9 June, 2021
A special publication from the National Institute of Standards and Technology (NIST) that outlines “recommended security requirements for protecting the confidentiality of CUI.”
It consists of 14 different “families” of security requirements that are divided into “basic” and “derived” levels of control. The general goal of NIST 800-171 is to ensure confidentiality of information rather than data integrity and availability.
The 14 families of NIST 800-171 are:
It’s an acronym for Cybersecurity Maturity Model Certification. This certification was created by the U.S. Department of Defense (DoD) in response to cybersecurity threats targeting the American Defense Industrial Base (DIB). The certification aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from being stolen or accessed by unauthorized persons.
That’s a lot of acronyms for a first paragraph, isn’t it?
Basically, it’s a new certification standard that businesses need to meet if they want to be able to take on contract work for a government entity (or work with other companies that act as government contractors).
You might be wondering: “Why is CMMC critical for my business? How does being NIST compliant help?” There are several reasons for a business to try to get a CMMC certification or fulfill NIST standards:
If your company works with the DoD, DoD contractors, or any other government agency or contractor, it will likely be a target for malicious actors looking to steal sensitive information or disrupt your operations. Some of the different types of threat actors you may encounter include:
Following security compliance standards like NIST 800-171 and CMMC can help businesses to defend against these malicious actors.
Download our cybersecurity checklist for a list of what to look for in a cybersecurity service provider and a questionnaire you can use to determine the cybersecurity services your business needs.
Download Now!Implementing new cybersecurity measures always has some cost attached to it. Even “free” security tools and training resources cost you time and effort to set them up. Effective security solutions may have a high price tag for licensing, installation, maintenance, etc.
With this in mind, what are the benefits of complying with security standards like NIST 800-171 and CMMC? A few basic business benefits include:
A data breach is an event where an unauthorized person gets access to sensitive data on a company’s systems or network. When these breaches are large enough, they can become industry headlines that expose the breached company to extensive public ridicule and possible sanctions from government agencies.
According to data from a study by IBM and the Ponemon Institute, the average cost of a data breach is around $3.86 million worldwide. In the USA, that average jumps to about $8.64 million per incident. So, if a company spends $1 million on cybersecurity and stops just one data breach, then they’re ahead by $2.86 to $7.64 million already.
Of course, this is just accounting for the direct costs of remediating a data breach. The indirect costs of a security breach, such as a loss of market share as customers look for alternative services that haven’t been breached by hackers, can massively inflate the impact of a breach.
Being able to prevent data security breaches is a major benefit of following cybersecurity guidelines. However, IT security may call for more than just basic IT compliance.
Not every business that works with the government can do everything they need to internally. Some contractors may need to work with other vendors to secure crucial supplies or to provide extra services outside their normal expertise.
This creates opportunities for businesses to become subcontractors, creating valuable revenue streams and helping build connections with new clients. So, being compliant with NIST 800-171 or CMMC requirements can be useful.
Companies that work with government agencies and need to subcontract work or find vendors for critical supplies and services often prefer to work with companies that already meet compliance standards. This makes meeting compliance standards a key competitive advantage for earning business from government contractors and vendors.
Even when not working for government agencies, some companies simply prefer to partner with vendors that have high security standards.
Third-party vendors can be a crucial security gap. “Supply chain attacks” that target vendors to get at the businesses they serve are a well-known fact among cybersecurity-savvy organizations. So, they may have fairly stringent security requirements for their vendors to avoid such vulnerabilities.
Being able to demonstrate compliance with government-grade security requirements can be a key differentiator when dealing with security-conscious companies.
However, this benefit can extend to B2C companies as well as B2B ones. As information about cybersecurity breaches and cyber threats become more common, consumers may become more concerned with security. Such consumers may research a company’s cybersecurity practices and check for records of past breaches before making purchase decisions.
In this case, having a long track record of cyber safety could help earn the business of concerned consumers.
For example, one study by Berkeley of consumers before and after being made aware of security flaws in popular products and apps showed that “consumers aware of the privacy flaws trust a company less.” In the study, consumers made aware of data privacy issues at Apple perceived the company as “significantly less trustworthy” immediately after the breach—though this perception faded somewhat when people were surveyed a year later.
Trust is one of the hardest resources to acquire, taking a long period of time to build through consistent action and success. However, it’s one of the easiest to lose with a single mistake.
There are a lot of terms related to NIST 800-171 and CMMC that are important to know. Here are some of the most important terms and brief descriptions for each:
CUI is defined by the Office of the Undersecretary of Defense Acquisition and Sustainment as:
“Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order.”
In other words, it’s information that isn’t considered classified under any specific government mandate, but still needs to be protected from illicit access. This is often because CUI includes sensitive information that may be useful to foreign intelligence agencies.
FCI is a catch-all term for any information that the U.S. government provides or generates under contract that isn’t intended to be released to the public.
A general term for any information that an organization stores or processes that can be used to identify an individual. Many data privacy standards reference PII and the need to protect it from illicit access.
If stolen, PII can be used to commit fraud that can be financially devastating—both for the organization whose data is stolen and the individuals identified through their PII.
In cybersecurity and compliance circles, the word “media” carries a different meaning from the usual. When mentioned in CMMC and NIST documentation, “media” typically is a reference to storage media, meaning assets like USB drives, hard disk drives (HDDs), solid state drives (SSDs), CDs, DVDs, floppy disks—basically anything that can hold data on it for future retrieval.
A supplement to the Federal Acquisition Regulation (FAR) that is administered by the Department of Defense. According to the Federal Register, DFARS “contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.”
As one of the security standards that the DoD administers, it is important for companies working with the DoD to meet DFARS requirements.
The defense industrial base is the collection of all the businesses that participate in the national (or global) defense industry. Consisting of hundreds of thousands of companies, the DIB enables research and development for military weapons and IT systems, components, and parts as well as managing the supply chain for various military-related applications.
This is sometimes referred to as the national technology and industrial base (NTIB) when talking about both domestic and global portions of the DIB.
Companies within the DIB are often a target for espionage by foreign agencies looking to learn more about America’s defense industry and capabilities.
A specific category of cybersecurity threat that attempts to hide its presence in infected systems as it collects sensitive data to send off to an attacker. APTs are often defined by their difficulty to detect and their ability to steal a lot of information over a long period of time.
In some cases, APTs may go undetected for weeks or even months as they infiltrate systems. This makes them extremely dangerous tools.
A document issued by government agencies to try to get potential vendors to issue bids. This document generally includes various criteria for the project to be completed or work to be done so companies can generate a realistic bid.
A document that requests information about a given industry that the government uses to inform its purchase decisions. This document is often used to gather info that is later used to generate a “request for proposal” document.
A general term for the policies, procedures, and tools that an organization uses to protect its data from being stolen or lost. Strong cybersecurity helps protect businesses from modern cyber threats like phishing attacks, malware, APTs, ransomware, DDoS attacks, and the like.
Some cybersecurity tools, such as disaster recovery solutions, can also help prevent data loss from accidental deletions or damage to critical infrastructure.
A security control is a tool, procedure, or other safeguard that helps an organization to detect, avoid, counter, or minimize the impact of a security risk or threat.
The DoD and other government agencies may require businesses to use specific security controls to counteract or protect against certain cyber threats. For example, NIST 800-171 specifies the use of access controls to limit the types of transactions users, processes, and devices can make—and to verify identities before allowing transactions to take place.
Examples of security controls can range from firewalls to antimalware tools, security incident and event management (SIEM) software, employee security awareness training, multi-factor authentication (MFA), and more.
A system security plan is, as noted by SANS, used to “provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.”
In other words, it’s a document that organizations use to describe their current and planned security tools, procedures, and role-based responsibilities for system users. An SSP can be an integral part of security compliance efforts.
A document that details specific tasks that need to be accomplished. It includes any resources required to accomplish the plan, specific milestones for different tasks, and scheduled completion dates.
As noted in the FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide, “The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk-mitigation activities in accordance with the [cloud service provider’s] priorities.”
A database meant for DoD acquisition agents that serves as “the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.”
SPRS supports acquisition professionals from the DoD by providing numerous pieces of information, including delivery scores and quality classifications, procurement risk data and assessments, company exclusion statuses, and the National Security System Restricted List, among other pieces of data.
An enterprise procure-to-pay (P2P) application for the DoD and supporting agencies. PIEE provides a variety of features that help automate the procurement process, reduce risk, and promote collaboration. Some of these features include:
A government cloud service from Microsoft that is meant to “meet the unique and evolving requirements of the United States Federal, State, Local, and Tribal governments, as well as contractors holding or processing data on behalf of the US Government.”
Also referred to as Office 365 Government, this tool is an overlay for the regular Office 365 service that “supports the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a High Impact level.” Users are screened via background checks to help maintain security compliance standards.
An organization that provides managed IT services on the behalf of other people or companies. MSPs can assume responsibility for a variety of IT functions for an organization—often for a fraction of the cost of having to hire an IT team to do the same things internally.
The specific services provided may vary from one MSP to the next, so it’s important to ask MSPs what services they offer before entering into an agreement. When government contractors work with MSPs, the MSP will need to be compliant with CMMC and NIST 800-171 guidelines.
Similar to an MSP, a managed security service provider offers outsourced services. However, their specific focus is typically on the monitoring, maintenance, and management of security tools, procedures, and systems.
MSSPs help organizations identify and close gaps in their security architecture to minimize data breach/loss risks, meet regulatory compliance standards, and keep security tools streamlined to reduce bloat that might interfere with business operations.
A department of the executive branch of the United States (and the largest U.S. government agency). The DoD’s mandate is to “provide the military forces needed to deter war and ensure our nation’s security.”
To this end, the Department of Defense works with numerous organizations to secure technologies, tools, and systems that enhance the effectiveness of America’s armed forces and can help prevent attacks against American interests.
Because of the sensitive nature of the DoD’s work, the department has enacted several data security standards, guidelines, and certifications that their contractors need to be compliant with.
The Office of the Secretary of Defense (OSD) is a part of the DoD that “is responsible for policy development, planning, resource management and program evaluation” for the DoD. The Office of the Under Secretary of Defense for Acquisition and Sustainment is a sub-department of this office specifically responsible for enabling the “Delivery and Sustainment of Secure and Resilient Capabilities to the Warfighter and International Partners Quickly and Cost Effectively.”
The OUSD(A&S) worked alongside key stakeholders in the DoD and the defense industry to develop the CMMC framework. CMMC specifically helps to address key resiliency and safety goals held by the OUSD(A&S).
The organization authorized by the DoD to “be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community.” If you want to achieve accreditation under CMMC, the CMMC-AB is the only DoD-approved and endorsed entity.
A C3PAO is an organization or individual that is authorized by the CMMC-AB to deliver CMMC assessments. C3PAOs need to apply for certification, a process that includes signing a license agreement, passing a background check, and passing at least a level 3 certification under CMMC standards.
An agency within the U.S. Department of Commerce that promotes technology and innovation that helps keep U.S. businesses competitive. It is also one of the USA’s “oldest physical science laboratories,” being founded in 1901.
The NIST often releases special publications that provide guidelines for ensuring basic cybersecurity protections in an ever-evolving threat environment. Examples include NIST 800-171 and NIST 800-53.
A rule within the Code of Federal Regulations (CFR) that is concerned with the “basic safeguarding of covered contractor information systems.” 48 CFR 52.204-21 calls on government contractors to meet 15 distinct security requirements and controls:
These security requirements are in addition to any other security rules that the contractor may be subject to. In other words, if your contract requires you to meet NIST 800-171 and CMMC, 48 CFR 52.204-21 doesn’t replace those requirements—you have to meet them all.
A document published by NIST defining a list of security controls for protecting sensitive information. As the Revision 5 version of the document states, NIST 800-53 “represents a multi-year effort to develop the next generation of security and privacy controls that will be needed” to accomplish objectives like making information systems more penetration-resistant and limiting the damage from cyberattacks.
NIST 800-53 defines 20 different families for security and privacy control:
If you compare this to NIST 800-171 and CMMC, you may notice significant overlap since these publications use many of the same security families. However, NIST 800-53 specifies some families for topics not found in 800-171 or CMMC.
A publication from the International Organization for Standardization (ISO), an organization that is often associated with quality and process management standards like the ISO 9000 series of publications. ISO/IEC 27001 provides requirements for an information security management system (ISMS) to help organizations protect sensitive information.
Although not specific to government security requirements, ISO 27001 standards can help businesses meet certain NIST and CMMC requirements.
A security guidance document from ISO that is more specifically tailored to cybersecurity. The ISO 27032 document provides an overview of cybersecurity, how it relates to other types of security, and a framework for resolving key cybersecurity issues.
The CMMC framework consists of 17 “domains” (which are similar to the “families” used by NIST 800-171) across five separate levels of maturity.
Each of the 17 CMMC domains has a specific set of “capabilities” that an organization needs to demonstrate to satisfy them. The 17 domains and requisite capabilities for each are:
|
Domain |
Capability |
|
Access Control (AC) |
|
|
Asset Management (AM) |
|
|
Audit and Accountability (AU) |
|
|
Awareness and Training (AT) |
|
|
Configuration Management (CM) |
|
|
Identification and Authentication (IA) |
|
|
Incident Response (IR) |
|
|
Maintenance (MA) |
|
|
Media Protection (MP) |
|
|
Personnel Security (PS) |
|
|
Physical Protection (PE) |
|
|
Recovery (RE) |
|
|
Risk Management (RM) |
|
|
Security Assessment (CA) |
|
|
Situational Awareness (SA) |
|
|
Systems and Communications Protection (SC) |
|
|
System and Information Integrity (SI) |
|
Of the 43 capabilities listed in the table, many can be further subdivided into specific practices that contribute to the organization’s overall cybersecurity matureness level.
CMMC processes and practices can be divided into five levels going from simply having “performed” some basic cybersecurity hygiene at the bottom of the pyramid to “optimizing” advanced or progressive cybersecurity measures at the top.
Here’s a graphic from the OUSD(A&C) document on CMMC to illustrate:
Each “level” of CMMC has a different focus:
An organization at level 1 of the CMMC model may be dealing with cyber threats and risks in an ad-hoc, undocumented manner. Additionally, their safeguards consist of only the most basic tools and practices from 48 CFR 52.204-21. So, process maturity isn’t really assessed for level 1 organizations.
At level 2, organizations have documented practices and policies for achieving cybersecurity maturity. The practices used for level 2 contain a part of the practices from NIST 800-171 and other standards to protect CUI.
To achieve level 3 maturity, organizations need to establish and maintain a plan showing how they manage security practices for CMMC implementation. It requires following all of the security requirements of NIST 800-171 to mitigate threats.
At level 4, organizations need to review and measure the effectiveness of their security controls and practices. This level focuses on dealing with APTs and protecting CUI from these threats—which entails using sophisticated threat detection tools like SIEM. It also means adapting to ever-changing threat techniques and tactics.
An extension of the level 4 processes for reviewing, level 5 requires organizations to standardize and optimize their implementation of improved security processes. Organizations at level 5 maturity have deep and sophisticated security and the documented processes to show it.
Each level of CMMC maturity has an increasing number of security practices that organizations must meet to satisfy.
If you’re wondering how to become a CMMC independent contractor or CMMC-certified organization, the process is relatively simple, though time-consuming.
First, determine what level of CMMC you want to certify for. The higher the level of certification you achieve, the more sensitive the type of work the DoD and other government agencies can entrust to you. This may mean being able to bid on work with relatively few competitors or bidding on higher-value contracts because of a limited selection of competitors.
However, aiming for higher-level certifications may also mean having to do more work to set up your cybersecurity measures.
After setting your CMMC maturity goal, take some time to run a gap analysis of your current cybersecurity processes and tools to compare them to your goal. This gap analysis can help you determine what specific improvements you need to make to line up with the security practices needed for cybersecurity maturity certification and help you identify the most efficient way to close any gaps.
It’s important to conduct this analysis before contacting a CMMC accreditation body or a C3PAO. Otherwise, you may not be able to make the required changes in time for the C3PAO’s assessment.
After recording any gaps between your current cybersecurity procedures and your desired CMMC level, implement changes to address those gaps. If not already in place, create a process for documenting those changes, their implementation, and projected/actual impacts.
This documentation can prove to be incredibly useful for proving compliance with CMMC standards (and other data security standards).
Go to the CMMC-AB’s marketplace to find an available C3PAO. From there, the C3PAO will schedule an assessment with one of their certified assessors.
While waiting for the assessment, it can help to re-review security controls in the organization and set up a plan for further improvements.
Once the assessment has been completed, the CMMC-AB will review it with their quality auditors to identify any potential deficiencies in the assessment. After receiving the assessment, you will have 90 days to resolve any issues that the C3PAO or the CMMC-AB have found.
Following the resolution of any issues, you can receive your certification from the CMMC Accreditation Body.
Meeting CMMC standards for the higher levels of implementation can be a challenge—especially since they mean meeting compliance requirements for a variety of security standards like NIST 800-171, 48 CFR 52.204-21, ISO 27001, and others.
Some basic tips for meeting CMMC and NIST compliance requirements include:
There is a lot of overlap between the different parts of NIST 800-171 and CMMC. For example, access control (AC) and identification and authentication (IA) both require organizations to have security tools for identifying users so access can be restricted to authorized personnel.
Finding tools that help verify identities, such as multi-factor authentication tools, can help satisfy both standards.
Asset management tools can be helpful for more than just the AM section of CMMC as well. With a comprehensive list of assets, organizations can identify security gaps and risks more easily. It’s also necessary to have a complete inventory of IT assets to make monitoring solutions more effective, since gaps in the inventory list may mean that some assets won’t be protected correctly.
A CMMC certification isn’t a “one and done” event. It’s a continuous cycle of managing cybersecurity controls, finding gaps, identifying threats, and implementing fixes that minimize risk.
After all, cyber threats are constantly evolving. No security system, regardless of how good it is, will be 100% future-proof. There’s always a new threat just around the corner to surprise the unwary.
So, conducting periodic self-assessments is a must for staying at the top level of CMMC maturity.
Becoming CMMC-compliant can be a complicated and difficult process. This is especially true if you’re trying for a higher-level certification. Achieving level 5 requires following 171 different practices. If any one element is missing from your cybersecurity strategy, you might miss the level of certification you’re aiming for.
So, working with a managed security service provider can be immensely useful. Why? Because, MSSPs often have extensive cybersecurity expertise available to them that can help you identify and close critical security gaps. By closing these gaps, you can bring your organization one step closer to CMMC certification.
Additionally, MSSPs may be able to recommend tools and solutions that allow you to satisfy multiple CMMC and NIST guidelines at once—streamlining security processes and tools to reduce bloat while improving safety and security for sensitive information.
One of the most important things to do for any government-related process is to document everything that you can. C3PAOs will want to review your written processes and records as a part of their maturity assessment.
Documenting processes also makes it easier to onboard new employees and make sure that they’re up to speed with your company’s security requirements. If your processes and procedures are documented, then you can introduce new hires to them and keep every person to a consistent and fair standard.
Besides, if you use a security control for a particular CMMC guideline, but don’t have any documentation to show for it, the DoD and other agencies aren’t likely to take it on faith. They won’t know how the control is being used or if it is being applied consistently.
As of the time of this writing, CMMC is still in version 1.0. However, considering the ever-evolving nature of cybersecurity threats, it is all too likely that this standard will be revised at some point in the future. The specific nature of these revisions is impossible to predict, but they are likely to require organizations that do the “bare minimum” to make frequent changes to satisfy new standards.
So, one of the best things any organization can do is to go above and beyond the minimum requirements for CMMC compliance and use protections that exceed the DoD’s suggestions. This not only helps ensure compliance with standards beyond CMMC, it can also help businesses protect themselves from new cyber threats.
Reach out to the team at Systems X to get started!
