Background: NIST SP 800-171 and NIST SP 800-53
If you are currently conducting business with the US government, directly as a contractor or indirectly as a subcontractor, you’re probably familiar with the requirement to comply with the NIST SP 800-171 and NIST SP 800-53 information security guidelines. As detailed in our blog ‘Why Use NIST 800-53?’, NIST SP 800-53 stands for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This critical standard provides a set of guidelines designed to make it easier for federal agencies, contractors and subcontractors to meet the requirements of the Federal Information Security Management Act, or FISMA.
NIST SP 800-53 seeks mainly to increase the security of information systems used by the federal government. To put it simply, NIST 800-53 establishes standards and guidelines designed to help U.S. government agencies understand how to architect and implement information security systems.
NIST SP 800-171, on the other hand, outlines the requirements that a non-government computer system (used by a contractor or subcontractor) must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.
As the threat landscape continues to evolve, systems used by the U.S. government become increasingly popular and attractive targets for cyber attacks (due to the sensitive and critical nature of the information they store), and organizations have been forced to take the steps needed to protect the integrity of their systems and the data within them. Unfortunately, many government contractors and subcontractors, particularly those serving the Department of Defense, are believed to be out of compliance. Some of these companies have already been hit with penalties under the False Claims Act (FCA) for misrepresenting their cybersecurity preparedness. But the pursuit of penalties under the FCA is a reactive approach to achieving compliance with NIST 800-53. With an estimated 300,000 companies subject to the cybersecurity regulation, the imposition of after-the-fact, one-off FCA penalties is impractical for the US government.
Introduction of the Cybersecurity Maturity Model Certification (CMMC)
To address the issue of broad-based non-compliance, the US Government will, through CMMC, use accredited auditors to proactively verify contractor and subcontractor compliance with NIST SP 800-171. CMMC outlines a 5-tier certification model for government contractors to ensure they establish the controls needed to protect sensitive data, including Federal Contract Information and Controlled Unclassified Information (CUI).
CMMC has been crafted from the guidelines outlined in several cybersecurity frameworks, primarily NIST SP 800-171 and NIST SP 800-53, with others including ISO 27001 and ISO 27032. The 17 CMMC control families, known as “Domains”, include the following:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Security
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
Many of the controls within these Domains can be crosswalked to other cybersecurity frameworks. Organizations that already certify against other frameworks may be able to streamline their CMMC certification.
CMMC Also Introduces New Risks
The 5 certification tiers in CMMC range from basic controls, likely appropriate for smaller subcontractors, to highly sophisticated, state-of-the-art controls, likely appropriate only for the largest, strategic contractors. This introduces a new challenge, especially for the many contractors that fall in the middle. What is the appropriate level of certification? Those that aim too high may overshoot and end up with unnecessary overhead. Those that aim too low may come up short and put their government contracts or subcontracts at risk.
Regardless of the certification level, all government contractors and subs with access to sensitive data must be certified or risk losing their government business. With CMMC, there is no self-certification. Government contractors and subs that fall under the auspices of NIST SP 800-171 and CMMC must work with an accredited auditor to undergo and pass a scored assessment.
When CMMC is implemented, it will create a certification standard that government contractors and subcontractors must pass to bid on or participate in a government contract.
What is the CMMC timeline?
As of the posting of this blog, RFIs from the government are expected to include CMMC stipulations in June of 2020. RFPs are expected to include CMMC stipulations in September of 2020.
Listen to our webinar: NIST SP 800-171 & CMMC: Minimize Your Risk of Losing Business Opportunities
Download our CMMC compliance guide.
Visit the Office of the Under Secretary of Defense (OUSD) site for additional information.