The Impact of NIST SP 800-171 Revisions on CMMC Compliance

Impact of NIST SP 800-171 Revisions on CMMC Compliance

Maintaining compliance with the evolving Cybersecurity Maturity Model Certification (CMMC) requirements is crucial for defense contractors and organizations. In this article, we’ll explore the recent revisions of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and their direct impact on CMMC compliance. As a leading provider of cybersecurity solutions, Back To Business I.T. aims to empower defense contractors with the necessary insights to navigate these changes effectively.

Understanding NIST SP 800-171 serves as the baseline for protecting Controlled Unclassified Information (CUI) on nonfederal systems and organizations. These guidelines establish essential security requirements that federal agencies and government contractors must follow when handling sensitive information. CUI encompasses data such as intellectual property, health information, and critical energy infrastructure information. Compliance with NIST SP 800-171 is a prerequisite for defense contractors seeking to secure Department of Defense (DoD) contracts.

The Impact of NIST SP 800-171 Revisions on CMMC Compliance

The revisions in NIST SP 800-171, particularly the upcoming Revision 3, significantly influence the compliance landscape for defense contractors pursuing CMMC certification. Let’s explore how these revisions affect CMMC compliance:

  1. Enhancing Alignment: NIST has aligned the language of SP 800-171 Revision 3 with the closely related SP 800-53 Rev. 5, enabling defense contractors to apply the technical tools and controls outlined in SP 800-53 to achieve CMMC compliance. This alignment streamlines the implementation process and ensures a consistent approach to cybersecurity.
  2. Strengthening Security Requirements: The revised NIST SP 800-171 places increased emphasis on cybersecurity, reflecting the evolving threat landscape and state-level espionage targeting CUI. The new requirements address specific threats to CUI and incorporate state-of-the-practice cybersecurity controls. By adhering to these enhanced security requirements, defense contractors can bolster their cybersecurity posture and better protect sensitive information.
  3. Simplifying Implementation: NIST SP 800-171 Revision 3 introduces clearer instructions and specific criteria, reducing ambiguity and facilitating easier implementation. This streamlining of requirements simplifies the compliance process and enables defense contractors to align their cybersecurity practices with the latest industry standards.
  4. Aligning with Future CMMC Levels: The revisions in NIST SP 800-171 provide a foundation for future CMMC levels beyond Level 3. By incorporating the enhanced security requirements and alignment with SP 800-53 Rev. 5, defense contractors get a head start in preparing for future CMMC levels, ensuring a smooth transition as the certification evolves.

To achieve CMMC compliance, defense contractors must remain up-to-date with the revisions in NIST SP 800-171.

The upcoming Revision 3 brings enhanced alignment, strengthened security requirements, simplified implementation, and a forward-looking approach to future CMMC levels. By effectively understanding and implementing these revisions, defense contractors can ensure their cybersecurity practices meet the rigorous standards required for DoD contracts.

Back To Business I.T. is committed to supporting defense contractors on their journey towards CMMC compliance, and we’re ready to provide tailored cybersecurity solutions. Take the first step today by scheduling a gap analysis with our expert cybersecurity consultants.

Department of Defense prepares rollout of national cybersecurity standards

DoD cybersecurity standards

By Tyler Greenwood, Vice President of Back To Business I.T. (originally published in the Dayton Business Journal)


Cyber incidents like the SolarWinds attack in 2019 and the Colonial Pipeline ransomware attack in 2021 have the U.S. Department of Defense (DoD) taking urgent action to strengthen national cybersecurity regulations.

report released last November found most prime contractors (and their subcontractors) hired by the DoD in the last five years failed to meet minimum cybersecurity standards, putting U.S. national security at risk. Security gaps in the federal supply chain have been well known for years, but attempts to fix them have failed.

Enter: CMMC

In response to heightened security risks, the DoD introduced Cybersecurity Maturity Model Certification (CMMC) program. Its goal is to ensure any company involved in the federal supply chain is protecting controlled unclassified information.

Under CMMC guidelines, more than 300,000 contractors must meet 110 NIST SP 800-171 controls, which the government sees as a reasonable cyber risk management approach. In addition, 80,000 of these organizations must complete a third-party assessment and certification to continue bidding on defense contracts.

When will CMMC certification be required?

The DoD is expected to release a final rule on CMMC framework by March 2023, which means contractors could start seeing requirements in RFPs/RFIs as early as May.

If your business is one of the 80,000 contractors that requires an outside assessment and certification, you may have less than a few months to do so. Failure to achieve compliance before the published rule could mean leaving money on the table and losing the ability to do business with the Department of Defense.

Getting started

If your company is still in the beginning stages of CMMC compliance, the time to act is now. Preparation and implementation of the following requirements can take upwards of 18 months. To get started on compliance, contractors should immediately:

  • Work toward meeting the 110 controls in NIST SP 800-171.
  • Identify their Supplier Performance Risk System (SPRS) score.
  • Create a system security plan (SSP).
  • Document plans of action and milestones (POA&M) to demonstrate how you intend to close any gaps for controls not yet met.

Next steps

If your organization has already started on CMMC compliance, consider conducting a preliminary self-assessment to see if you satisfy requirements. This can provide a range of helpful information to ensure you have everything functioning as expected once you’re ready to formally self-attest or go for your official certification.

If your business wants consultative guidance, including assistance walking you through standards you didn’t meet, explaining why, and offering suggestions on closing those gaps, you might find it beneficial to work with a CMMC Registered Provider Organization (RPO), such as Back To Business I.T.

As a full-service I.T. firm and the region’s leading CMMC-AB RPO, Back To Business I.T. can help you achieve NIST SP 800-171 compliance as well as help you prepare your plan of action and milestones (POA&M) and system security plan (SSP) required for CMMC certification. Learn more at www.backtobusinessit.com/cmmc-readiness.

CMMC 2.0 Updates

cmmc 2.0 updates

WHAT IS CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the U.S. Department of Defense (DoD) on January 31, 2020 to ensure the protection of sensitive unclassified information or controlled unclassified information (CUI).

Originally, the CMMC framework had five levels of cybersecurity maturity (basic to advanced/progressive) and affected more than 300,000 defense contractors. However, on November 4, 2021, the DoD formally announced the CMMC 2.0 framework. This updated version seeks to simplify the model and reduce compliance costs by streamlining the program and scaling back the requirement that all defense contractors obtain third-party certification of their cybersecurity capabilities. Under CMMC 2.0, about 80,000 contractors will have to undergo third-party assessments while contractors at non-critical CUI levels are able to self-certify. Additionally, contractors who are not yet in full compliance with applicable cybersecurity requirements will be permitted to perform less sensitive contracts if they make a Plan of Action & Milestones (POA&M) and commit to completing the remaining requirements within specified dates. These changes are reflected in the diagram below (published by the DoD):

WHAT ARE THE NEW LEVELS?

1️⃣ Level 1 (Foundational) only applies to companies that focus on the protection of federal contact information (FCI). It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users.

2️⃣ Level 2 (Advanced) is for companies working with controlled unclassified information (CUI). It is comparable to the old CMMC Level 3. CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC. Instead, Level 2 aligns with the 14 families of security requirements and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.  Identified within DoD contracts under DFARS 252.204-7012 clause.  DoD is still working to define the “critical” CUI information.

3️⃣ Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD’s highest priority programs, estimated to be about 600 companies. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

WHEN WILL CERTIFICATION BE REQUIRED?

The DoD is in the rulemaking process and negotiations with the CMMC Accreditation Body, which is expected to take an additional 9-24 months. While these rulemaking efforts are ongoing, the DoD is suspending mandatory CMMC certification, however, it is strongly recommending defense contractors act now and get CMMC assessed/certified to minimize the risk of DIB companies exposing sensitive unclassified information.

HOW TO GET STARTED

Defense contractors looking to start their CMMC compliance journey should look into meeting the 110 controls in NIST 800-171 as soon as possible, as preparation and implementation can take up to 18 months or more.

Not only can we help you achieve NIST-SP 800-171 compliance, but we can also perform a comprehensive gap analysis and determine your current SPRS score.  Then work with you on a plan to resolve areas of non-compliance. As a full-service I.T. firm, we can also implement solutions to address gaps so you are ready for CMMC certification and future audits.

CONCLUSION

CMMC 2.0’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. critical sectors. But it’s clear that the DoD cannot wait for CMMC 2.0 formalized assessments to improve cybersecurity in the Defense Industrial Base. While the CMMC 2.0 requirements work their way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up. If you’re seeking future business with the Department of Defense, it’s important you get started on the compliance path right away.

What is a CMMC RPO?

CMMC rpo

Throughout 2020, the U.S. Department of Defense released details surrounding the Cybersecurity Maturity Model Certification (CMMC) requirements for companies in the defense industrial base (DIB). These new consolidated cybersecurity requirements are driving suppliers and contractors to dedicate time, money, and other resources to strengthen their cybersecurity strategy to meet compliance. Depending on the company’s existing cybersecurity posture, some will have much more work to do than others, and they will all need professional guidance.

It’s no surprise that the market has been recently flooded with consulting firms claiming to be experts in CMMC compliance requirements. Keep in mind that not all third-party consultancies are created equal. As a small business, we understand how important it is to properly vet vendors, and make sure you’re getting the most out of every dollar you assign to projects like these.

The CMMC Accreditation Body (CMMC-AB) has introduced five certifications and authorizations to differentiate entities offering CMMC compliance services. These are:

  • Certified Third-Party Assessor Organizations (C3PAO)
  • Registered Provider Organizations (RPO)
  • Registered Practitioners (RP)
  • Certified Professionals (CP)
  • Certified Assessors (CA)

We’re happy to provide some details regarding the RPO authorization, and what is involved.

RPOs like The Greentree Group are authorized by the CMMC AB to provide consulting services to government contractors and other companies in preparation for their CMMC assessments. We can also assist during these assessments if there is a finding that will prevent you from attaining your desired CMMC maturity level. However, we do not conduct certification assessments, and we do not grant certified status. Only C3PAOs are equipped to conduct these certification assessments. As an RPO, we are here to provide CMMC guidance and support to companies impacted by these new regulations. It’s important to remember that C3PAOs cannot provide guidance unless they’re also certified as an RPO – and even then, they cannot offer the same services (assessment + guidance) to the same company.


WHAT GOES INTO BECOMING AN RPO

A company must do the following to become certified as a CMMC RPO:

  1. Be an entity owned by a “US person”.
  2. Be registered with the CMMC-AB in order to receive authorization to use the official logo distributed by the CMMC-AB.
  3. Sign an RPO agreement, reflecting a commitment to comply with the CMMC-AB Code of Professional Conduct.
  4. Clear an organizational background check.
  5. Have at least one Registered Practitioner (RP) on their team. An RP is specially trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard” at all times.
  6. Pay an annual registration fee.

These requirements put in place by the CMMC-AB are helpful for companies seeking certification because they provide a measure of legitimacy. As with any new regulations or rules, there will be many companies claiming to be experts in the field, and competing for your business. By selecting a company that has attained its RPO authorization, businesses can be confident that their choice is well suited for the job and committed to CMMC standards.


CHOOSING THE RIGHT CMMC RPO FOR YOUR COMPANY

RPO authorization is an important consideration when choosing a provider- but there are other things you should keep in mind. Other important questions you may want to ask –

  • How much experience does the RPO have in cybersecurity and maintaining compliance in highly regulated spaces?
    • The Greentree Group has supported both DoD programs and DIB clients with obtaining and maintaining required cybersecurity compliance for over a decade
  • Do they have experience with other frameworks such as CIS CSC, NIST SP 800-53, NIST SP 800-171, and ISO 27001?
    • Greentree has cybersecurity experts for the cybersecurity framework you require
  • How knowledgeable are they about the defense contracting environment?
    • Greentree’s cybersecurity team has a combined 50+ years of defense contracting experience
  • How many years have they been in business? Are they well-established?
    • The Greentree Group has been in business for 26 years with an established reputation for excellence in customer support
  • How easy is it for the provider to scale efforts appropriate to your business?
    • We support clients of all different sizes and architectures, as your business grows our support for your cybersecurity needs can grow with you

Note: Back To Business I.T. is a service brand of The Greentree Group.


WHY IS THE RPO AUTHORIZATION IMPORTANT FOR YOUR BUSINESS?

The new CMMC-AB authorization process for RPOs is an effective way for companies to sift through the increasing chatter in the CMMC consultancy space. The RPO certification signals that a consulting firm is invested in the CMMC space, and has committed to cybersecurity best practices. By visiting the CMMC marketplace, companies can look for certified RPOs in their area and reach out on their own terms.

We are authorized by the CMMC-AB as an RPO, and ready to guide your business along in the CMMC journey. Are you ready to learn more? Fill out this form and one of our cybersecurity experts will be happy to provide more information about CMMC compliance.

Skip to content