The Law: What Obligations Your Company Is Responsible for Regarding NIST and CMMC Compliance
NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) are both cybersecurity regulations geared towards the defense industrial base (DIB). NIST 800-171 compliance is already in place, and CMMC compliance will be rolling out to all contracts over the next several years. To be eligible to bid and work on these contracts, companies need to achieve and demonstrate compliance with these regulations.
NIST and CMMC Compliance Accreditation
Under DFARS Clause 252.204-7012, any DIB contractor handling sensitive unclassified information is required to implement the security controls outlined in NIST 800-171. Compliance with NIST 800-171 is based on self-accreditation, meaning that organizations are trusted to certify that they have implemented the required controls.
Lagging compliance with NIST 800-171 inspired the DOD to create the CMMC. The requirements of the CMMC are inspired by NIST 800-171 and other cybersecurity standards. Unlike NIST 800-171, the CMMC mandates that a contractor pass a third-party compliance assessment by an auditor approved by the CMMC Accreditation Body (CMMC-AB).
Requirements for NIST and CMMC Compliance
NIST 800-171 and other cybersecurity standards were the inspiration for the CMMC. While compliance with many standards is “all or nothing”, CMMC is designed to have multiple levels promoting growth toward improved cybersecurity.
CMMC has 5 Levels of compliance, and all contractors and subcontractors on a defense contract requiring CMMC compliance must achieve a certain level of compliance. The level of compliance required is determined by the contract and the contractor’s role within it.
For example, all subcontractors will be expected to achieve a minimum of Level 1 CMMC compliance; however, any access to controlled unclassified information (CUI) requires Level 2 compliance.
Eventually, the DOD wants most contractors to achieve Level 3 compliance, which is roughly equivalent to full compliance with NIST 800-171. However, some prime contractors may need higher levels of compliance—such as Levels 4 and 5— based on the particular contracts they are working on.
Achieving CMMC and NIST Compliance
Compliance with NIST 800-171 requires attestation by the company, while compliance with CMMC requires attestation by a third-party auditor. This attestation states that the contractor has achieved full compliance with all the required controls mandated for the desired level of compliance.
The required controls for the NIST 800-171 and CMMC standards are publicly accessible. However, many organizations struggle with achieving compliance. In fact, a 2020 study by Sera Brynn found that contractors implemented an average of 53% of the controls required by NIST 800-171. While this may go overlooked for self-certified NIST 800-171 compliance, CMMC compliance requires a third-party audit.
The tight CMMC timeline means that many organizations wishing to bid on “pathfinder” contracts that require CMMC compliance in FY 2021 will need to do much of the work themselves. Certification of CMMC assessors will not begin until sometime in Summer 2021, leaving little time to assess the compliance of the 1,500 contractors that the DOD wants to be certified in 2021.
For organizations wishing to start their journey toward full NIST and CMMC compliance, Hyper Vigilance offers a readiness inspection. This helps organizations to identify and correct any security gaps and lacking controls that could impede CMMC certification. To learn more about achieving CMMC and NIST compliance and how Hyper Vigilance can help, contact us.