What Every DIB Executive Needs to Know about NIST 800-171 and CMMC Compliance
The Cybersecurity Maturity Model Certification (CMMC) is a new standard created by the Department of Defense to improve the cybersecurity posture of the defense industrial base (DIB). As CMMC compliance becomes a requirement for bidding on a growing number of defense contracts over the next few years, DIB contractors need to be prepared to achieve and demonstrate CMMC compliance.
These are the 3 key things you need to know about NIST and CMMC compliance:
- Most DIB Contractors Require NIST and CMMC Compliance
- Competition for Auditors will Be Fierce
- Outsourced IT and Security Functions Impact CMMC Compliance
Most DIB Contractors Require NIST and CMMC Compliance
NIST 800-171 and CMMC are designed to ensure that companies are properly protecting controlled unclassified information (CUI) entrusted to them as part of defense contracts. According to a recent survey, 82% of DIB contractors handle or generate CUI.
Any DIB contractor with access to CUI likely requires at least Level 3 CMMC compliance. In other words, the 82% of DIB contractors that have access to CUI should anticipate being required to achieve at least Level 3 compliance.
Level 3 CMMC compliance equates to full compliance with NIST 800-171 plus some additional security controls derived from other standards. As of 2020, DIB contractors had fully implemented 53% of the NIST 800-171 security controls and were partially compliant with an additional 29%. This means that many DIB contractors still have considerable work to do before they achieve CMMC compliance.
Competition for Auditors will Be Fierce
One of the primary objectives of CMMC is to address lagging rates of NIST 800-171 compliance. NIST 800-171 allowed self-certification of compliance, meaning that many companies that claimed to be compliant actually were not.
CMMC mandates that organizations undergo a compliance audit by a certified third-party auditor. However, the process for certifying these auditors has been evolving, and more slowly than desired, and official CMMC compliance audits cannot begin until auditors have been certified.
In FY 2021, 15 “pathfinder” contracts will require CMMC compliance with a goal of certifying 1,500 contractors under Levels 1-3 of the CMMC. The combination of a tight timeline, high demand, and a limited supply of certified auditors means that engaging a certified auditor may be difficult and expensive.
Outsourced IT and Security Functions Impact CMMC Compliance
Over half of companies outsource IT and/or security functions to a managed service provider. This outsourcing provides a number of benefits, including lower cost, better security, and access to scarce cybersecurity talent.
CMMC is designed to secure the entire supply chain of the DIB. This means that an organization's third-party contractors are also required to be certified as compliant with the regulation.
To bid on contracts requiring CMMC compliance, which start this year, an organization needs visibility into its entire supply chain. This includes the ability to determine the required level of CMMC compliance for each vendor and whether that provider can pass, or has already passed, a third-party compliance assessment.
Preparing for CMMC Compliance
The narrow gap between the accreditation of the first CMMC auditors and the launch of “pathfinder” CMMC contracts means that organizations must be “audit-ready” when assessors become available. However, few DIB contractors are fully compliant with CMMC requirements.