White Papers - Redspin

The Relationship Between CMMC and NIST SP 800_171 White Paper

Issue link: https://insights.redspin.com/i/1350361


NIST SP 800-171 Self-assessment Requirement: During the CMMC multi-year rollout through September 30, 2025, DoD contractors must document their NIST SP 800-171 self-assessment in the Supplier Performance Risk System (SPRS) per the NIST SP 800-171 DoD Assessment Methodology.

CMMC Requirement: At the same time, DoD contractors must become CMMC certified by contract award. This requires contractors to maintain the appropriate CMMC level with respect to each contract. All contracts and solicitations will have CMMC requirements included by September 30, 2025. In a certain respect, the NIST SP 800-171 DoD self-assessment is a placeholder until the contractor can achieve its required level of CMMC certification. NIST SP 800-171 is a measurement of quantified compliance with the standards.

HOW IS CMMC DIFFERENT FROM NIST SP 800-171?

The DoD has developed the CMMC Framework to provide a consistent standard for implementation across the DIB. CMMC differs from NIST SP 800-171 in several respects, including:

• A cumulative model based on five levels, with each level consisting of practices and processes.
• Additional security practices beyond the security controls in NIST SP 800-171.
• Addition of maturity processes to measure the organization's level of maturity.
• The required level of certification depends on data sensitivity (FCI/CUI):
  o CMMC Level 1 is for FCI
  o CMMC Level 3 is for CUI
• CMMC Level 3 measures a contractor's organizational cyber culture, not just quantified compliance.
• A requirement for 100% conformity with CMMC for either a CMMC Level 1 or CMMC Level 3 certification (as of this time).
• CMMC provides independent validation of cybersecurity resilience and 100% conformance.
• DoD contractors must complete the CMMC Plan of Action & Milestones (POA&M) before the day of the CMMC assessment.
  o No open POA&M items with respect to the assessment.
  o Note that this is a POA&M with respect to meeting all CMMC assessment requirements.
  o This does not mean that the organization no longer executes its risk management processes or no longer has any POA&Ms to manage as part of its operational security program.

"Adapted from the CMMC Model V1.02 Guidance, Cybersecurity Maturity Model Certification (CMMC) (osd.mil)"
