP, NIST 800-171, NIST 800-53, DFARS… a lot of terms, documents and requirements are thrown around when it comes to federal and defense contracting. Many of these items overlap to help contractors guarantee compliance and security, but without a clear understanding of their relationships, it’s easy to lose sight of the forest for the trees.

Here, we’ll cover some of the complications related to the upcoming CMMC migration for DoD contractors. This includes a comparison of CMMC against NIST 800-171 and DFARS, and what that means for contractors now and in the future. 

What is NIST 800-171?

Special Publication 800-171 from the National Institute of Standards and Technology is an official document of recommendations specifying the controls and processes best suited for protecting Controlled Unclassified Information (CUI).

Briefly, CUI is a special classification of data in government agencies, specifically related to the Department of Defense (DoD), the Executive Branch and the Defense Industrial Base (DIB) more broadly. It is defined as “government-created or owned information that requires safeguarding… consistent with applicable laws, regulations and government-wide policies.” That is, CUI isn’t classified and as such doesn’t have the same controls implemented to halt disclosure. It has been designated as important, however, and as such demands its own set of cybersecurity protocols.

What’s important about NIST 800-171 is that it is required by agencies, contractors and subcontractors working with the DoD or in the DIB. Accordingly, the Defense Federal Acquisition Regulation Supplement (DFARS) sets guidelines for compliance for external contractors as to how they must meet NIST 800-171 recommendations to work with defense agencies. 

Under NIST 800-171 and DFARS, contractors must implement various cybersecurity controls across 14 key areas, which are:

  • Access Control: Identity and Access Management and authorized use
  • Awareness and Training: Administrative controls for training on the handling of CUI
  • Audit and Accountability: Audit trails for data access and monitoring
  • Configuration Management: Documentation and building of secure networks and systems
  • Identification and Authentication: Authorizing users and providing verification services for data access
  • Incident Response: Plans and capabilities for breach response and remediation
  • Maintenance: Routine maintenance plans and processes
  • Media Protection: Safe storage and backup of electronic data
  • Physical Protection: Physical protection against data access at locations like workstations and data centers
  • Personnel Security: Screening and auditing employees before accessing CUI
  • Risk Assessment: How risk is managed and planned through processes like simulations and system verifications
  • Security Assessment: Continual auditing and remediation of security systems
  • System and Communication Protection: Regular monitoring of data transmissions across a system and to third parties
  • System and Information Integrity: Continual threat detection and remediation

Based on these categories and their handling of CUI, contractors must adhere to the cybersecurity best practices (sometimes called “cyber hygiene”) to protect this data as part of a working relationship with defense agencies. 

What is CMMC and How Does it Define Cyber Hygiene?

The Cybersecurity Maturity Model Certification (CMMC) is a new compliance framework released in conjunction with the DoD and other agencies like the General Services Administration (GSA) and NASA. 

This framework was implemented to provide a compliance vehicle for assessing alignment with NIST 800-171 controls. What that means is that NIST sets the standards for security, but CMMC defines the types of audits and assessments you need to demonstrate to the government that your organization is suitable for handling CUI.

Briefly, CMMC breaks compliance into three levels which measure the level of cyber hygiene (here measured in the number of controls needed to protect increasingly sensitive CUI) and capabilities (organizational abilities to perform critical security measures). These break down as follows:

  1. CMMC Level 1: Basic cyber hygiene (15 security controls) plus the ability to implement them. 
  2. CMMC Level 2: Full implementation of NIST 800-171 (110 controls). The minimum level to handle CUI.
  3. CMMC Level 3: Advanced implementation from both NIST SP 800-171 and SP 800-172 (134 controls) to mitigate complex challenges like Advanced Persistent Threats (APTs).

As you might notice, this is a “maturity model” in which your organization’s capabilities are measured based on how they’ve advanced within the compliance framework. At the higher levels, your organization is viewed as more mature concerning cybersecurity and thus capable of managing CUI.


What are the Differences Between CMMC, DFARS, and NIST 800-171?

With all this being said, there are specific differences between CMMC, DFARS, and NIST 800-171 that are good to know when discussing DoD cybersecurity:

  • NIST 800-171 is the document containing technical compliance recommendations. This foundational document outlines the controls and practices agencies will look for under compliance audits. This document defines CUI for security, and it is what your organization will be compared against for certification purposes.
  • DFARS, as a compliance framework, calls for contractors to perform self-assessments against all 14 points of the NIST 800-171 specification. As part of this standard, the contractor must devise their own System Security Plan (SSP), a Plan of Action and Milestones (POAM) and a CUI Environment Management Team (CEMT). While contractors perform self-assessments, the DoD can, and often does, audit several hundred organizations annually.
  • CMMC is built to help protect CUI, specifically within the Defense Industrial Base (DIB) supply chain. It creates several levels precisely to determine an organization’s fitness for different types of data. Additionally, CMMC requires an assessment from certified third-party assessment organizations (C3PAOs). This creates a more objective form of security and compliance assessment that didn’t exist before outside of the DFARS Interim Rule. 

DFARS can help your organization become CMMC compliant, but the intended goal of CMMC is to take over from DFARS with a more complete, logical and sustainable compliance standard. 


Continuum GRC and Automated CMMC Audits

Continuum GRC has helped organizations in commercial, industrial and government markets meet their compliance requirements with fast and accurate automation tools. With years of experience in compliance and security through frameworks like HIPAA, FedRAMP and SOC 2, we have built a comprehensive cloud platform to transform your compliance efforts, turning what would normally take weeks or months into something that can happen in days. 

If you are an enterprise business or an SMB preparing to enter the DIB space, or if you are a company that needs support for continuous monitoring and security management, partner with an organization that can automate compliance and security to protect your valuable infrastructure, meet your regulatory obligations and ensure high-level security. Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about our ITAMs auditing and compliance tools.


Continuum GRC