Let’s face it: being a Department of Defense (DoD) contractor can be a challenge sometimes. For example, on the cybersecurity front, you are expected to make sense of many hard-to-memorize acronyms and technical terms. Chief among these are CMMC and NIST SP 800-171. But what is the difference between them, exactly? Let’s take a detailed look.
What Is NIST SP 800-171?
The National Institute of Standards and Technology Special Publication 800-171, or NIST SP 800-171 for short, is a set of recommended requirements designed to protect the confidentiality of controlled unclassified information (CUI) in non-federal systems and organizations.
The 110 security controls outlined in NIST SP 800-171 are organized into the following 14 families (remember them, because we’ll go back to them in a minute):
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Who Needs To Comply With NIST SP 800-171?
Any manufacturer that is part of the supply chain of any federal or state agency must comply with NIST SP 800-171.
In the specific case of DoD contractors, NIST SP 800-171 compliance is mandated by DFARS clause 252.204-7012.
NIST SP 800-171 relies on self-certifications, with contractors submitting their scores to the DoD’s Supplier Performance Risk System (SPRS).
Even though there is no formal certification program for NIST SP 800-171, the best bet for defense contractors looking to achieve full compliance is to work with an experienced cybersecurity consultant with in-depth knowledge of NIST SP 800-171 implementation.
What Is CMMC?
In previous blog posts, we have talked at length about the Cybersecurity Maturity Model Certification (CMMC). Links to those blogs are provided below, but here’s a quick recap to get you up to speed.
CMMC stands for Cybersecurity Maturity Model Certification, a cybersecurity model created by the DoD to ensure that contractors in the Defense Industrial Base (DIB) take the appropriate steps to protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC framework comprises three tiers, with each tier building upon its predecessor as follows:
- Level 1 (Foundational): 17 practices. Annual self-assessments.
- Level 2 (Advanced): 110 practices aligned with NIST SP 800-171. Triennial third-party assessments for critical national security information; annual self-assessments for select programs.
- Level 3 (Expert): 110+ practices based on NIST SP 800-172. Triennial government-led assessments.
The CMMC model distributes security practices across 14 domains that align with the 14 families we saw earlier while reviewing NIST SP 800-171:
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
To take a deep dive into CMMC, read our previous blogs, “CMMC Continuous Monitoring: What Is It and Why Is It Important?” and “What Is CMMC Level 2?”
Who Needs To Comply With CMMC?
This is one of the most common questions about CMMC, but the answer is simple: if you are an organization within the DoD supply chain (be it as a prime contractor or subcontractor), then you need to comply with CMMC.
The CMMC level required for a contract will depend on the type of information involved in a given project and will be specified in the solicitation.
CMMC vs NIST SP 800-171
As you can see, CMMC and NIST SP 800-171 are closely interrelated. For example, the 14 domains of CMMC are aligned with the 14 control families of NIST SP 800-171.
However, there are some key differences between CMMC and NIST SP 800-171.
Most notably, unlike NIST SP 800-171, the CMMC framework is coupled with a certification program to verify the implementation of practices.
The CMMC certification process varies according to the compliance level a contractor aspires to achieve. For CMMC Level 1, annual self-assessments are enough. CMMC Level 2 requires annual self-assessments for select programs and triennial assessments by a Third-Party Assessment Organization (C3PAO) for critical national security information. Lastly, CMMC Level 3 calls for triennial assessments led by government officials.
Another important difference between CMMC and NIST SP 800-171 is that CMMC is a more comprehensive framework. Remember that not only are the 110 practices of CMMC Level 2 aligned with NIST SP 800-171, but CMMC Level 3 is also based on NIST SP 800-172, a set of requirements that supplement and enhance NIST SP 800-171.
The Bottom Line
Regardless of the differences between them, it’s undeniable that both NIST SP 800-171 and CMMC are crucial for DIB contractors.
While CMMC is still in the process of being codified through rulemaking, NIST SP 800-171 compliance is not only currently required by DFARS but also a good way to shore up your cybersecurity in preparation for the CMMC final rule release.
Need To Comply With CMMC or NIST SP 800-171? We Are Here To Help
We know that setting out to achieve CMMC or NIST SP 800-171 compliance can be a daunting process — not to mention resource-intensive and time-consuming.
That’s why we have made it our mission to help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a full Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions. Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063