CMMC 1.0 vs. NIST 800-171: Important Differences
The US Department of Defense (DoD) supply chain is a prime target for cybercriminals and hostile nations looking to steal and expose sensitive government information. These threats led to the creation of the Defense Acquisition Federal Regulation Supplement (DFARS) in December 2015. DFARS is a set of cybersecurity standards designed to protect controlled unclassified information (CUI) from cyberthreats.
DFARS requires DoD contractors and subcontractors to comply with a set of security regulations or risk facing penalties and losing their contracts.
What is NIST 800-171?
NIST 800-171 is a set of guidelines and cybersecurity best practices designed to help DoD contractors improve their cybersecurity measures. It's divided into four core areas:
The NIST framework features five functions vital to managing cybersecurity risks. They are:
- Identify – Identify cybersecurity risks to data, assets, and systems.
- Protect – Create and implement safeguards to ensure critical infrastructure services are not disrupted.
- Detect – Create and implement policies to detect cybersecurity anomalies and events.
- Respond – Create and implement policies for containing potential cyberthreats.
- Recover – Create and implement policies to restore services affected by a cybersecurity event.
Categories are specific tasks you must carry out for each of the five functions. For example, to protect your infrastructure from data breaches, you need to implement access control policies and install antivirus software.
Subcategories are tasks related to each category. For instance, if your category is updating all your software, your subcategory will be making sure that all your computers have the auto-update feature switched on.
- Informative Sources
These are documents and policies that outline how specific tasks should be done. Take the example above. You should have available documents on how to enable auto-updates on your computers.
The CMMC Framework: The Move to Third-Party Certification
The Cybersecurity Maturity Model Certification (CMMC) framework is a security standard that uses a five-level tiered system that determines the maturity of a DoD contractor based on its ability to protect sensitive government information from cyberattacks. Each level builds on each other's requirements. The five levels of the CMMC framework are:
Level 1: Basic Cyber Hygiene
This level involves performing basic cybersecurity practices such as changing passwords and using antivirus software to protect federal contract information (FCI).
Level 2: Intermediate Cyber Hygiene
Contractors should document their cybersecurity policies and best practices to protect CUI. This level implements some security requirements found in NIST 800-171 Rev. 2.
Level 3: Good Cyber Hygiene
Contractors must implement all NIST 800-171 Rev. 2 security requirements and best practices to ensure the safety of CUI at all times.
Level 4: Proactive Cyber Hygiene
This level requires contractors to have sufficient cybersecurity measures in place to reduce the risk of advanced persistent threats (APTs).
Level 5: Advanced/Progressive Cyber Hygiene
At this level, contractors must have a highly effective and adaptive cybersecurity program capable of dealing with the most sophisticated threats.
All DoD contractors and subcontractors must get a CMMC certification before bidding for government contracts. And unlike DFARS, where self-certification is permitted, the CMMC framework requires contractors to be audited by certified third-party assessor organizations (C3PAOs) accredited by the CMMC accreditation body. Having a third-party organization conduct the audit will ensure contractors applying for CMMC certification meet all specified requirements.
NIST 800-171 vs. CMMC 1.0: Key Differences
CMMC 1.0 offers updated guidelines to help contractors and subcontractors meet the requirements found in NIST 800-171. However, some contractors are asking what's the difference between NIST 800-171 and CMMC. While both are designed to enhance the cybersecurity posture of contractors, there are key differences between NIST 800-171 and CMMC 1.0.
- CMMC 1.0 Certification Requires Third-Party Assessment
Under NIST 800-171, contractors could self-certify and claim that their companies comply with all the NIST standards. Contractors applying for CMMC certification must first be audited by a C3PAO. This is to prevent false claims of compliance and ensure contractors applying for certification meet all CMMC requirements.
- CMMC 1.0 Compliance Is Required to Win DoD Contracts
DoD contracts with CMMC requirements cannot be awarded to contractors and subcontractors who are not CMMC certified.
- CMMC 1.0 Come with Three Additional Domains
- CMMC 1.0 Is Scalable
NIST 800-171 offers controls at only one level, with additional enhancements for extra protection. CMMC 1.0, on the other hand, uses specific levels of compliance, which contractors need to meet to be certified at a particular level. The five maturity levels used by the CMMC 1.0 framework allow contractors to scale their certification up or down depending on the security protocols they need.
For example, all DoD contractors should be at least Level 1 certified. This means that Level 1 contractors must implement 17 NIST 800-171 controls required for that level. If a contractor works with more sensitive information, the DoD assigns a new CMMC level to that contractor. That contractor must implement additional NIST controls over the ones it already has to meet the requirements of that specific CMMC level.
- CMMC 1.0 Focuses More on Cyberthreats
Both NIST 800-171 and CMMC 1.0 emphasize the need for audits, access control, configuration management, and personnel security. However, CMMC 1.0 also focuses on cyberthreat intelligence, cyberthreat alerts, and situational awareness. This helps contractors develop more efficient security protocols for identifying and managing various cyberthreats.
Do You Need to Be Both NIST 800-171 and CMMC 1.0 Certified?
Since the release of the CMMC framework in January 2020, contractors have been asking if they need to comply with both NIST 800-171 and CMMC 1.0. The answer is yes. NIST 800-171 is not enough to address the growing number of cyberthreats against DoD contractors, which is why the CMMC framework was created. However, contractors need to implement various NIST controls before they can be CMMC certified. As previously mentioned, CMMC compliance is now required for contractors to bid and win DoD contracts.
If your company is not yet CMMC certified, a managed IT services provider like Charles IT will help you achieve certification. We'll perform a gap assessment to identify potential danger spots and areas of weakness in your company's cybersecurity processes. Our IT experts will then provide you with a remediation plan to ensure you pass your CMMC audit. Fill in the gaps in your business’s cybersecurity, starting with a gap assessment.