CMMC and NIST 800-171

Update: The Cybersecurity Maturity Model Certification (CMMC) has recently undergone significant updates, with the Department of Defense publishing the final rule for CMMC 2.0 on October 15, 2024. These changes are crucial for all defense contractors and suppliers, as compliance will soon be mandatory. The new framework outlines three levels of certification: Level 1 for basic cyber hygiene, Level 2 aligned with NIST SP 800-171, and Level 3 requiring alignment with NIST SP 800-172. A phased implementation will begin on December 16, 2024, requiring self-assessments, with full certification requirements rolling out over the next three years.

For more details on these updates and how to prepare, please check out our latest CMMC blog post.

Due to the nature of their work and the data they handle, Department of Defense contractors must comply with standards like CMMC and NIST 800-171. Understanding what cybersecurity standards and guidelines apply to you and deciding which requirements to follow can be incredibly challenging. With that in mind, this article will discuss the differences between both sets of standards and talk about which one to choose to ensure that you meet DoD compliance requirements.

An Introduction to CMMC

The Cybersecurity Maturity Model Certification (CMMC) program comes directly from the Department of Defense. The program outlines standards that companies within the Defense Industrial Base (DIB), such as DoD contractors and subcontractors, need to meet in order to enhance their cybersecurity practices and keep sensitive data safe.

It would also be accurate to call the CMMC program a “framework.” That framework can be broken down into three key components:

  1. A tiered model for classifying an organization’s readiness
  2. Required assessments for CMMC standards and guidelines
  3. CMMC tier requirements for specific government contracts

In 2021, the DoD announced the launch of CMMC 2.0, which replaced the original CMMC guidelines. CMMC 2.0 updates the previous cybersecurity standards to be more in line with modern threat assessments and modifies the program’s tier model.

With CMMC 2.0, the readiness model was reduced to three tiers from the five included in the previous version of the program. The new version also streamlines security requirements for an easier adoption process. CMMC 2.0 encompasses over 130 cybersecurity practices at the highest level, many of which are based on the NIST SP 800-171 and 800-172 publications.

What Is NIST 800-171?

There is a significant overlap between NIST 800-171 and CMMC 2.0 because the latter is based on the former. To put that into context, NIST 800-171 is one of the hundreds of NIST publications covering cybersecurity guidelines for specific industries. NIST 800-171 focuses specifically on DoD contractors and subcontractors.

The NIST 800-171 guidelines cover cybersecurity best practices that contractors must follow to be eligible for DoD contracts. These guidelines encompass 14 requirement families, covering access control, awareness and training, physical protection, and more.

It’s important to note that NIST 800-171 is not the same as the NIST Cybersecurity Framework (NIST CSF). NIST CSF offers a comprehensive set of non-mandatory cybersecurity standards that DoD contractors can choose to adopt, but NIST 800-171 focuses entirely on DoD requirements.

CMMC vs. NIST 800-171 (3 Key Differences)

Although CMMC 2.0 is based on NIST 800-171, the two sets of guidelines aren’t identical. In this section, we’ll break down the significant differences between both sets of standards.

Figure: CMMC 1.0’s five levels vs CMMC 2.0’s three levels and what they include. (Source)

1. CMMC 2.0 Includes a Level-Based Model

CMMC 2.0 categorizes organizations into three levels. Some DoD contracts may require specific levels, which means your organization needs to meet a set level of criteria to bid on them. Unlike NIST 800-171, CMMC 2.0 outlines the need for assessments, which means it requires third-party certifications to ensure that your organization meets its standards.

NIST 800-171 doesn’t include any certification requirements. Companies are expected to conduct self-assessments to ensure that they meet cybersecurity criteria. However, since NIST is not a regulatory body, it doesn’t have the authority to enforce its guidelines.

2. CMMC 2.0 Focuses on Controlled Unclassified Information (CUI) Standards

CMMC 2.0 includes over 130 cybersecurity guidelines at the highest level of compliance that organizations can get certified for. Out of those guidelines, 110 map directly to NIST 800-171 standards. More importantly, all of the CMMC 2.0 guidelines focus almost solely on CUI controls.

NIST 800-171 also emphasizes CUI protection. However, the guidelines also outline standards for Non-Federal Organization (NFO) controls.

3. CMMC 2.0 Includes Additional Domains Over NIST 800-171

As mentioned before, NIST 800-171 encompasses 14 requirement families, including standards for access control, personnel security, risk assessment, security assessments, and more. CMMC 2.0 takes all of those families, and it adds three new cybersecurity domains to its standards.

Those domains include the following:

  1. Asset management
  2. Recovery
  3. Situational awareness

CMMC 2.0 places a higher standard on cybersecurity assets and recovery from breaches. Moreover, organizations need to be more aware of the threats they face and how those can impact CUI they might be required to handle.

When Will CMMC 2.0 Come into Effect?

As of right now, compliance with CMMC 2.0 is not required until the changes mentioned above have been implemented through the rulemaking process. According to the Department, rulemaking will be pursued both in Part 32 of the Code of Federal Regulations (C.F.R.) and in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. There will be a public comment period for both of these rules. During this transition period, CMMC 2.0 requirements will not be included in any DoD solicitation, according to the Department.

Choose the Right Cybersecurity Standard for Your Organization

If you work as a DoD contractor or bid for contracts, your business needs to be prepared to handle CUI safely. Both NIST 800-171 and CMMC 2.0 outline the necessary standards that you need to adopt to secure your position as a DoD contractor. Meeting NIST 800-171 guidelines is a great starting place for contractors.

Are you ready to talk to experts about how to navigate the complexities of DoD cybersecurity guidelines? Book a demo today, and let’s get your organization ready to apply to contracts.