Your Guide to DoD Compliance: NIST 800-171 and CMMC

You might be wondering: “Why is CMMC critical for my business? How does being NIST compliant help?” There are several reasons for a business to try to get a CMMC certification or fulfill NIST standards:

• To Try to Win Government Contracts. Being CMMC compliant is going to be a basic requirement for bidding on government contracts where CUI will be involved. If a business isn’t certified, then it will likely not be able to earn contracts in the future. Companies looking to secure DoD contracts, in particular, will need to satisfy CMMC requirements or risk losing potentially lucrative contracts. 
• To Improve Internal Cybersecurity. Many of CMMC’s requirements can help organizations of all sizes and industries improve their cybersecurity. This can be useful for guarding against the countless threats businesses face from malware, DDoS attacks, corporate espionage, and more.
• To Keep Serving Other Businesses. Even if your company doesn’t do business with the government directly, it could still do business with other organizations that do. In this case, your business clients may insist on you meeting CMMC DoD standards. To remain a vendor for these clients, achieving certification is a must.

What Kinds of Threats Does My Business Face as a DoD Contractor?

If your company works with the DoD, DoD contractors, or any other government agency or contractor, it will likely be a target for malicious actors looking to steal sensitive information or disrupt your operations. Some of the different types of threat actors you may encounter include:

• Corporate Espionage Agents. While illegal, there are some companies out there that may try to steal your organization’s critical data—especially data for your intellectual property (IP)—so they can recreate your services for cheaper or gain other competitive advantages.
• Political Activists (Hacktivists). Some political groups and hacker communities may target businesses working with government agencies. They may do this because they object to some political policy or because targeting such organizations helps them promote their own political agenda. Either way, hacktivism groups can prove to be very disruptive to government agencies, contractors, and their vendors.
• Foreign Espionage. Foreign governments are more likely to target businesses that handle information related to U.S. government organizations or elected individuals—regardless of their industry. For example, Marriott/Starwood, a hotel chain, was once targeted by “a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans” (Source: The New York Times).

Following security compliance standards like NIST 800-171 and CMMC can help businesses to defend against these malicious actors.

Implementing new cybersecurity measures always has some cost attached to it. Even “free” security tools and training resources cost you time and effort to set them up. Effective security solutions may have a high price tag for licensing, installation, maintenance, etc.

With this in mind, what are the benefits of complying with security standards like NIST 800-171 and CMMC? A few basic business benefits include:

Preventing Potential Data Breaches

A data breach is an event where an unauthorized person gets access to sensitive data on a company’s systems or network. When these breaches are large enough, they can become industry headlines that expose the breached company to extensive public ridicule and possible sanctions from government agencies.

According to data from a study by IBM and the Ponemon Institute, the average cost of a data breach is around $3.86 million worldwide. In the USA, that average jumps to about $8.64 million per incident. So, if a company spends $1 million on cybersecurity and stops just one data breach, then they’re ahead by $2.86 to $7.64 million already.

Of course, this is just accounting for the direct costs of remediating a data breach. The indirect costs of a security breach, such as a loss of market share as customers look for alternative services that haven’t been breached by hackers, can massively inflate the impact of a breach.

Being able to prevent data security breaches is a major benefit of following cybersecurity guidelines. However, IT security may call for more than just basic IT compliance.

Getting Opportunities to Work with Government Contractors

Not every business that works with the government can do everything they need to internally. Some contractors may need to work with other vendors to secure crucial supplies or to provide extra services outside their normal expertise.

This creates opportunities for businesses to become subcontractors, creating valuable revenue streams and helping build connections with new clients. So, being compliant with NIST 800-171 or CMMC requirements can be useful.

Companies that work with government agencies and need to subcontract work or find vendors for critical supplies and services often prefer to work with companies that already meet compliance standards. This makes meeting compliance standards a key competitive advantage for earning business from government contractors and vendors.

Building a Reputation for Secure Business Practices

Even when not working for government agencies, some companies simply prefer to partner with vendors that have high security standards.

Third-party vendors can be a crucial security gap. “Supply chain attacks” that target vendors to get at the businesses they serve are a well-known fact among cybersecurity-savvy organizations. So, they may have fairly stringent security requirements for their vendors to avoid such vulnerabilities.

Being able to demonstrate compliance with government-grade security requirements can be a key differentiator when dealing with security-conscious companies.

However, this benefit can extend to B2C companies as well as B2B ones. As information about cybersecurity breaches and cyber threats become more common, consumers may become more concerned with security. Such consumers may research a company’s cybersecurity practices and check for records of past breaches before making purchase decisions.

In this case, having a long track record of cyber safety could help earn the business of concerned consumers.

For example, one study by Berkeley of consumers before and after being made aware of security flaws in popular products and apps showed that “consumers aware of the privacy flaws trust a company less.” In the study, consumers made aware of data privacy issues at Apple perceived the company as “significantly less trustworthy” immediately after the breach—though this perception faded somewhat when people were surveyed a year later.

Trust is one of the hardest resources to acquire, taking a long period of time to build through consistent action and success. However, it’s one of the easiest to lose with a single mistake.

There are a lot of terms related to NIST 800-171 and CMMC that are important to know. Here are some of the most important terms and brief descriptions for each:

Controlled Unclassified Information (CUI)

CUI is defined by the Office of the Undersecretary of Defense Acquisition and Sustainment as:

“Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order.”

In other words, it’s information that isn’t considered classified under any specific government mandate, but still needs to be protected from illicit access. This is often because CUI includes sensitive information that may be useful to foreign intelligence agencies.

Federal Contract Information (FCI)

FCI is a catch-all term for any information that the U.S. government provides or generates under contract that isn’t intended to be released to the public.

Personally Identifiable Information (PII)

A general term for any information that an organization stores or processes that can be used to identify an individual. Many data privacy standards reference PII and the need to protect it from illicit access.

If stolen, PII can be used to commit fraud that can be financially devastating—both for the organization whose data is stolen and the individuals identified through their PII.

Media

In cybersecurity and compliance circles, the word “media” carries a different meaning from the usual. When mentioned in CMMC and NIST documentation, “media” typically is a reference to storage media, meaning assets like USB drives, hard disk drives (HDDs), solid state drives (SSDs), CDs, DVDs, floppy disks—basically anything that can hold data on it for future retrieval.

Defense Federal Acquisition Regulation Supplement (DFARS)

A supplement to the Federal Acquisition Regulation (FAR) that is administered by the Department of Defense. According to the Federal Register, DFARS “contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.”

As one of the security standards that the DoD administers, it is important for companies working with the DoD to meet DFARS requirements.

Defense Industrial Base (DIB)

The defense industrial base is the collection of all the businesses that participate in the national (or global) defense industry. Consisting of hundreds of thousands of companies, the DIB enables research and development for military weapons and IT systems, components, and parts as well as managing the supply chain for various military-related applications.

This is sometimes referred to as the national technology and industrial base (NTIB) when talking about both domestic and global portions of the DIB.

Companies within the DIB are often a target for espionage by foreign agencies looking to learn more about America’s defense industry and capabilities.

Advanced Persistent Threat (APT)

A specific category of cybersecurity threat that attempts to hide its presence in infected systems as it collects sensitive data to send off to an attacker. APTs are often defined by their difficulty to detect and their ability to steal a lot of information over a long period of time.

In some cases, APTs may go undetected for weeks or even months as they infiltrate systems. This makes them extremely dangerous tools.

Request for Proposal (RFP)

A document issued by government agencies to try to get potential vendors to issue bids. This document generally includes various criteria for the project to be completed or work to be done so companies can generate a realistic bid.

Request for Information (RFI)

A document that requests information about a given industry that the government uses to inform its purchase decisions. This document is often used to gather info that is later used to generate a “request for proposal” document.  

Cybersecurity

A general term for the policies, procedures, and tools that an organization uses to protect its data from being stolen or lost. Strong cybersecurity helps protect businesses from modern cyber threats like phishing attacks, malware, APTs, ransomware, DDoS attacks, and the like.

Some cybersecurity tools, such as disaster recovery solutions, can also help prevent data loss from accidental deletions or damage to critical infrastructure.

Security Control

A security control is a tool, procedure, or other safeguard that helps an organization to detect, avoid, counter, or minimize the impact of a security risk or threat.

The DoD and other government agencies may require businesses to use specific security controls to counteract or protect against certain cyber threats. For example, NIST 800-171 specifies the use of access controls to limit the types of transactions users, processes, and devices can make—and to verify identities before allowing transactions to take place.

Examples of security controls can range from firewalls to antimalware tools, security incident and event management (SIEM) software, employee security awareness training, multi-factor authentication (MFA), and more.

System Security Plan (SSP)

A system security plan is, as noted by SANS, used to “provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.” 

In other words, it’s a document that organizations use to describe their current and planned security tools, procedures, and role-based responsibilities for system users. An SSP can be an integral part of security compliance efforts.

Plan of Action and Milestones (POA&M)

A document that details specific tasks that need to be accomplished. It includes any resources required to accomplish the plan, specific milestones for different tasks, and scheduled completion dates. 

As noted in the FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide, “The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk-mitigation activities in accordance with the [cloud service provider’s] priorities.”

Supplier Performance Risk System (SPRS)

A database meant for DoD acquisition agents that serves as “the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.”

SPRS supports acquisition professionals from the DoD by providing numerous pieces of information, including delivery scores and quality classifications, procurement risk data and assessments, company exclusion statuses, and the National Security System Restricted List, among other pieces of data.

Procurement Integrated Enterprise Environment (PIEE)

An enterprise procure-to-pay (P2P) application for the DoD and supporting agencies. PIEE provides a variety of features that help automate the procurement process, reduce risk, and promote collaboration. Some of these features include:

• Purchase Request Data Standard (PRDS)-compliant tools for writing procurement requirements.
• Tools for assisting with the award process for contracts.
• Post-award administration functions.
• Payment management tools.
• Property management solutions.
• The National Industrial Security Program (NISP) Contract Classification System (NCCS).
• Reporting and document retrieval tools.

Microsoft Government Community Cloud

A government cloud service from Microsoft that is meant to “meet the unique and evolving requirements of the United States Federal, State, Local, and Tribal governments, as well as contractors holding or processing data on behalf of the US Government.”

Also referred to as Office 365 Government, this tool is an overlay for the regular Office 365 service that “supports the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a High Impact level.” Users are screened via background checks to help maintain security compliance standards.

Managed Service Provider (MSP)

An organization that provides managed IT services on the behalf of other people or companies. MSPs can assume responsibility for a variety of IT functions for an organization—often for a fraction of the cost of having to hire an IT team to do the same things internally.

The specific services provided may vary from one MSP to the next, so it’s important to ask MSPs what services they offer before entering into an agreement. When government contractors work with MSPs, the MSP will need to be compliant with CMMC and NIST 800-171 guidelines.

Managed Security Service Provider (MSSP)

Similar to an MSP, a managed security service provider offers outsourced services. However, their specific focus is typically on the monitoring, maintenance, and management of security tools, procedures, and systems.

MSSPs help organizations identify and close gaps in their security architecture to minimize data breach/loss risks, meet regulatory compliance standards, and keep security tools streamlined to reduce bloat that might interfere with business operations.

Department of Defense (DoD)

A department of the executive branch of the United States (and the largest U.S. government agency). The DoD’s mandate is to “provide the military forces needed to deter war and ensure our nation’s security.”

To this end, the Department of Defense works with numerous organizations to secure technologies, tools, and systems that enhance the effectiveness of America’s armed forces and can help prevent attacks against American interests.

Because of the sensitive nature of the DoD’s work, the department has enacted several data security standards, guidelines, and certifications that their contractors need to be compliant with.

Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))

The Office of the Secretary of Defense (OSD) is a part of the DoD that “is responsible for policy development, planning, resource management and program evaluation” for the DoD. The Office of the Under Secretary of Defense for Acquisition and Sustainment is a sub-department of this office specifically responsible for enabling the “Delivery and Sustainment of Secure and Resilient Capabilities to the Warfighter and International Partners Quickly and Cost Effectively.”

The OUSD(A&S) worked alongside key stakeholders in the DoD and the defense industry to develop the CMMC framework. CMMC specifically helps to address key resiliency and safety goals held by the OUSD(A&S).

CMMC Accreditation Body (CMMC-AB)

The organization authorized by the DoD to “be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community.” If you want to achieve accreditation under CMMC, the CMMC-AB is the only DoD-approved and endorsed entity.

CMMC Third-Party Assessor Organization (C3PAO)

A C3PAO is an organization or individual that is authorized by the CMMC-AB to deliver CMMC assessments. C3PAOs need to apply for certification, a process that includes signing a license agreement, passing a background check, and passing at least a level 3 certification under CMMC standards.

National Institute of Standards and Technology (NIST)

An agency within the U.S. Department of Commerce that promotes technology and innovation that helps keep U.S. businesses competitive. It is also one of the USA’s “oldest physical science laboratories,” being founded in 1901.

The NIST often releases special publications that provide guidelines for ensuring basic cybersecurity protections in an ever-evolving threat environment. Examples include NIST 800-171 and NIST 800-53.

48 CFR 52.204-21

A rule within the Code of Federal Regulations (CFR) that is concerned with the “basic safeguarding of covered contractor information systems.” 48 CFR 52.204-21 calls on government contractors to meet 15 distinct security requirements and controls:

1. Limit information system access to authorized users, processes acting on behalf of users, or devices;
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
3. Verify and control/limit connections to and use of external information systems;
4. Control information posted or processed on publicly accessible information systems;
5. Identify information system users, processes acting on behalf of users, or devices;
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
12. Identify, report, and correct information and information system flaws in a timely manner;
13. Provide protection from malicious code at appropriate locations within organizational information systems;
14. Update malicious code protection mechanisms when new releases are available; and
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These security requirements are in addition to any other security rules that the contractor may be subject to. In other words, if your contract requires you to meet NIST 800-171 and CMMC, 48 CFR 52.204-21 doesn’t replace those requirements—you have to meet them all.

NIST 800-53

A document published by NIST defining a list of security controls for protecting sensitive information. As the Revision 5 version of the document states, NIST 800-53 “represents a multi-year effort to develop the next generation of security and privacy controls that will be needed” to accomplish objectives like making information systems more penetration-resistant and limiting the damage from cyberattacks.

NIST 800-53 defines 20 different families for security and privacy control:

• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Assessment, Authorization, and Monitoring (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Program Management (PM)
• Personnel Security (PS)
• PII Processing and Transparency (PT)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Supply Chain Risk Management (SR)

If you compare this to NIST 800-171 and CMMC, you may notice significant overlap since these publications use many of the same security families. However, NIST 800-53 specifies some families for topics not found in 800-171 or CMMC.

ISO 27001

A publication from the International Organization for Standardization (ISO), an organization that is often associated with quality and process management standards like the ISO 9000 series of publications. ISO/IEC 27001 provides requirements for an information security management system (ISMS) to help organizations protect sensitive information.

Although not specific to government security requirements, ISO 27001 standards can help businesses meet certain NIST and CMMC requirements.

ISO 27032

A security guidance document from ISO that is more specifically tailored to cybersecurity. The ISO 27032 document provides an overview of cybersecurity, how it relates to other types of security, and a framework for resolving key cybersecurity issues.

The CMMC framework consists of 17 “domains” (which are similar to the “families” used by NIST 800-171) across five separate levels of maturity.

The 17 Domains of the Cybersecurity Maturity Model Certification

Each of the 17 CMMC domains has a specific set of “capabilities” that an organization needs to demonstrate to satisfy them. The 17 domains and requisite capabilities for each are:

Of the 43 capabilities listed in the table, many can be further subdivided into specific practices that contribute to the organization’s overall cybersecurity matureness level.

From Basic Performance to Optimization: The Five Levels of CMMC

CMMC processes and practices can be divided into five levels going from simply having “performed” some basic cybersecurity hygiene at the bottom of the pyramid to “optimizing” advanced or progressive cybersecurity measures at the top.

Here’s a graphic from the OUSD(A&C) document on CMMC to illustrate:

Each “level” of CMMC has a different focus:

• Level 1. This level focuses on safeguarding FCI
• Level 2. This is a transitional level in progressing towards the cybersecurity maturity needed to protect CUI
• Level 3. Protecting CUI
• Levels 4 and 5. Protecting CUI and reducing risk from APTs

About Level 1 CMMC Maturity

An organization at level 1 of the CMMC model may be dealing with cyber threats and risks in an ad-hoc, undocumented manner. Additionally, their safeguards consist of only the most basic tools and practices from 48 CFR 52.204-21. So, process maturity isn’t really assessed for level 1 organizations.

About Level 2 CMMC Maturity

At level 2, organizations have documented practices and policies for achieving cybersecurity maturity. The practices used for level 2 contain a part of the practices from NIST 800-171 and other standards to protect CUI.

About Level 3 CMMC Maturity

To achieve level 3 maturity, organizations need to establish and maintain a plan showing how they manage security practices for CMMC implementation. It requires following all of the security requirements of NIST 800-171 to mitigate threats.

About Level 4 CMMC Maturity

At level 4, organizations need to review and measure the effectiveness of their security controls and practices. This level focuses on dealing with APTs and protecting CUI from these threats—which entails using sophisticated threat detection tools like SIEM. It also means adapting to ever-changing threat techniques and tactics.

About Level 5 CMMC Maturity

An extension of the level 4 processes for reviewing, level 5 requires organizations to standardize and optimize their implementation of improved security processes. Organizations at level 5 maturity have deep and sophisticated security and the documented processes to show it.

How Many Practices Do I Need to Meet at Each Level?

Each level of CMMC maturity has an increasing number of security practices that organizations must meet to satisfy.

• Level 1: 17 Practices
• Level 2: 72 Practices
• Level 3: 130 Practices
• Level 4: 156 Practices
• Level 5: 171 Practices

Meeting CMMC standards for the higher levels of implementation can be a challenge—especially since they mean meeting compliance requirements for a variety of security standards like NIST 800-171, 48 CFR 52.204-21, ISO 27001, and others.

Some basic tips for meeting CMMC and NIST compliance requirements include:

Check for Security Tools to Meet Multiple Compliance Standards

There is a lot of overlap between the different parts of NIST 800-171 and CMMC. For example, access control (AC) and identification and authentication (IA) both require organizations to have security tools for identifying users so access can be restricted to authorized personnel.

Finding tools that help verify identities, such as multi-factor authentication tools, can help satisfy both standards.

Asset management tools can be helpful for more than just the AM section of CMMC as well. With a comprehensive list of assets, organizations can identify security gaps and risks more easily. It’s also necessary to have a complete inventory of IT assets to make monitoring solutions more effective, since gaps in the inventory list may mean that some assets won’t be protected correctly.

Conduct Periodic Self-Assessments (Even after Getting Certified)

A CMMC certification isn’t a “one and done” event. It’s a continuous cycle of managing cybersecurity controls, finding gaps, identifying threats, and implementing fixes that minimize risk.

After all, cyber threats are constantly evolving. No security system, regardless of how good it is, will be 100% future-proof. There’s always a new threat just around the corner to surprise the unwary.

So, conducting periodic self-assessments is a must for staying at the top level of CMMC maturity.

Consider Partnering with an MSSP

Becoming CMMC-compliant can be a complicated and difficult process. This is especially true if you’re trying for a higher-level certification. Achieving level 5 requires following 171 different practices. If any one element is missing from your cybersecurity strategy, you might miss the level of certification you’re aiming for.

So, working with a managed security service provider can be immensely useful. Why? Because, MSSPs often have extensive cybersecurity expertise available to them that can help you identify and close critical security gaps. By closing these gaps, you can bring your organization one step closer to CMMC certification.

Additionally, MSSPs may be able to recommend tools and solutions that allow you to satisfy multiple CMMC and NIST guidelines at once—streamlining security processes and tools to reduce bloat while improving safety and security for sensitive information.

Document Everything for CMMC Compliance!

One of the most important things to do for any government-related process is to document everything that you can. C3PAOs will want to review your written processes and records as a part of their maturity assessment.

Documenting processes also makes it easier to onboard new employees and make sure that they’re up to speed with your company’s security requirements. If your processes and procedures are documented, then you can introduce new hires to them and keep every person to a consistent and fair standard.

Besides, if you use a security control for a particular CMMC guideline, but don’t have any documentation to show for it, the DoD and other agencies aren’t likely to take it on faith. They won’t know how the control is being used or if it is being applied consistently.

As of the time of this writing, CMMC is still in version 1.0. However, considering the ever-evolving nature of cybersecurity threats, it is all too likely that this standard will be revised at some point in the future. The specific nature of these revisions is impossible to predict, but they are likely to require organizations that do the “bare minimum” to make frequent changes to satisfy new standards.

So, one of the best things any organization can do is to go above and beyond the minimum requirements for CMMC compliance and use protections that exceed the DoD’s suggestions. This not only helps ensure compliance with standards beyond CMMC, it can also help businesses protect themselves from new cyber threats.