White Papers - Redspin

The Relationship Between CMMC and NIST SP 800_171 White Paper

Issue link: https://insights.redspin.com/i/1350361

Contents of this Issue


Page 0 of 2

WHITE PAPER The Relationship Between CMMC & NIST SP 800-171 NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is a federal government standard the provides minimum requirements for non-federal agencies (i.e., Department of Defense contractors) to adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). In the past, self-attestation was the only requirement. As the threat landscape became more aggressive, an advanced cybersecurity maturity model, called the Cybersecurity Maturity Model Certification (CMMC) framework, was developed to improve the cybersecurity posture of the Defense Industrial Base (DIB) to adequately protect CUI/FCI. THE CHALLENGE Adversaries continue to target the Defense Industrial Base (DIB) via cyberattack vectors to gain access to sensitive data, causing significant damage to the DoD's supply chain, and ultimately, critical offensive and defensive capabilities. The DoD is aiming to reduce the estimated $600 billion in cybercrime losses impacting the nation's military supply chain every year by requiring third-party cyber security assessments of contractors that process, store, and/or transmit CUI. To combat against these threats, every DoD contractor will require a cybersecurity certification from an independent assessment organization. THE SOLUTION The DoD has adopted the Cybersecurity Maturity Model Certification (CMMC) framework for its 300,000 DIB contractors to achieve CMMC certification as a requirement contract award eligibility. The CMMC framework recognizes that security is not a one-size-fits-all endeavor, therefore the certification level an organization must meet is determined based on the type and sensitivity of information to be protected measured against the range of threats. NIST SP 800-171 AND CMMC RELATIONSHIP Both NIST SP 800-171 and the CMMC Framework are designed to protect FCI/CUI data. For a CMMC Level 3 certification, it takes all 110 security controls from NIST SP 800-171, plus an additional 20 CMMC security practices (beyond NIST SP 800-171), along with specific guidelines to measure the organization's institutional processes, such as the Software Engineering Institute's (SEI) CERT Resilience Management Model (RMM). While CMMC combines various security standards and best practices, to include NIST SP 800-171, there is also a requirement for contractors to submit their NIST SP 800-171 self-assessment. Specifically, the DoD issued an interim rule, Assessing Contractor Implementation of Cybersecurity Requirements, on Sep 29, 2020 (effective Nov 30, 2020) to implement: • The NIST SP 800-171 DoD Assessment Methodology (DFARS Clause 252.204-7019) • The CMMC Framework (DFARS Clause 252.204-7021)

Articles in this issue

view archives of White Papers - Redspin - The Relationship Between CMMC and NIST SP 800_171 White Paper