The Difference Between CMMC and NIST

The Department of Defense announced the CMMC system as the compliance vehicle for the security controls outlined in NIST SP-800-171 more than a year ago. During that time, qualification criteria have become more evident, auditors have been qualified, and DoD contractors have begun to plan for the imminent change. Both the DoD and its contractors are taking the CMMC very seriously and with good reason.

The CMMC is a set of cybersecurity guidelines for DoD contractors, as well as a third-party auditing regime to implement such standards. While there are significant variations between CMMC and 800-171, there are also many parallels since CMMC enforces 800-171.

What is the Primary Difference between CMMC and NIST?

Although the CMMC is primarily focused on 800-171, the two are extremely dissimilar. Their frameworks differ significantly in two main ways:

  • Instead of self-certifying, contractors must have their security measures certified through third-party audits.
  • Contractors must be certified before they can submit a contract offer or perform on a contract.

The Department of Defense created CMMC to ensure adherence to the NIST SP 800-171 requirements. Despite the fact that the 800-171 standards were released in 2018, adoption rates have remained poor. And when the Department of Defense found a non-compliant environment, remediation plans were extremely lax under 800-171: the contractor would outline a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to address the deficiency.

However, it was not unusual for a POA&M to last a year or more. Meanwhile, the contractor could continue to carry out the contract — and obtain access to DoD systems — on the condition that they meet the requirements they should have reached by now.

How the CMMC surpasses NIST 800-171

For years, DoD contractors were forced to follow DFARS, which meant they had to follow the requirements outlined in NIST 800-171. Although NIST 800-171 and its amendments are at the heart of cybersecurity standards, they are mainly concerned with lower-level safeguards for regulated unclassified data. The majority of the higher-level standards are covered by publications like NIST SP 800-172 and NIST SP 800-53, as well as regulations like 48 CFR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems” and DFARS Clause 252.204-7012, “Defense Industrial Base Compliance Information.” Specific CMMC-required controls, on the other hand, are referred to in other source documentation.

To put it another way, the CMMC certifies that a contractor meets all relevant NIST 800-171 (and other guidance) criteria. Following NIST 800-171 and other applicable publication standards guarantees that a contractor follows DFARS rules, which are consistent with the FAR. The DoD can do business with the authorized contractor.

The CMMC’s Advantages to be Acknowledged

The sheer complexity of the specifications was one of the reasons for the low levels of NIST 800-171 enforcement among contractors. The majority of small to mid-size contractors couldn’t comply with the DoD’s requirement for complete adherence to NIST 800-171, a document intended to cover nearly all contractor systems. Many of them lacked the technological skills to completely comprehend the criteria or complete a self-assessment, let alone put them into effect.

One of the advantages of the CMMC, considering its complexity, is that it summarizes a vast array of federal standards, criteria, publications, and best practices — and organizes them into clearly specified CMMC qualification levels. NIST 800-171 mapping for complex control mechanisms was extremely difficult prior to the implementation of the CMMC; contractors could introduce several advanced features while overlooking certain basic controls that enabled backdoor access to their information systems.

Contractors should use the CMMC’s standard NIST 800-171 system protection plan framework to decide what level of certification they need and the specific controls they must implement to achieve it. We’ve gathered all of these controls and grouped them into a NIST 800-171 checklist that makes it simple to move through each of the CMMC certification levels.

CMMC’s Improvement over NIST 800-171

NIST special publications (such as NIST 800-171 Rev 2 and NIST 800-171 Rev B) provide direction, while CMMC levels merely confirm that contractors have met those (and other) criteria. At the same time, the CMMC has strengthened the basic structure of NIST 800-171 in a variety of ways.

To begin with, the CMMC has expanded the number of cybersecurity domains. In addition to the 14 domains listed in NIST 800-171, the CMMC adds three more: asset management, recovery, and situational awareness. The greater precision of the CMMC makes it easier for contractors to understand what they must do and why.

Second, NIST 800-171 is mainly concerned with controls, procedures, and implementation. The CMMC tests a company’s maturity in cybersecurity and integrates those controls into the company’s DNA. Focusing on a company’s security maturity creates a self-perpetuating culture that can ultimately lead to a far higher degree of information security than simply following NIST 800-171’s checklist of control mechanisms. DoD auditors will aim for more sophisticated cyber threat intelligence at the higher CMMC levels, including threat hunting and intel exchange with other organizations.

Third, the CMMC refers to a broader set of controls than those outlined in NIST 800-171. Of the 171 controls required across all five CMMC levels, forty-six appear in neither NIST 800-171 Rev 2 nor NIST 800-171 Rev B. The Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), and the NIST Cybersecurity Framework (CSF) are among the sources that contributed these additional best practices.

Conclusion

Since contractors were given a blanket mandate to follow NIST 800-171, a lot has changed. The CMMC builds on the control structures outlined in NIST 800-171, stresses a contracting organization’s sophistication and culture of information security, and dramatically simplifies the process of being compliant for a contractor.

Neither NIST 800-171 Rev 2 nor NIST 800-171 Rev B is replaced by the CMMC. It essentially summarizes them and adds other cybersecurity practices to the mix. Overall, the DoD and the federal government as a whole have taken a step forward in information security by implementing the CMMC.
