Everything Government Contractors Need to Know About CMMC and NIST 800-171

Although it was released in January 2020, and after many delays, the new Cybersecurity Maturity Model Certification (CMMC) has not yet been enforced in contracts from the Department of Defense or any other agency. This is expected to change this month, following updates to the Defense Federal Acquisition Regulation Supplement (DFARS). While contractors have until then to prepare for compliance reforms, many are still unaware of CMMC, DFARS, or how they both relate to a single document: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

In this article, we’ll review the basics of SP 800-171, explain how it relates to CMMC, and show why every federal contractor handling Controlled Unclassified Information (CUI) needs to be compliant.

NIST 800-171: What Is It?

Since 2017, any federal contractor working with the Department of Defense (DoD) has been required to comply with the standards outlined in SP 800-171, formally titled Protecting Unclassified Information in Nonfederal Information Systems and Organizations. Based on the more comprehensive SP 800-53, the document outlines strict rules for systems that handle sensitive information and data that does not merit a “classified” designation.

NIST 800 and CMMC

CUI is broad in scope, encompassing almost any data – scientific, financial, or operational – exchanged in the course of a government contract. Since compliance with NIST 800-171 was rolled into DFARS – a supplement to the FAR rules – it has been adopted by state and federal agencies outside the Defense Department, including GSA, NASA and others.

Full compliance with SP 800-171 entails the implementation of a System Security Plan (SSP) covering every system that handles CUI during a contract, including email, FTP, content management platforms (CMPs), cloud platforms, project collaboration tools and more. Earlier this year, a minor revision (Rev. 2) to the publication was released, but the basic security requirements in chapter 3 were not affected.

NIST 800-171: Why Does It Matter?

The vulnerability of protected information has been a growing national security concern. Federal agencies are under constant attack from Advanced Persistent Threat (APT) groups and other malicious actors who may represent foreign adversaries attempting to gain an advantage over the United States. In recent times, these threat actors have shifted their attention to the massive Defense Industrial Base, seeking opportunities to steal and otherwise exploit the sensitive information handled by government contractors.

Just this March, a Colorado-based aerospace firm fell victim to a ransomware attack which exposed data from customers including Lockheed Martin, General Dynamics, Boeing and SpaceX. Such incidents go to show that – without adequate security controls – the supply chain of federal services can easily be compromised, representing a threat to the businesses that are targeted, their clients, and ultimately the government.

There is a good reason CUI is a protected asset under ITAR, right alongside military technology, arms and services: information is power, and that power becomes deadly in the hands of an enemy. Contractors entrusted with CUI or any other form of sensitive information must handle it responsibly to protect themselves and their customers, and that is the ultimate purpose of regulations like NIST 800-171.

How CMMC Changes NIST 800-171 Compliance

In light of evidence that a woefully small percentage of defense contractors were actually complying with NIST 800-171, the DoD began rolling its security requirements into the CMMC in 2019. The first major change is that self-assessment will no longer be enough: after October, contractors will be required to undergo third-party review to demonstrate their compliance with DFARS.

While that means organizations will have to tighten up their compliance strategy, a second development will make the burden easier to bear: a single compliance standard will no longer be applied to all defense partners. Under CMMC there are five security levels and – while all require NIST 800-171 to be followed to some degree – that degree changes between levels:

  • Level 1 Basic Cyber Hygiene – requires basic safeguarding of information systems, encompassing 17 security requirements listed in NIST 800-171.
  • Level 2 Intermediate Cyber Hygiene – requires an additional 55 controls for the protection of CUI, for a total of 72 security practices.
  • Level 3 Good Cyber Hygiene – adds 58 security practices, bringing the total to 130 practices. Contractors at this level must document each practice and establish a plan for maintaining compliance.
  • Level 4 Proactive – at this level, contractors must review and measure their practices, share findings with upper management, and establish response procedures for changing adversary techniques. A total of 156 security practices, including new ones from Rev. 2.
  • Level 5 Advanced – at this level, all previous requirements must be met, and contractors must have a standard process to defend against Advanced Persistent Threats (APTs).

After the pending updates to the DFARS rule, compliance with NIST 800-171 will extend to second- and third-party businesses and vendors working with a Defense contractor, and – at level 3 and beyond – the contractor will be required to ensure that its partners are compliant. Consequently, DFARS requirements will soon extend to a much larger group of businesses than those working directly with the DoD.

How to Prepare

Since many businesses will have to comply with NIST 800-171 even if they are not working directly with the Defense Department or other agencies, we recommend that they prepare to comply with as much of the regulation as possible. To that end – in conjunction with a copy of CMMC V.1 – they may consult NIST Handbook 162 to conduct a self-assessment before taking on contracts under CMMC.

However, while self-assessment is a useful tool for preparation, it won’t be enough in the long run: before you are vetted by a third party, consider partnering with veteran cybersecurity experts to make sure that your organization is meeting the requirements set down by NIST and the DoD.

To become NIST SP 800-171 compliant and avoid costly violations, organizations must take security seriously, take stock of their IT assets, and fix vulnerabilities before they can be exploited. With a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!