Cybersecurity Maturity Model Certification (CMMC) v2.0 & NIST 800-171 rev2 Compliance
We field a lot of questions regarding NIST 800-171 compliance and the DoD's Cybersecurity Maturity Model Certification (CMMC) assessment program. The information on this page relates to the common questions of what CMMC is, how CMMC relates to NIST 800-171 and what ComplianceForge products address both NIST 800-171 and CMMC requirements. As of 29 September 2020, CMMC is a requirement as part of DFARS 252.204-7021, which requires compliance with NIST 800-171 as part of DFARS 252.204-7012. With the release of "CMMC 2.0" that takes the focus of CMMC back to pure NIST SP 800-171 controls.
ComplianceForge is an industry-leader in NIST 800-171 compliance documentation and have been evolving our DFARS-specific cybersecurity solutions since 2016. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we are here to help make NIST 800-171 compliance as easy and as affordable as possible. Essentially, CMMC is the DoD's requirement for the Defense Industrial Base (DIB) to obtain a third-party assessment that NIST 800-171 controls are implemented.
NIST 800-171 rev 2 (DFARS 252.204-7012)& CMMC v2.0 (DFARS 252.204-7021) Overview
CMMC is a vehicle the US Government is using to implement a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DoD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DoD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB) and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. Interestingly, when NIST 800-171 was initially launched, the DoD would not accept any form of 3rd-party audit for evidence of NIST 800-171 compliance, but that is exactly what CMMC does, so a lot has changed in the past two years from how NIST 800-171 adoption was initially envisioned.
Think of CMMC as a procurement gate that a contractor must pass to even be eligible to bid on, win or participate on a contract - without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from the contract. It is conservatively-estimated that between 200,000 - 300,000 organizations will be in scope for CMMC, with many of those not being considered traditional defense contractors. The reason for that is the trickle-down effect of third-parties that have the ability to impact the confidentiality and/or integrity of Controlled Unclassified Information (CUI) where it is stored, transmitted and/or processed. This trickle-down will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.
If you are new to CMMC and want to get a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, you can click on the image to the right to read the "Defense Acquisitions: DOD’s Cybersecurity Maturity Model Certification Framework" from the Congressional Research Services (CRS). This document is meant to help educate members of Congress on CMMC, so it is about as neutral as anyone could expect an overview to be.
The CRS report to Congress is loaded with references that you can use to verify information for yourself. It is a really good guide to understand the history and some of the challenges pertaining to CMMC, so it is a worthwhile document to read.
Downloadable Excel Spreadsheet - CMMC 2.0 Crosswalk
On 18 March 2020, the US Department of Defense (DoD) released version 1.02 of the CMMC. We took those requirements and made those into a user-friendly requirements matrix that indicates the requirements an organization faces from CMMC level 1 through level 5. We also provide mappings that show how ComplianceForge's products support each CMMC requirement. In the downloadable CMMC v2.0 requirements mapping matrix shown below, you can see how all CMMC 2.0 Level 1-3 requirements are supported by various ComplianceForge products.
That downloadable Excel spreadsheet for CMMC v1.02 provides crosswalk mapping to the following frameworks:
- FAR 52.204-21
- NIST 800-171 rev2
- NIST 800-171B
- NIST 800-53 rev4
- CERT RMM v1.2
- ISO 27002
- NIST Cybersecurity Framework
- CIS Critical Security Controls v7.1
- Secure Controls Framework (SCF)
Mapping to the following ComplianceForge products:
- NIST 800-171 Compliance Program (NCP)
- NIST 800-53 Cybersecurity & Data Protection Program (CDPP)
- Digital Security Program (DSP)
New To CMMC? Use The "CMMC Kill Chain" To Build A Project Plan
A common issue facing many front-line IT/cybersecurity practitioners is that they do not know where to start with CMMC, let alone what path they need to follow to pass a CMMC assessment. There is an enormous amount of "What is CMMC?" guidance on LinkedIn, webinars and on the Internet in general, but there is a lack of practical guidance of HOW you are actually supposed to "do CMMC" in realistic terms. The CMMC Kill Chain is designed to provide a roadmap that would be usable for (1) anyone starting out or (2) anyone wanting to double check their approach. You can also download it by clicking on the image below to get a PDF version of the graphic and description.
Cybersecurity Maturity Model Certification (CMMC) v2.0 Requirements - Understanding The People, Processes & Technology Connections
As you can see in the downloadable infographic below, the responsibilities associated with CMMC spread far beyond just the cybersecurity team. Having a clear understanding of who "owns" certain CMMC controls now will payoff significantly as you prepare for your CMMC audit, since these are primarily not "cybersecurity" controls and many are owned by the business process owner or the IT asset custodians.
NIST 800-171 & CMMC Scoping Considerations - Free Guide To Reducing Controlled Unclassified Information (CUI)
Click here for a FREE GUIDE
We put together a free guide to help identify what is in scope for NIST 800-171 rev2. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
Based on a lack of scoping guidance from the DoD, our assessment of scoping NIST 800-171 is that it should following a similar, structured approach to scoping that is used for PCI DSS compliance. The reason for this is the proposed approach is a reasonable method, based on accepted practices to comply with cybersecurity requirements. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
What ComplianceForge Products Apply To NIST 800-171 Compliance?
Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171.
|ComplianceForge Product||DFARS / NIST 800-171||NIST 800-53|
Cybersecurity & Data Protection Program (CDPP) or
[policies & standards map to all NIST 800-171 rev2 requirements]
NIST 800-171 (multiple NFO controls)
|Vendor Compliance Program (VCP)||252.204-7008
NIST 800-171 NFO PS-7
|Cybersecurity Risk Management Program (RMP)||252.204-7008
NIST 800-171 NFO RA-1
|Cybersecurity Risk Assessment Template (CRA)||252.204-7008
NIST 800-171 3.11.1
|Vulnerability & Patch Management Program (VPMP)||252.204-7008
NIST 800-171 3.11.2
|Integrated Incident Response Program (IIRP)||252.204-7008
NIST 800-171 3.6.1
|Security & Privacy By Design (SPBD)||252.204-7008
NIST 800-171 NFO SA-3
|System Security Plan (SSP)||252.204-7008
NIST 800-171 3.12.4
|Cybersecurity Standardized Operating Procedures (CSOP)||252.204-7008
NIST 800-171 (multiple NFO controls)
|Continuity of Operations Plan (COOP)||252.204-7008
NIST 800-171 3.6.1
|Secure Baseline Configurations (SBC)||252.204-7008
NIST 800-171 3.4.1
|Information Assurance Program (IAP)||252.204-7008
NIST 800-171 NFO CA-1
NIST 800-171 & CMMC Policies, Standards & Procedures Done Right - Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with NIST 800-171, NIST 800-53, ISO 27002, NIST CSF, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
How Should I Prepare For A CMMC Audit?
Based on version 1.0 of the CMMC, there are 5 levels and each has its own specific set of controls that will be in scope for a CMMC audit. Each level of CMMC maturity has increasing expectations:
- CMMC Level 1: 17 Level 1 controls that are based on 15 basic cybersecurity controls from FAR 52.204-21
- CMMC Level 2: 110 CUI controls from NIST SP 800-171
- CMMC Level 3: 110 CUI controls from NIST SP 800-171 + up to 35 controls from NIST SP 800-172
There is no current guidance on what 3rd Party Assessment Organizations (3PAO) will use for these assessments, but the current assumption by many is NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria used by a 3PAO when evaluating against a CMMC requirement that is directly mapped to a NIST 800-171 rev2 control. Until final guidance on what 3PAOs will use for the assessment, the main focus of CMMC audit preparation should be on clear, concise documentation (e.g., CMMC/NIST 800-171 specific policies, standards, procedures, SSP, POA&M, etc.). The reason for this is from a financial perspective, you will be paying a 3PAO an hourly rate (likely $300/hr +/- $100) and the longer it takes an auditor to review and understand your environment, the more billable hours will accumulate. Therefore, clear and concise documentation can potentially save tens of thousands of dollars in future 3PAO audit-related costs.
One thing to keep in mind as you prepare for a CMMC audit - in the audit world there are two constants:
- Time is money; and
- Nothing exists unless it is documented.
A documentation review will likely occur before the 3PAO conducts any staff interviews, so the more questions you can address by clear documentation, the less your staff will have to fill in the blanks with auditor questions. This is really where good documentation is half the battle in an audit! Expect your 3PAO to start their assessment by:
- Performing a thorough review of your System Security Plan (SSP) to understand the who/what/when/where/how/why of your CUI environment;
- Assessing your Plan of Action & Milestones (POA&M) to understand what controls are not addressed (if applicable) and how your compensating controls exist to remediate the risk of non-compliance on a certain control; and
- Evaluating your policies, standards and procedures to see if those line up with the SSP and if that documentation supports all the requirements of NIST 800-171 / CMMC.
If I Comply With CMMC, Am I Therefore Compliant With NIST 800-171?
No. By itself, passing a CMMC audit does not mean you are compliant with NIST 800-171. If you look in Appendix D of NIST 800-171 rev2, you will see it contains 110 Controlled Unclassified Information (CUI) controls and in Appendix E there are also 63 Non-Federal Organization (NFO) controls. While NIST 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and NFO controls.
For some reason, CMMC only focuses on CUI controls and does not have NFO controls in scope for the CMMC audits. While this is financially beneficial to contractors to have less controls in scope for an audit, it also lulls most contractors into a false sense of compliance where they focus on the 110 CUI controls and ignore the 63 NFO controls. To reiterate that point, to be considered “NIST 800-171 compliant” you need to comply with both the CUI and NFO controls. Therefore, having a CMMC Level 1, 2, 3, 4 or 5 certification does not mean you are actually compliant with NIST 800-171 and that can run your organization afoul through a violation of the False Claims Act (FCA), since you are required to comply with NIST 800-171. CMMC is merely a 3rd party validation check to see if a basic level of compliance is being done as part of the contracting process.
What Does CMMC Level 1 Look Like?
There are 17 controls that make up CMMC Level 1 and each of those controls are directly mapped to Federal Acquisition Regulation (FAR) 52.204-21. Even though there are only 15 FAR 52.204-21 controls, the CMMC spread that basic coverage to make up 17 CMMC controls. Why? Most likely, it is due to the high-level nature of the FAR requirements, so there was subjective interpretation that made the case for 17 CMMC controls being needed to adequately address the 15 FAR controls. Regardless, CMMC Level 1 is essentially just complying with FAR 52.204-21 under the lens of NIST 800-171.
A CMMC Level 1 audit will cover 15% of the NIST 800-171 CUI controls.
What Does CMMC Level 2 Look Like?
There are 72 controls that make up CMMC Level 2, which encompasses the CMMC Level 1 controls. A CMMC Level 2 audit will cover 59% of the NIST 800-171 CUI controls.
What Does CMMC Level 3 Look Like?
There are 130 controls that make up CMMC Level 3, which encompasses the CMMC Level 1 & 2 controls. A CMMC Level 3 audit will cover 100% of the 110 NIST 800-171 CUI controls and adds an additional 20 controls from various sources.
The additional 20 non-NIST 800-171 controls are:
- AM.3.036. Define procedures for the handling of CUI data.
- AU.3.048. Collect audit logs into a central repository.
- AU.2.044. Review audit logs.
- IR.2.093. Detect and report events.
- IR.2.094. Analyze and triage events to support event resolution and incident declaration.
- IR.2.095. Develop and implement responses to declared incidents according to pre-defined procedures.
- IR.2.097. Perform root cause analysis on incidents to determine underlying causes.
- RE.2.137. Regularly perform and test data back-ups.
- RE.3.139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.
- RM.3.144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
- RM.3.146. Develop and implement risk mitigation plans.
- RM.3.147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
- CA.3.162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.
- SA.3.169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
- SC.2.179. Use encrypted sessions for the management of network devices.
- SC.3.192. Implement Domain Name System (DNS) filtering services.
- SC.3.193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).
- SI.3.218. Employ spam protection mechanisms at information system access entry and exit points.
- SI.3.219. Implement DNS or asymmetric cryptography email protections.
- SI.3.220. Utilize email sandboxing to detect or block potentially malicious email attachments.
What Do CMMC Levels 4 & 5 Look Like?
For CMMC Level 4, there are 156 controls. For CMMC Level 5, there are 171 controls. As you can see, these numbers exceed the 110 CUI controls found in NIST 800-171. CMMC Levels 4 & 5 build off CMMC Level 3 with controls from a range of frameworks:
- CERT RMM v1.2
- NIST 800-53
- NIST 800-171B
- ISO 27002
- CIS CSC 7.1
- Unattributed “CMMC” references that are not attributed to existing frameworks.
Cybersecurity Maturity Model Certification (CMMC) Is More Than Just NIST 800-171
The focus of NIST 800-171 is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. Our NIST 800-171 compliance products are designed to scale for organizations of any size or level of complexity, so we serve businesses of all sizes, from the Fortune 500 all the way to small and medium businesses. We have a wide-range of solutions that scale from the largest prime contractors down to small subcontractors and our documentation has direct mapping to the frameworks identified in CMMC:
- FAR 52.204-21
- NIST 800-53 rev 4
- NIST 800-171 rev2
- NIST 800-171B
- NIST Cybersecurity Framework
- CERT Resiliency Management Model (RMM)
- ISO 27002:2013
- CIS CSC 7.1
As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different "documentation artifacts" to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the proper cybersecurity documentation in place:
- Cybersecurity policies, standards & procedures
- System Security Plan (SSP) (requirement #3.12.4)
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
Did you know CMMC requires organizations to create, maintain and leverage a documented security strategy and roadmap to demonstrate how it is improving its cybersecurity practices that will be in-scope for review during a CMMC audit? CMMC CA.4.163 is applicable to L4 and L5 organizations. To address this need, ComplianceForge launched its Cybersecurity Business Plan (CBP) that is a business plan template that is specifically tailored for a cybersecurity department, which is designed to support an organization's broader technology and business strategies. The CBP is entirely focused at the CISO-level, since it is a department-level planning document. The CBP is a solution to address CMMC requirement CA.4.163 in an efficient and cost-effective manner.
Not Sure Where To Start With NIST 800-171 / CMMC Compliance?
The bottom line is your first step towards passing an audit is having appropriate documentation that you can use to prove you are doing what is required. If you are looking to jump start your NIST 800-171 compliance and Cybersecurity Maturity Model Certification (CMMC) audit readiness with editable cybersecurity policies, standards, controls, procedures and metrics then you have found the right place! Our documentation is widely used throughout the US Defense Industrial Base (DIB) as a way for prime and subcontractors to solve the problems associated with weak or non-existent cybersecurity documentation. Our solution is:
If you are not sure where to start, we put together a few short videos with some helpful guidance on how to define CUI and get on the path to getting compliant with NIST 800-171. We also put together the "7 Steps To An Audit-Ready Cybersecurity Maturity Model Certification (CMMC) Program" guide that you can download below:
If you want to learn more about NIST 800-171 requirements and how to minimize the impact to your company through scoping your compliance needs, we recommend pouring yourself a cup of coffee and watching these videos:
NIST 800-171 vs NIST 800-53 Requirements - NIST Did Not Re-Invent The Wheel
Many people ask how NIST 800-171 is different from NIST 800-53. In reality, there is no NIST 800-171 vs NIST 800-53, since everything defaults back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 requirements.
When it comes to being "audit ready" for a company with NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist. ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!
NIST 800-171 is intended to force contractors to adhere with reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. In some ways, this is a good thing since the US government is not reinventing the wheel with new requirements. Instead, the DoD selected moderate-level controls from an existing set of recognized best practices, commonly used throughout the DoD and Federal agencies. In the long run, this will help both the US government and private businesses speak the same language for cybersecurity.
The bottom line is NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information by that is being stored, transmitted or processed by private businesses.
Cost of Non-Compliance With NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC)
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
What Problem Does ComplianceForge Solve?
We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with NIST 800-171 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171 where you have documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
Hows Does ComplianceForge Solve It?
We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!