Home | Steps to Compliance | Understanding CMMC

minutes remaining

Wherever you can find information about CMMC, the term “NIST SP 800-171” is likely present. While CMMC is the DoD’s new model for implementing cyber security standards across the Defense Industrial Base, the controls required in each level are adopted from proven NIST standards. It’s vital for contractors working toward CMMC compliance to learn about the standards found in NIST SP 800-171.

What is NIST SP 800-171?

NIST Special Publication 800-171, secondarily titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is one of many cyber security publications written by the National Institute of Standards and Technology. The 113-page document outlines the methodology for developing its security standards and describes the 110 recommended control requirements.

Reference: NIST Special Publication 800-171

Protecting Controlled Unclassified Information

The publication provides a set of recommended cyber security standards that are useful for any organization. However, these NIST standards were developed specifically to address the protection of federal controlled unclassified information (CUI) processed, stored, and transmitted in support of delivering products and services within the DIB:

when the CUI is resident in a nonfederal system and organization.
when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

The Purpose of NIST SP 800-171

According to NIST, the protection of CUI in nonfederal systems (an information system that is not used or operated by an executive agency) is essential to the protection of the U.S. government and the nation as a whole. DoD contractors’ can come across CUI in processes such as providing financial and cloud services, processing healthcare data, or developing communications and weapons systems¹.

Between 2009 and 2013, a Chinese businessman and hacker team successfully broke into multiple contractors’ information systems. The hackers focused on retrieving plans for fighter jets F-22 and F-35 as well as a C-17 cargo aircraft in order to then sell the plans to the Chinese government². This event and others like it served as motivation for the DoD to require contractors to implement effective safeguards.

Control Requirements

NIST SP 800-171’s control requirements are well-known and widely accepted^³. There are 110 security requirements organized into 14 families for protecting the confidentiality of CUI in contractors’ systems. Each family covers a different general security topic. CMMC language refers to NIST families as “domains.”

Each requirement, or practice, uses the following naming convention:
AC.L1-3.1.1 = [Family/Domain] . [CMMC Level] – [Practice Number]

Click a tab to see a description of each family and its list of control requirements (“Level 1” and “Level 2” categories aid in understanding which practices are required for each CMMC level).

Access Control (AC)

Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.

AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.

CMMC Level 1 Practices

AC.L1-3.1.1 – Authorized Access Control
AC.L1-3.1.2 – Transaction & Function Control
AC.L1-3.1.20 – External Connections
AC.L1-3.1.22 – Control Public Information

CMMC Level 2 Practices

AT.L2-3.1.3 – Control CUI Flow
AC.L2-3.1.4 – Separation of Duties
AC.L2-3.1.5 – Least Privilege
AC.L2-3.1.6 – Non-Privileged Account Use
AC.L2-3.1.7 – Privileged Functions
AC.L2-3.1.8 – Unsuccessful Logon Attempts
AC.L2-3.1.9 – Privacy & Security Notices
AC.L2-3.1.10 – Session Lock
AC.L2-3.1.11 – Session Termination
AC.L2-3.1.12 – Control Remote Access
AC.L2-3.1.13 – Remote Access Confidentiality
AC.L2-3.1.14 – Remote Access Routing
AC.L2-3.1.15 – Privileged Remote Access
AC.L2-3.1.16 – Wireless Access Authorization
AC.L2-3.1.17 – Wireless Access Protection
AC.L2-3.1.18 – Mobile Device Connection
AC.L2-3.1.19 – Encrypt CUI on Mobile
AC.L2-3.1.21 – Portable Storage Use

Awareness and Training (AT)

Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.

AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.

CMMC Level 1 Practices

No Level 1 AT Practices

CMMC Level 2 Practices

AT.L2-3.2.1 – Role-Based Risk Awareness
AT.L2-3.2.2 – Role-Based Training
AT.L2-3.2.3 – Insider Threat Awareness

Audit and Accountability (AU)

Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.

AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.

CMMC Level 1 Practices

No Level 1 AU Practices

CMMC Level 2 Practices

AU.L2-3.3.1 – System Auditing
AU.L2-3.3.2 – User Accountability
AU.L2-3.3.3 – Even Review
AU.L2-3.3.4 – Audit Failure Alerting
AU.L2-3.3.5 – Audit Correlation
AU.L2-3.3.6 – Reduction & Reporting
AU.L2-3.3.7 – Authoritative Time Source
AU.L2-3.3.8 – Audit Protection
AU.L2-3.3.9 – Audit Management

Configuration Management (CM)

Controls in the Configuration Management domain govern the baseline settings installed on software, hardware, and firmware and listed in documentation.

CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware, System Security Plan) listed in their system inventory.

CMMC Level 1 Practices

No Level 1 CM Practices

CMMC Level 2 Practices

CM.L2-3.4.1 – System Baselining
CM.L2-3.4.2 – Security Configuration Enforcement
CM.L2-3.4.3 – System Change Management
CM.L2-3.4.4 – Security Impact Analysis
CM.L2-3.4.5 – Access Restrictions for Change
CM.L2-3.4.6 – Least Functionality
CM.L2-3.4.7 – Nonessential Functionality
CM.L2-3.4.8 – Application Execution Policy
CM.L2-3.4.9 – User-Installed Software

Identification and Authentication (IA)

Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system.

IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.

CMMC Level 1 Practices

IA.L1-3.5.1 – Identification
IA.L1-3.5.2 – Authentication

CMMC Level 2 Practices

IA.L2-3.5.3 – Multifactor Authentication
IA.L2-3.5.4 – Replay-Resistant Authentication
IA.L2-3.5.5 – Identifier Reuse
IA.L2-3.5.6 – Identifier Handling
IA.L2-3.5.7 – Password Complexity
IA.L2-3.5.8 – Password Reuse
IA.L2-3.5.9 – Temporary Passwords
IA.L2-3.5.10 – Cryptographically-Protected Passwords
IA.L2-3.5.11 – Obscure Feedback

Incident Response (IR)

Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.

IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.

CMMC Level 1 Practices

No Level 1 IR Practices

CMMC Level 2 Practices

IR.L2-3.6.1 – Incident Handling
IR.L2-3.6.2 – Incident Reporting
IR.L2-3.6.3 – Incident Response Testing

Maintenance (MA)

Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.

MA Control Example: An organization establishes a procedure and performs preventative maintenance by updating operating systems and applications to avoid potential problems, tracking what maintenance was perform to help with troubleshooting (if needed).

CMMC Level 1 Practices

No Level 1 MA Practices

CMMC Level 2 Practices

MA.L2-3.7.1 – Perform Maintenance
MA.L2-3.7.2 – System Maintenance Control
MA.L2-3.7.3 – Equipment Sanitization
MA.L2-3.7.4 – Media Inspection
MA.L2-3.7.5 – Nonlocal Maintenance
MA.L2-3.7.6 – Maintenance Personnel

Media Protection (MP)

Controls in the Media Protection domain outline practices for the safeguarding of FCI and CUI in information system media like paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destroying of media before its disposal or reuse.

MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.

CMMC Level 1 Practices

MP.L1-3.8.3 – Media Disposal

CMMC Level 2 Practices

MP.L2-3.8.1 – Media Protection
MP.L2-3.8.2 – Media Access
MP.L2-3.8.4 – Media Markings
MP.L2-3.8.5 – Media Accountability
MP.L2-3.8.6 – Portable Storage Encryption
MP.L2-3.8.7 – Removeable Media
MP.L2-3.8.8 – Shared Media
MP.L2-3.8.9 – Protect Backups

Personnel Security (PS)

Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.

PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, as well as background and credit checks, before they can access CUI.

CMMC Level 1 Practices

No Level 1 PS Practices

CMMC Level 2 Practices

PS.L2-3.9.1 – Screen Individuals
PS.L2-3.9.2 – Personnel Actions

Physical Protection (PE)

Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).

PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.

CMMC Level 1 Practices

PE.L1-3.10.1 – Limit Physical Access
PE.L1-3.10.3 – Escort Visitors
PE.L1-3.10.4 – Physical Access Logs
PE.L1-3.10.5 – Manage Physical Access

CMMC Level 2 Practices

PE.L2-3.10.2 – Monitor Facility
PE.L2-3.10.6 – Alternative Work Sites

Risk Assessment (RA)

Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.

RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.

CMMC Level 1 Practices

No Level 1 RA Practices

CMMC Level 2 Practices

RA.L2-3.11.1 – Risk Assessments
RA.L2-3.11.2 – Vulnerability Scan
RA.L2-3.11.3 – Vulnerability Remediation

Security Assessment (CA)

Controls in the Security Assessment domain includes protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.

CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.

CMMC Level 1 Practices

No Level 1 CA Practices

CMMC Level 2 Practices

CA.L2-3.12.1 – Security Control Assessment
CA.L2-3.12.2 – Plan of Action
CA.L2-3.12.3 – Security Control Monitoring
CA.L2-3.12.4 – System Security Plan

System and Communications Protection (SC)

Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.

SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.

CMMC Level 1 Practices

SC.L1-3.13.1 – Boundary Protection
SC.L1-3.13.5 – Public-Access System Separation

CMMC Level 2 Practices

SC.L2-3.13.2 – Security Engineering
SC.L2-3.13.3 – Role Separation
SC.L2-3.13.4 – Shared Resource Control
SC.L2-3.13.6 – Network Communication by Exception
SC.L2-3.13.7 – Split Tunneling
SC.L2-3.13.8 – Data in Transit
SC.L2-3.13.9 – Connections Termination
SC.L2-3.13.10 – Key Management
SC.L2-3.13.11 – CUI Encryption
SC.L2-3.13.12 – Collaborative Device Control
SC.L2-3.13.13 – Mobile Code
SC.L2-3.13.14 – Voice Over Internet Protocol
SC.L2-3.13.15 – Communications Authenticity
SC.L2-3.13.16 – Data at Rest

System and Information Integrity (SI)

Controls in the System and Information Integrity domain entail protocols, like system security alerts and communication monitoring, that ensure total confidentiality of protected data within systems.

SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.

CMMC Level 1 Practices

SI.L1-3.14.1 – Flaw Remediation
SI.L1-3.14.2 – Malicious Code Protection
SI.L1-3.14.4 – Update Malicious Code Protection
SI.L1-3.14.5 – System & File Scanning

CMMC Level 2 Practices

SI.L2-3.14.3 – Security Alerts & Advisories
SI.L2-3.14.6 – Monitor Communications for Attacks
SI.L2-3.14.7 – Identify Unauthorized Use

Source: CMMC Level 2 Assessment Guide

How NIST SP 800-171 and CMMC Align

Before the advent of CMMC, the DoD required that contractors self-attest their compliance with NIST SP 800-171 requirements. The CMMC 2.0 model aims to improve on this system. For example, CMMC Level 2 requires a third-party assessment for certification for some contracts, but its requirements are the same as those found in the NIST publication. Because of this, many contractors who have already self-attested their NIST compliance don’t have to implement new controls to comply with CMMC.

CMMC Level 1	17/110 NIST SP 800-171 Requirements
CMMC Level 2*	110/110 NIST SP 800-171 Requirements
CMMC Level 3	110/110 NIST SP 800-171 Requirements	35 NIST SP 800-172 Requirements

*Note: CMMC 1.0 Level 2 listed ten additional CMMC-specific process requirements to the 110 found in NIST. CMMC 2.0 reversed these additions and mirrors NIST.

While CMMC Level 1 requires 17 of the 110 NIST SP 800-171 controls, Level 2 requirements mirror the NIST publication entirely. Level 3 requirements include all of NIST SP 800-171 and the 35 supplemental requirements found in NIST SP 800-172.

DFARS Clauses and Rules

The Defense Federal Acquisition Regulation Supplement is a collection of acquisitions rules and guidance to facilitate contractors’ supply of goods and services to the DoD. As such, DFARS is the medium by which the DoD announces regulations, policies, and procedures to the DIB.

Several DFARS amendments in recent years include NIST SP 800-171:

DFARS Clause 252.204-7012

Date Published: September 19, 2017

Subject: “Safeguarding Covered Defense Information and Cyber Incident Reporting” — Implementing the Security Requirements of NIST SP 800-171

This rule stated that any contractor that has CUI in their system is required to document and protect that information by following the guidelines in NIST SP 800-171. Self-attestation of NIST requirements was required by the end of December 2017.

Reference: DFARS Clause 252.204-7012

Reference: Guidance for Selected Elements of DFARS Clause 252.204-7012

DFARS Rule 2019-D041 (DFARS Interim Rule)

Date Published: September 29, 2020

Subject: Assessing Contractor Implementation of Cybersecurity Requirements

Published in tandem with DFARS Clause 252.204-7019, DFARS Rule 2019-D041, also known as the DFARS Interim Rule, announces the phased implementation plan for the CMMC Framework. It also amends DFARS Clause 252.204-7012 to implement the NIST SP 800-171 DoD Assessment Methodology in the acquisition process.

The rule requires contracting officers to take actions prior to awarding a contract on or after November 30, 2020:

The contracting officer must verify an offeror has a NIST SP 800-171 DoD Assessment on record in the SPRS system before granting the contract.
The contracting officer must verify an offerer has a CMMC certificate at the level required by the solicitation. (CMMC requirements will only apply to certain new contracts until September 30, 2025 when all contracts are expected to contain CMMC certification requirements.)

Reference: DFARS Rule 2019-D041

Reference: DFARS Rule 2019-D041 Executive Summary

DFARS Clause 252.204-7019

Date Published: November 2020

Subject: Notice of NIST SP 800-171 DoD Assessment Requirements

The government issued DFARS Clause 252.204-7019 in November 2020, which requires contractors to submit a basic assessment score (the number of controls compliant out of 110) into the Supplier Performance Risk System (SPRS) demonstrating their current level of compliance with NIST requirements. Also required is a brief summary of a contractor’s system security plan and the date that all requirements are expected to be implemented.

Reference: DFARS Clause 252.204-7019

How to Become NIST SP 800-171 Compliant

Get an Assessment

To be considered for a new or renewal contract, contractors must complete a basic assessment and submit the summary level score to the SPRS system.

There are two options to find your SPRS score:

A self-assessment
A readiness assessment performed by a cybersecurity service provider

The results of these assessments are referred to as a “gap analysis.”

Free Tool: NIST SP 800-171 Self-Assessment Tool

Talk to CMMC Experts About a Readiness Assessment

Remediate Compliance Gaps

Once a contractor performs an assessment and receives a gap analysis, they must remediate the gaps in compliance. Similarly to assessments, there are two main methods to remediate compliance gaps:

Contractors can implement requirements themselves (with or without the help of documentation templates and one-off solutions)
Contractors can hire a cybersecurity service provider who offers comprehensive compliance services

Note: Many cybersecurity service providers claim to offer comprehensive compliance, but only operate as advisory consultants, leaving clients to complete remediation largely on their own.
CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance program at a fraction of the cost of DIY options. Choose from five cost-effective packages of 23 turnkey cyber security services, all including POA&M, SSP, and Policies & Standards.

Get a CMMC Certification Assessment

As C3PAOs become available, Level 2 and 3 contractors who require CMMC certification must undergo a third-party assessment. This assessment will assess the contractors’ adherence to NIST SP 800-171 requirements and issue a certification to enable contract eligibility.