What is NIST compliance?
NIST Special Publication (SP) 800-171 was designed to enhance the cybersecurity posture of companies participating in government supply chains.
As of December 31, 2017, DoD contractors and subcontractors that handle covered defense information were required (through the DFARS 252.204-7012 clause in their contracts) to comply with NIST 800-171. The Cybersecurity Maturity Model Certification (CMMC) was later created to add independent verification on top of that requirement.
What is NIST and NIST 800-171?
What does NIST stand for?
NIST, or The National Institute of Standards and Technology, develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a standard for best practices.
NIST is one of the nation’s oldest physical science laboratories and it is part of the US Department of Commerce. Congress established NIST in 1901 to remove a major challenge to US industrial competitiveness at the time—a second-rate measurement infrastructure that lagged the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the United States economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
In the last 30 years, NIST has been a major force behind IT security initiatives. If you do business directly with the government, your contract may include technology requirements for compliance with cybersecurity standards. If you do business indirectly with the government (in service to a prime contractor or another subcontractor), you may also be required to meet certain cybersecurity standards.
With cybersecurity a focal point for all major industries, safeguarding federal supply chains is more important than ever.
Companies that provide products and services to the federal government (either directly or indirectly through another supplier) may need to meet security requirements published by the National Institute of Standards and Technology (NIST) and made mandatory through contract clauses. NIST Special Publication 800-53 and NIST Special Publication 800-171 are the two publications companies working within the federal supply chain are most often required to follow.
The NIST 800-171 Mandate
For many companies, especially small ones that do not do business directly with the government, NIST 800-171 may be their first exposure to a compliance mandate set by the federal government. Prime contractors working directly with the government have long been accustomed to mandates such as NIST SP 800-53.
The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).
For contracts that require NIST 800-171 compliance, every subcontractor in the federal supply chain that handles the covered information must comply, whether it works for a prime or for another subcontractor.
NIST 800-171 Timeline
NIST 800-171 first became effective December 31, 2017. Revision 2 was published in February 2020. (Revision 3 was subsequently published in May 2024; the 110-requirement structure described below is that of Revision 2.)
Unlike previous security mandates which only impacted prime contractors, NIST 800-171 was the first one to impact subcontractors. Companies further down the federal supply chain have compliance requirements to which they need to adhere if they want to do work for primes. These NIST standards must be met by anyone who processes, stores, or transmits potentially sensitive information for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other government agencies or state agencies. This includes contractual agency relationships.
To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI), defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding.
NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.
The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53, which covers security controls for US federal information systems except those related to national security. The NIST security requirements and security controls have been determined over time to provide the necessary data protection for federal information and systems which are covered under FISMA (Federal Information Security Modernization Act of 2014).
NIST 800-171 is derived from a tailored subset of the NIST 800-53 moderate baseline, so complying with NIST 800-171 gives you a head start on NIST 800-53. It does not, however, satisfy most of NIST 800-53: the full publication contains many controls and enhancements that 800-171 deliberately leaves out (for example those that are the responsibility of the federal agency rather than the contractor).
How to Comply with NIST 800-171
You can meet compliance with NIST 800-171 using any of the following methods:
Hire an outside vendor to perform a NIST 800-171 assessment.
Perform your own self-assessment and self-attestation.
A hybrid of the two methods.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in government supply chains. Version 1.0 was released in January 2020, and a minor update to Version 1.02 in March 2020. The five-level model described in this section is that of CMMC 1.0; in November 2021 the DoD announced CMMC 2.0, which restructured the model into three levels.
Since 2020, the Department of Defense has been migrating from NIST 800-171 self-attestation to the CMMC framework.
CMMC is rolling out gradually and will eventually replace NIST 800-171 compliance. CMMC requirements are included in some RFPs, and by 2026, all new DoD contracts will require CMMC.
No More Self-Attestation
As stipulated by the CMMC Accreditation Body (CMMC-AB), the CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to perform a CMMC assessment. With the CMMC framework, there is no longer an option for self-attestation.
The CMMC framework contains 5 maturity processes and 171 cybersecurity best practices progressing across 5 maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding at Level 1, moving to the broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APT) at Levels 4 and 5.
These levels will capture both security control and the processes that enhance a company's cybersecurity. DoD contracts will stipulate to which level (1, 2, 3, 4, or 5) a supplier must meet. A company will need to meet both the processes and practices to meet a given level.
A subcontractor working for a prime may not necessarily need to meet the same level as the prime. For example, to win a contract, a prime may need to be at Level 3 but a supplier to a prime may only need to be at Level 1 if that supplier will never receive or touch information that needs to be protected.
It is expected that most small businesses will need to meet either Level 1 or Level 2 of CMMC.
There is a direct correlation between the NIST 800-171 requirements and Level 3 of CMMC: Level 3 contains all 110 NIST 800-171 requirements plus 20 additional practices, for 130 practices in total.
LEVEL 1 - Safeguard Federal Contract Information (FCI)
Level 1 Practices
Firewall with monitoring
Segment and control public facing connections
User and access management
Log and escort visitors
Badges and keys
Level 1 Supporting Documentation
Acceptable Use Policy
Access Control Policy
Physical Security Policy
Asset Management Policy
LEVEL 2 - Serve as transition step in cybersecurity maturity progression to protect CUI
Level 2 Practices
CMMC Level 1 completion
System event logging/retention
Awareness and role training
Multi-factor authentication (MFA) for remote access
Conduct, test, and encrypt backups
Vulnerability scanning and remediation
Identify unauthorized use
Incident response procedures
Level 2 Supporting Documentation
Vulnerability Management Policy
Data Transfer Policy
Incident Response Policy
Secure Baseline Procedures
Change Management Procedure
Data Classification Policy
Information Security Policy
LEVEL 3 - Protect CUI
Level 3 Practices
CMMC Level 2 completion
No POA&M items
Level 3 Supporting Documentation
Social Media Policy
CUI Handling Procedure
Information Security Plan
LEVEL 4 - Protect CUI and reduce risk of Advanced Persistent Threats (APT)
Level 4 Processes: Reviewed
Includes a review of past practices for effectiveness. This also includes notification of higher-level management of status or issues on a periodic basis.
Level 4 Practices: Proactive
Protects CUI from APTs. Draws on the enhanced requirements of draft NIST SP 800-171B (later published as NIST SP 800-172) and adds enhanced detection and response capabilities.
LEVEL 5 - Protect CUI and reduce risk of APTs
Level 5 Processes: Optimizing
Requires an organization to take corrective action towards improving process implementation across the organization.
Level 5 Practices: Advanced/Proactive
Increases the depth and sophistication of cybersecurity capabilities.
How to Comply with CMMC
The CMMC framework requires all companies seeking compliance to work with an accredited and independent third-party organization called a "CMMC Third Party Assessment Organization" or C3PAO. A C3PAO is trained and accredited to perform CMMC assessments.
What is CMMC Compliance?
Companies operating in federal supply chains need to be certified by a third-party organization (C3PAO) who will assess the company's level of compliance with Cybersecurity Maturity Model Certification (CMMC). DoD contracts specify to which level a company must comply (levels 1-5). By 2026, all DoD contracts will include CMMC instead of NIST 800-171.
With the adoption of CMMC, there is no longer an option for self-attestation to be eligible to participate in DoD contracts.
The process to achieve certification is as follows:
Determine the level of CMMC you want to meet (either based on future contracts on which you plan to bid or internal business goals).
Prepare internally to meet the selected level. Identify gaps in your processes and systems and close them before engaging an assessor.
Select a C3PAO from the CMMC Accreditation Body (CMMC-AB) Marketplace.
Engage a C3PAO to provide the assessment.
The C3PAO submits the assessment for review by the CMMC-AB.
The Certification is issued to your company, which is good for 3 years.
The Overlap of NIST 800-171 and CMMC
Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. By 2026, all new DoD contracts will require CMMC.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. There is a direct correlation between the NIST 800-171 requirements and Level 3 of CMMC, which contains all 110 NIST 800-171 requirements plus 20 additional practices.
No existing contracts will have CMMC requirements inserted into them. The potential for CMMC requirements is only with new future contracts. The certification to win a contract will be needed at the time of the award.
You should think of NIST 800-171 as the foundation for CMMC. There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements. CMMC levels 1-3 encompass the 110 security requirements specified in NIST 800-171. There are 171 total practices across the five levels in CMMC.
NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal — to protect information.
CUI is defined as information created by the government, or by an entity on behalf of the government, that is unclassified but needs safeguarding. It is information that is sensitive and relevant to the interests of the US and potentially its national security; although it is not classified, it requires safeguarding or dissemination controls under law, regulation, or government-wide policy. In practice this is information that ends up residing on your company's internal systems.
If you are a prime contractor (or a subcontractor), you may be logging into a portal and downloading information (such as a mechanical drawing) that is then stored on your internal systems. In DoD contracts you will also see the DFARS term "Covered Defense Information" (CDI); "Controlled Technical Information" (CTI) is one category of CUI that falls within CDI, so the terms overlap rather than conflict.
CUI held by a contractor is stored on "Covered Contractor Information Systems": unclassified information systems that are owned by, or operated by or for, a contractor and that process, store, or transmit covered defense information.
Who Needs to Comply with NIST & CMMC?
Entities that deal with government controlled unclassified information must comply with NIST 800-171 or CMMC, depending on the contract. If you are in the federal supply chain, there is a high probability that you need to be compliant.
Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors (or that sub for prime contractors) for various government contracts. These entities will almost always have CUI on premise or in cloud based or provider based systems and applications.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products are not subject to CMMC requirements.
Compliance is not confined to prime contractors. The set of standards for compliance that are outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA, and other federal or state agencies. This includes contractual agency relationships and flows down to subcontractors. There are negative ramifications for not being compliant that can include the loss of customers.
NIST 800-171 and CMMC not only apply to defense contractors directly selling to the government, but to any subcontractor selling to a government supplier. And even if today you do not currently provide parts for any supplier serving the government, do you really want to count yourself out of any future opportunities to sell to a supplier who does serve the government?
Typically, prime contractors are notified by the DoD directly that they need to be in compliance with NIST 800-171 or CMMC. Flow down clauses within the contract will stipulate that any subcontractors of the prime also need to comply. For many subcontractors, this is their first experience with NIST 800-171/CMMC and they are unsure how to proceed.
You should ask any of your own service providers or subcontractors if they have security controls put in place and how close they are to achieving NIST compliance or CMMC. Through the flow down clause within a contract, you have a responsibility to determine what security deficiencies are in the supply chain through any partners you deal with (such as manufacturers and IT providers).
The good news for companies that embark on the effort to meet NIST 800-171 or CMMC is that it provides a competitive advantage over companies that have not. Also, a side benefit of becoming compliant with NIST 800-171/CMMC is that once you do, you have also made significant progress on the path to comply with NIST 800-53, another competitive advantage. Once you meet NIST 800-171/CMMC, you can contact your customers to let them know, and ask them if they know if all their suppliers are compliant.
Even for companies not in federal supply chains, there can be advantages to complying with a cybersecurity framework.
Is It Only Manufacturers That Must Comply?
No, although a majority of companies that must comply with NIST 800-171 or CMMC are manufacturers.
Meeting government regulations is a challenge in every industry, and manufacturing is no exception. But remember, anyone who deals with CUI must comply. This can include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. Any company doing business with a prime contractor, a subcontractor, or another company further down the federal supply chain is affected by NIST 800-171 and CMMC.