Wherever you can find information about CMMC, the term “NIST SP 800-171” is likely present. While CMMC is the DoD’s new model for implementing cyber security standards across the Defense Industrial Base, the controls required in each level are adopted from proven NIST standards. It’s vital for contractors working toward CMMC compliance to learn about the standards found in NIST SP 800-171.
What is NIST SP 800-171?
NIST Special Publication 800-171, subtitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is one of many cyber security publications written by the National Institute of Standards and Technology. The 113-page document outlines the methodology used to develop its security standards and describes the 110 recommended control requirements.
Protecting Controlled Unclassified Information
The publication provides a set of recommended cyber security standards that are useful for any organization. However, these NIST standards were developed specifically to address the protection of federal controlled unclassified information (CUI) processed, stored, and transmitted in support of delivering products and services within the DIB:
- when the CUI is resident in a nonfederal system and organization;
- when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
- where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
The Purpose of NIST SP 800-171
According to NIST, the protection of CUI in nonfederal systems (information systems that are not used or operated by an executive agency) is essential to the protection of the U.S. government and the nation as a whole. DoD contractors can come across CUI in processes such as providing financial and cloud services, processing healthcare data, or developing communications and weapons systems [1].
Between 2009 and 2013, a Chinese businessman and a team of hackers successfully broke into multiple contractors’ information systems. The hackers focused on retrieving plans for the F-22 and F-35 fighter jets and the C-17 cargo aircraft in order to sell them to the Chinese government [2]. This event and others like it motivated the DoD to require contractors to implement effective safeguards.
NIST SP 800-171’s control requirements are well known and widely accepted [3]. There are 110 security requirements organized into 14 families for protecting the confidentiality of CUI in contractors’ systems. Each family covers a different general security topic. CMMC language refers to NIST families as “domains.”
Each requirement, or practice, uses the following naming convention:
AC.L1-3.1.1 = [Family/Domain].[CMMC Level]-[Practice Number]
Each family is described below with an example control; the “Level 1” and “Level 2” labels indicate which practices are required for each CMMC level.
Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.
AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.
Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.
AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.
Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.
AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.
Controls in the Configuration Management domain govern the baseline settings installed on software, hardware, and firmware and listed in documentation.
CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware, System Security Plan) listed in their system inventory.
Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system.
IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.
Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.
IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.
Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.
MA Control Example: An organization establishes a procedure for preventive maintenance and performs it by updating operating systems and applications to avoid potential problems, tracking what maintenance was performed to help with troubleshooting if needed.
Controls in the Media Protection domain outline practices for the safeguarding of FCI and CUI in information system media like paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destroying of media before its disposal or reuse.
MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.
Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.
PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, as well as background and credit checks, before they can access CUI.
Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).
PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.
Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.
RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.
Controls in the Security Assessment domain include protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.
CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.
Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.
SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.
Controls in the System and Information Integrity domain entail protocols, like system security alerts and communication monitoring, that protect the integrity and confidentiality of protected data within systems.
SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.
Source: CMMC Level 2 Assessment Guide
How NIST SP 800-171 and CMMC Align
Before the advent of CMMC, the DoD required that contractors self-attest their compliance with NIST SP 800-171 requirements. The CMMC 2.0 model aims to improve on this system. For example, CMMC Level 2 requires a third-party assessment for certification for some contracts, but its requirements are the same as those found in the NIST publication. Because of this, many contractors who have already self-attested their NIST compliance don’t have to implement new controls to comply with CMMC.
| CMMC Level | NIST SP 800-171 Requirements | NIST SP 800-172 Requirements |
|---|---|---|
| CMMC Level 1 | 17/110 | none |
| CMMC Level 2* | 110/110 | none |
| CMMC Level 3 | 110/110 | 35 |

*Note: CMMC 1.0 Level 2 added ten CMMC-specific process requirements to the 110 found in NIST. CMMC 2.0 dropped these additions and mirrors NIST.
While CMMC Level 1 requires 17 of the 110 NIST SP 800-171 controls, Level 2 requirements mirror the NIST publication entirely. Level 3 requirements include all of NIST SP 800-171 and the 35 supplemental requirements found in NIST SP 800-172.
DFARS Clauses and Rules
The Defense Federal Acquisition Regulation Supplement is a collection of acquisitions rules and guidance to facilitate contractors’ supply of goods and services to the DoD. As such, DFARS is the medium by which the DoD announces regulations, policies, and procedures to the DIB.
Several DFARS amendments in recent years include NIST SP 800-171:
DFARS Clause 252.204-7012
Date Published: September 19, 2017
Subject: “Safeguarding Covered Defense Information and Cyber Incident Reporting” — Implementing the Security Requirements of NIST SP 800-171
This rule stated that any contractor that has CUI in their system is required to document and protect that information by following the guidelines in NIST SP 800-171. Self-attestation of NIST requirements was required by the end of December 2017.
DFARS Rule 2019-D041 (DFARS Interim Rule)
Date Published: September 29, 2020
Subject: Assessing Contractor Implementation of Cybersecurity Requirements
Published in tandem with DFARS Clause 252.204-7019, DFARS Rule 2019-D041, also known as the DFARS Interim Rule, announces the phased implementation plan for the CMMC Framework. It also amends DFARS Clause 252.204-7012 to implement the NIST SP 800-171 DoD Assessment Methodology in the acquisition process.
The rule requires contracting officers to take actions prior to awarding a contract on or after November 30, 2020:
- The contracting officer must verify that an offeror has a NIST SP 800-171 DoD Assessment on record in the Supplier Performance Risk System (SPRS) before awarding the contract.
- The contracting officer must verify that an offeror has a CMMC certificate at the level required by the solicitation. (CMMC requirements will only apply to certain new contracts until September 30, 2025, when all contracts are expected to contain CMMC certification requirements.)
DFARS Clause 252.204-7019
Date Published: November 2020
Subject: Notice of NIST SP 800-171 DoD Assessment Requirements
The government issued DFARS Clause 252.204-7019 in November 2020, which requires contractors to submit a basic assessment score (the number of controls compliant out of 110) into the Supplier Performance Risk System (SPRS) demonstrating their current level of compliance with NIST requirements. Also required is a brief summary of a contractor’s system security plan and the date that all requirements are expected to be implemented.
How to Become NIST SP 800-171 Compliant
Get an Assessment
To be considered for a new or renewal contract, contractors must complete a basic assessment and submit the summary-level score to SPRS.
There are two ways to determine your SPRS score:
- A self-assessment
- A readiness assessment performed by a cybersecurity service provider
The results of these assessments are referred to as a “gap analysis.”
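As an added example (not code from the page or from any official DoD tool), the Python helper below parses identifiers in the AC.L1-3.1.1 naming convention described earlier, checks that the family code agrees with the NIST family number, and tallies a constructed set of assessment results into the per-domain gap list and the summary score as this page describes it (implemented controls out of 110). The 3.1 through 3.14 family numbers are taken from NIST SP 800-171 itself; the sample results are made up.

```python
import re

# Family codes and domain names as listed on this page; the NIST SP 800-171
# family numbers (3.1 through 3.14) are taken from the publication itself.
FAMILIES = {
    "AC": (1, "Access Control"), "AT": (2, "Awareness & Training"),
    "AU": (3, "Audit & Accountability"), "CM": (4, "Configuration Management"),
    "IA": (5, "Identification & Authentication"), "IR": (6, "Incident Response"),
    "MA": (7, "Maintenance"), "MP": (8, "Media Protection"),
    "PS": (9, "Personnel Security"), "PE": (10, "Physical Protection"),
    "RA": (11, "Risk Assessment"), "CA": (12, "Security Assessment"),
    "SC": (13, "System and Communications Protection"),
    "SI": (14, "System and Information Integrity"),
}
# [Family].L[Level]-3.[family number].[requirement number], e.g. AC.L1-3.1.1
PRACTICE_RE = re.compile(r"^([A-Z]{2})\.L([123])-3\.(\d{1,2})\.(\d{1,2})$")

def parse_practice(pid):
    """Return (family, level, nist_requirement); reject inconsistent ids."""
    m = PRACTICE_RE.match(pid.strip())
    if not m:
        raise ValueError(f"malformed practice id: {pid!r}")
    fam, level, fam_no, req_no = m[1], int(m[2]), int(m[3]), int(m[4])
    if fam not in FAMILIES:
        raise ValueError(f"unknown family code: {fam}")
    if FAMILIES[fam][0] != fam_no:  # e.g. AC paired with 3.2.x is a typo
        raise ValueError(f"{pid}: {fam} is NIST family 3.{FAMILIES[fam][0]}, not 3.{fam_no}")
    return fam, level, f"3.{fam_no}.{req_no}"

def gap_analysis(results):
    """results maps practice id -> 'implemented' or 'not implemented'.
    Returns (implemented count, gaps grouped by domain name)."""
    implemented, gaps = 0, {}
    for pid, status in results.items():
        fam, level, req = parse_practice(pid)
        if status == "implemented":
            implemented += 1
        elif status == "not implemented":
            gaps.setdefault(FAMILIES[fam][1], []).append((req, level))
        else:
            raise ValueError(f"{pid}: unknown status {status!r}")
    return implemented, gaps

# Constructed sample results (a handful of practices, not a real assessment)
SAMPLE = {
    "AC.L1-3.1.1": "implemented", "AC.L1-3.1.2": "implemented",
    "AC.L2-3.1.3": "not implemented", "IA.L1-3.5.1": "implemented",
    "SC.L1-3.13.1": "implemented", "SI.L2-3.14.3": "not implemented",
}
```

The actual DoD Assessment Methodology deducts weighted points (1, 3 or 5) per unimplemented requirement from 110 rather than counting controls, so substitute those weights before treating the result as a submittable SPRS score.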
Remediate Compliance Gaps
Once a contractor performs an assessment and receives a gap analysis, they must remediate the gaps in compliance. Similarly to assessments, there are two main methods to remediate compliance gaps:
- Contractors can implement requirements themselves (with or without the help of documentation templates and one-off solutions)
- Contractors can hire a cybersecurity service provider who offers comprehensive compliance services
Note: Many cybersecurity service providers claim to offer comprehensive compliance, but only operate as advisory consultants, leaving clients to complete remediation largely on their own.
CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance program at a fraction of the cost of DIY options. Choose from five cost-effective packages of 23 turnkey cyber security services, all including POA&M, SSP, and Policies & Standards.
Get a CMMC Certification Assessment
As C3PAOs become available, Level 2 and Level 3 contractors who require CMMC certification must undergo a third-party assessment. The assessment evaluates the contractor’s adherence to NIST SP 800-171 requirements and results in a certification that establishes contract eligibility.