Appropriate documentation that shows you meet data security requirements is the first step towards passing a security audit. You can use a variety of methods to jump-start your National Institute of Standards and Technology (NIST) Special Publication 800-171 and Cybersecurity Maturity Model Certification (CMMC) audit readiness. These include security controls, metrics, policies, procedures, and standards, which help contractors and subcontractors throughout the U.S. Defense Industrial Base (DIB) solve the problems caused by weak or non-existent security documentation of information security management.
Our professionally-written security solutions are affordable, editable, and scalable. Schedule a free consultation today with our cyber security experts if you need to be DFARS 252.204-7012 compliant. Contact Beryllium InfoSec Collaborative today at 763-546-8354.
NIST Special Publication (SP) 800-171 is a NIST publication that provides the recommended information security policies for protecting the confidentiality of controlled unclassified information (CUI) for federal agencies in the US government. CUI is any unclassified information that requires protection or disseminating controls by law, regulation, or government-wide policy.
Defense contractors must implement NIST SP 800-171 requirements to demonstrate that they provide adequate risk management for federal information systems. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 in defense contracts specifies requirements for access control such as password guidelines. User authentication and other forms of privacy controls. Implementing NIST guidelines is a requirement for all manufacturers who provide parts for state and federal agencies, including the Department of Defense (DoD), General Services Administration (GSA), National Aeronautics and Space Administration (NASA).
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing information security across the U.S. DIB, which currently includes over approximately 300,000 companies in its supply chain. It’s the DoD's response to the significant compromises of sensitive defense information located on the information systems of government contractors. The DoD released version 1.02 of the CMMC in March, 2020, which was a highly anticipated methodology in the cyber security community. The Federally Funded Research and Development Centers (FFRDC), Affiliated Research Centers (ARC), and industry experts provided significant input for this version of the CMMC.
Prior to the release of the CMMC, contractors were responsible for self-assessing the implementation, monitoring, and managing security programs, including any sensitive DoD information stored on those systems or transmitted by them. However, CMMC requires certified third parties (C3PAOs) to assess contractor compliance, based on the level of maturity required, based on the data they handle, allowing them to develop an always evolving response to new threats as they too evolve.
Many private sector stakeholders believe that CMMC compliance and NIST 800-171 compliance are the same, which isn’t true. The CMMC standard includes five levels of certification, and the higher levels include requirements from frameworks other than NIST 800-171. These levels describe an organization’s reliability and maturity with respect to the protection of sensitive government information residing on its information systems. CMMC certification levels have a tiered hierarchy such that each level requires the organization to meet all of the requirements of the level below it in addition to the new requirements for that level.
Requires the organization to perform “basic cyber hygiene practices” such as running antivirus software and regularly ensuring employees change their passwords. This benchmark helps contractors protect Federal Contract Information (FCI), which is information generated for or provided by the government under a contract to deliver a product or service for the government. FCI doesn’t include information intended for public use or certain transactional information.
Serves as a transition step to CMMC Level 3, includes the requirements of Level 1 and adds the requirement to document “intermediate cyber hygiene practices” that protect CUI. These practices implement some of NIST SP 800-171 Revision 2 (NIST 800-171 R2) security requirements.
Includes the requirements of Level 2 and adds the requirement to implement "good cyber hygiene" practices to protect CUI, including all the NIST 800-171 R2 security requirements. It also requires the implementation of 20 additional CMMC requirements.
Includes the requirements of Level 3 and adds the requirement to implement processes for reviewing and measuring the effectiveness of those practices. Level 4 also requires the organization to establish additional practices that detect attackers’ changing tactics, including techniques and procedures of advanced persistent threats (APTs). These threats are adversaries that possess the expertise and resources needed to employ multiple attack vectors against a target.
Includes the requirements of Level 4 and adds the requirement to implement standardized and optimized processes across the organization. It also requires additional practices to improve the organization’s ability to detect and respond to APTs.
DoD contractors need to learn the CMMC’s technical requirements immediately so they can prepare for their eventual CMMC certification and long-term agility with respect to their security posture. The federal government plans to release updated details on how third parties will conduct CMMC audits and how contractors can challenge those assessments. Contractors who begin evaluating their current risk management strategy for compliance gaps now will be in a favorable position to navigate the process for meeting mandatory CMMC requirements once the government finalizes these details. Organizations seeking Certification (OSCs) and contractors can remain current on the certification process by visiting the CMMC FAQ maintained by the Office of the Under Secretary of Defense for Acquisition & Sustainment, as well as the website for the CMMC Accreditation Body (CMMC-AB) The NIST's website at nist.gov also contains valuable information for DoD contractors.
All DoD contractors will eventually need CMMC certification to acquire new contracts. This requirement will apply to all suppliers at all tiers in the supply chain, including commercial item contractors, foreign suppliers, and small businesses. The DoD will coordinate the process for developing procedures to certify independent Third-Party Assessment Organizations (CP3AOs) with the CMMC Accreditation Body (CMMC-AB). CP3AOs will eventually evaluate the CMMC levels of DoD contractors.
The DoD will begin including minimum certification requirements in its requests for information (RFIs) in early 2021. The DoD has also indicated it may require a higher CMMC level for its prime suppliers than subcontractors on the same contract, which could complicate the process for implementing CMMC.
All of the contractors in the DIB will eventually need certification to continue competing for DoD contracts. DoD contractors should begin preparing for CMMC certification now, using the CMMC Assessment Guides for CMMC Level 1 and CMMC Level 3, as the DoD establishes the procedures for creating accreditors and accreditations. Early preparation of a contractor's security measures could provide a more efficient assessment with a more positive result.
The first steps contractors should take in developing their system security plan (SSP) include clearly documenting their system security practices and procedures that already comply with CMMC requirements. The next step is to plan and implement the additional practices and procedures needed to obtain the highest possible certification. Prime contractors should also start working with the subcontractors in their supply chain to help them develop their compliance programs where needed or review the ones already in place.
The key actions for contractors who need CMMC include engaging with agencies, following the development of assessment challenges, and retaining agility towards those changes.
Affected contractors should engage with agencies to review the RFIs and RFPs of interest to determine the minimum CMMC requirements, once available. This practice ensures the required CMMC level isn’t excessively burdensome to the contractor and provides the clarity needed to implement that level throughout the supply chain. Contractors should also provide the DoD with feedback during the question and answer process for RFPs to ensure outstanding issues are resolved to their satisfaction. Contractors have the option of filing a pre-award protest, but the GAO and Court of Federal Claim generally defer to the DoD on matters of national security.
Changes to the cybersecurity risk assessment process are one of the most significant challenges for DoD contractors. In particular, they need to know the due process that will be available to correct an erroneous audit result. The CMMC doesn’t currently establish a right of appeal for contractors, although the DoD has indicated this will occur. Contractors should provide DoD with feedback on this issue to ensure adequate due process.
Maintaining agility towards CMMC certification means that contractors shouldn’t view their CMMC compliance as complete once they receive their initial certification. The DoD has repeatedly stated that CMMC is only a baseline for changing a contractor’s security posture since contractors must also perform continuous monitoring. Contractors who remain flexible in this regard will be in the best position to compete for future contracts.
Handle Controlled Unclassified Information (CUI)? If so, avoid fines or the opportunity to be awarded new DoD contract opportunities by implementing the controls of NIST 800-171.
Learn how CUICK TRAC™ — a private hosted, virtual enclave — can help your organization get DFARS/NIST 800-171 compliant or schedule a free consultation with our experts if you need to be DFARS 252.204-7012 compliant.