From NIST 800-171 to CMMC

Last week, we looked at a primer on compliance. This week, we’d like to take a deeper dive into one of the more intensive compliance requirements: Cybersecurity Maturity Model Certification, or CMMC.

(Check out last week’s general overview here.)

Stemming from NIST 800-171, CMMC is not yet in full swing as of the time of this writing. While originally scheduled to be completely integrated in 2020, COVID-19 and other factors have delayed the program’s rollout. Still, CMMC’s arrival is imminent. The Department of Defense has most recently reported that CMMC as a requirement will begin to occupy increasing amounts of defense contracts over the next several fiscal years, eventually phasing out any NIST 800-171 compliance. This means that while the two standards will co-exist for several years, the amount of award decisions based on CMMC compliance will consistently increase until no contracts are awarded to NIST 800-171 only (i.e. non-CMMC certified) bidders.

While we won’t take a deep dive into NIST 800-171 in this article, more can be found in our blog post from May.

However, as NIST 800-171 directly precedes CMMC, there are many similarities and much of the criteria is the same. For example, the CMMC Accreditation Body (https://www.cmmcab.org/) recommends the starting point for CMMC compliance is to become NIST 800-171 compliant.

Like NIST 800-171, CMMC addresses physical and technological security for federal contract information (FCI) and controlled unclassified information (CUI). This applies primarily (although is not strictly limited) to DoD contractors.

One of the biggest issues with preparation for CMMC from NIST 800-171 stems from the self-assessments which were acceptable for NIST 800-171 compliance. Quite simply, many businesses failed to truly complete these assessments, whether due to malintent, lack of knowledge, or some combination thereof.

CMMC is expected to be categorized into five levels of certification:

Level 1 concentrates on basic cyber- and physical security practices. This level of certification requires that these starting practices are implemented and maintained. This level of security practice is indicated as basic cyber hygiene.

Level 2 includes Level 1 practices but begins building process requirements into the architecture. Considered the first “step” into the maturity model, level 2 includes requirements for documentation of the functional processes and practices so that these may be performed by an organization’s staffers in a repeatable fashion. This level is also called intermediate cyber hygiene. Level 2 is considered a transition level for those organizations looking to achieve level 3.

Level 3 builds upon level 2 by increasing threat protection and including a level of planning to demonstrate management of process implementation. This level is basically equivalent to current NIST 800-171 compliance and is the minimum level sufficient to transmit and store CUI. This level is referred to as good cyber hygiene.

Level 4 goes above current NIST 800-171 requirements by requiring demonstration of adaptability in processes, meaning they are able to overcome advanced persistent threats (APTs) by changing techniques and procedures. This level is considered proactive.

Level 5 increases the levels of sophistication of level 4 by optimizing adaptability. This level is considered advanced or progressive.

The level of certification required for each contract will be dictated by the sensitivity of the information being transmitted or stored by the contractor, per contract, with a minimum of level 3 for CUI.

At Certified CIO, we do not offer auditing services for CMMC. Unlike with NIST 800-171, an independent third party assessment will be required for the auditing process with CMMC. However, we can help you prepare for these costly audits by aligning your business first with NIST 800-171 and then advising as more information becomes available about what may change for CMMC. We aid this process using alignment software alongside guidance from industry partners who keep a close eye on what’s coming.

We can help with providing:

Alignment Assessment
Compliance Consulting
Remediation Plans and Budgeting
Integration Projects
Monitoring and Maintenance

Not sure what you need? Don’t yet have a trusted partner as you tread into the upcoming compliance requirements? CONTACT US and our compliance experts can get you headed in the right direction!

Tabbie Coulter

great professional service and very timely!! would highly recommend for your IT needs.

Jessie Palma

I love this company. They have soo much talent there and they always fix it so quickly! They are very professional and courteous! I've gotten to know some of them because we treat each other like human beings :) It's like having an extended family.

Fernando Perez

Awesome management! Great company.

Joseph Silbaugh

I needed to add an older laptop to the business account for my use on the road. CIO did everything remotely for me. It made the task so easy. They updated everything, added my office 365, my 3 emails and checked everything. Great job, quick and efficiently no stress. I recommend them highly

Kay Westerhold

Always a quick response. Issue solved and can continue on with the task every time. Great job CCIO!!

Bill Fissell

The service was prompt, friendly and knowledgeable. Could not ask for more than that.

Kevin Slack

Upgraded our router with Comcast. It did not go smoothly until Steve Plumlee got involved and got everything working well. When Steve is working on our IT issues, they get resolved. Amen.

Hickory Falls Family Entertainment Center

Thanks for going more in-depth with your engineers and investigating solutions and resolving some of our email challenges.

Bill Moorman

Certified CIO is a smart, professional and friendly team of engineers to work with. I am a bright person but computers can make me feel incompetent. The team at Certified CIO never allows you to feel awkward even asking the most basic questions. You have been a lifeline many times. Thanks for your support.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Better IT for Business. Call Today! (717) 340-6000 (443) 283-0666

From NIST 800-171 to CMMC

Share This Story, Choose Your Platform!

Better IT for Business. Call Today!
(717) 340-6000
(443) 283-0666