NIST 800-171 vs CMMC

Posted by ComplianceForge on Jan 10th 2020

At ComplianceForge, we field a lot of questions regarding NIST 800-171 compliance and the pending Cybersecurity Maturity Model Certification (CMMC). This article is something we made to help answer the common questions pertaining to what CMMC is and how it pertains to NIST 800-171.

NIST 800-171 vs CMMC Overview

CMMC is a vehicle the US Government is using to audit compliance with NIST SP 800-171. DoD contractors have been required to comply with this regulation since January 1, 2018. In the past two years, the DoD had to react to the low adoption level of compliance by the Defense Industrial Base (DIB), and CMMC was created to remedy that non-compliance. It is conservatively estimated that between 200,000 and 300,000 organizations will be in scope for CMMC, with many of those not being considered traditional defense contractors. The reason for that is the trickle-down effect of third parties that have the ability to impact the confidentiality or integrity of CUI where it is stored, transmitted and/or processed. This trickle-down will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.

Based on version 0.7 of the CMMC, there are 5 levels and each has its own specific set of controls that will be in scope for a CMMC audit. This article will cover this breakdown in more detail:

  • CMMC Level 1: 17 Controls
  • CMMC Level 2: 72 Controls (includes Level 1 controls)
  • CMMC Level 3: 131 Controls (includes Level 2 controls)
  • CMMC Level 4: 157 Controls (includes Level 3 controls)
  • CMMC Level 5: 173 Controls (includes Level 4 controls)

How Should I Prepare For A CMMC Audit?

There is no current guidance on what 3rd Party Assessment Organizations (3PAO) will use for these assessments, but the current assumption by many is that NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria a 3PAO uses when evaluating a CMMC requirement that is directly mapped to a NIST 800-171 rev1 control.

If I Comply With CMMC, Does It Mean That I Comply With NIST 800-171?

No. If you look in Appendix D of NIST 800-171 rev1, you will see it contains 110 Controlled Unclassified Information (CUI) controls, and in Appendix E there are also 63 Non-Federal Organization (NFO) controls. While NIST 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and NFO controls.

For some reason, CMMC only focuses on CUI controls and does not have NFO controls in scope for the CMMC audits. While having fewer controls in scope for an audit is financially beneficial to contractors, it also lulls most contractors into a false sense of compliance, where they focus on the 110 CUI controls and ignore the 63 NFO controls. To reiterate that point, to be considered “NIST 800-171 compliant” you need to comply with both the CUI and NFO controls. Therefore, having a CMMC Level 1, 2, 3, 4 or 5 certification does not mean you are actually compliant with NIST 800-171, and that can put your organization afoul of the False Claims Act (FCA), since you are required to comply with NIST 800-171. CMMC is merely a 3rd party validation check to see if a basic level of compliance is being done as part of the contracting process.

CMMC Level 1

There are 17 controls that make up CMMC Level 1, and each of those controls is directly mapped to Federal Acquisition Regulation (FAR) 52.204-21. Even though there are only 15 FAR 52.204-21 controls, the CMMC spread that basic coverage across 17 CMMC controls. Why? Most likely, it is due to the high-level nature of the FAR requirements, so subjective interpretation made the case for 17 CMMC controls being needed to adequately address the 15 FAR controls. Regardless, CMMC Level 1 is essentially just complying with FAR 52.204-21 under the lens of NIST 800-171.

A CMMC Level 1 audit will cover 15% of the NIST 800-171 CUI controls.

CMMC Level 2

There are 72 controls that make up CMMC Level 2, which encompasses the CMMC Level 1 controls. A CMMC Level 2 audit will cover 65% of the NIST 800-171 CUI controls.

CMMC Level 3

There are 131 controls that make up CMMC Level 3, which encompasses the CMMC Level 1 & 2 controls. A CMMC Level 3 audit will cover 100% of the NIST 800-171 CUI controls and an additional 21 controls from various sources.

The additional 21 non-NIST 800-171 controls are:

  • AM-C005-P1035. Identify, categorize, and label all CUI data.
  • AM-C005-P1036. Define procedures for the handling of CUI data.
  • AA-C008-P1048. Collect audit logs into a central repository.
  • AA-C010-P1044. Review audit logs.
  • IR-C017-P1093. Detect and report events.
  • IR-C017-P1094. Analyze and triage events to support event resolution and incident declaration.
  • IR-C018-P1096. Develop and implement responses to declared incidents according to pre-defined procedures.
  • IR-C019-P1097. Perform root cause analysis on incidents to determine underlying causes.
  • RE-C029-P1137. Regularly perform and test data back-ups.
  • RE-C029-P1139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.
  • RM-C031-P1144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
  • RM-C032-P1146. Develop and implement risk mitigation plans.
  • RM-C032-P1147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
  • SAS-C036-P1162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.
  • SA-C037-P1169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
  • SCP-C039-P1179. Use encrypted sessions for the management of network devices.
  • SCP-C040-P1192. Implement Domain Name System (DNS) filtering services.
  • SCP-C040-P1193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).
  • SII-C043-P1218. Employ spam protection mechanisms at information system access entry and exit points.
  • SII-C044-P1219. Implement DNS or asymmetric cryptography email protections.
  • SII-C044-P1220. Utilize email sandboxing to detect or block potentially malicious email attachments.

CMMC Levels 4 & 5

For CMMC Level 4, there are 157 controls. For CMMC Level 5, there are 173 controls. As you can see, these numbers exceed the 110 CUI controls found in NIST 800-171. CMMC Levels 4 & 5 build off CMMC Level 3 with controls from a range of frameworks:

  • CERT RMM v1.2
  • NIST 800-53
  • NIST 800-171B
  • ISO 27002
  • CIS CSC 7.1
  • Unknown “CMMC” references that are not attributed to existing frameworks.

Additionally, CMMC C034-P1163 requires CMMC Level 4 & 5 organizations to create, maintain and leverage a documented security strategy and roadmap to demonstrate how they are improving their cybersecurity practices. That means the organization's cybersecurity business plan / strategy will be in scope for review during the CMMC audit.