Cybersecurity Maturity Model Certification (CMMC) v2.0 &NIST 800-171 rev2 Compliance
We field a lot of questions regarding NIST 800-171 compliance and the DoD's Cybersecurity Maturity Model Certification (CMMC) assessment program. The information on this page relates to the common questions of what CMMC is, how CMMC relates to NIST 800-171 and what ComplianceForge products address both NIST 800-171 and CMMC requirements. As of 29 September 2020, CMMC is a requirement as part of DFARS 252.204-7021, which requires compliance with NIST 800-171 as part of DFARS 252.204-7012. With the release of "CMMC 2.0" that takes the focus of CMMC back to pure NIST SP 800-171 controls.
ComplianceForge is an industry-leader in NIST 800-171 compliance documentation and have been evolving our DFARS-specific cybersecurity solutions since 2016. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we are here to help make NIST 800-171 compliance as easy and as affordable as possible. Essentially, CMMC is the DoD's requirement for the Defense Industrial Base (DIB) to obtain a third-party assessment that NIST 800-171 controls are implemented.
ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.
CMMC is a vehicle the US Government is using to implement a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DoD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DoD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB) and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. Interestingly, when NIST 800-171 was initially launched, the DoD would not accept any form of 3rd-party audit for evidence of NIST 800-171 compliance, but that is exactly what CMMC does, so a lot has changed in the past two years from how NIST 800-171 adoption was initially envisioned.
Think of CMMC as a procurement gate that a contractor must pass to even be eligible to bid on, win or participate on a contract - without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from the contract. It is conservatively-estimated that between 200,000 - 300,000 organizations will be in scope for CMMC, with many of those not being considered traditional defense contractors. The reason for that is the trickle-down effect of third-parties that have the ability to impact the confidentiality and/or integrity of Controlled Unclassified Information (CUI) where it is stored, transmitted and/or processed. This trickle-down will impact small organizations from IT support to bookkeepers and even janitorial support services, in addition to component manufacturers that fall in the supply chain.
If you are new to CMMC and want to get a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, you can click on the image to the right to read the "Defense Acquisitions: DOD’s Cybersecurity Maturity Model Certification Framework" from the Congressional Research Services (CRS). This document is meant to help educate members of Congress on CMMC, so it is about as neutral as anyone could expect an overview to be.
The CRS report to Congress is loaded with references that you can use to verify information for yourself. It is a really good guide to understand the history and some of the challenges pertaining to CMMC, so it is a worthwhile document to read.
On 18 March 2020, the US Department of Defense (DoD) released version 1.02 of the CMMC. We took those requirements and made those into a user-friendly requirements matrix that indicates the requirements an organization faces from CMMC level 1 through level 5. We also provide mappings that show how ComplianceForge's products support each CMMC requirement. In the downloadable CMMC v2.0 requirements mapping matrix shown below, you can see how all CMMC 2.0 Level 1-3 requirements are supported by various ComplianceForge products.
That downloadable Excel spreadsheet for CMMC v1.02 provides crosswalk mapping to the following frameworks:
NIST 800-171 rev2
NIST 800-53 rev4
CERT RMM v1.2
NIST Cybersecurity Framework
CIS Critical Security Controls v7.1
Secure Controls Framework (SCF)
Mapping to the following ComplianceForge products:
New To CMMC? Use The "CMMC Kill Chain" To Build A Project Plan
A common issue facing many front-line IT/cybersecurity practitioners is that they do not know where to start with CMMC, let alone what path they need to follow to pass a CMMC assessment. There is an enormous amount of "What is CMMC?" guidance on LinkedIn, webinars and on the Internet in general, but there is a lack of practical guidance of HOW you are actually supposed to "do CMMC" in realistic terms. The CMMC Kill Chain is designed to provide a roadmap that would be usable for (1) anyone starting out or (2) anyone wanting to double check their approach. You can also download it by clicking on the image below to get a PDF version of the graphic and description.
Cybersecurity Maturity Model Certification (CMMC) v2.0 Requirements - Understanding The People, Processes & Technology Connections
As you can see in the downloadable infographic below, the responsibilities associated with CMMC spread far beyond just the cybersecurity team. Having a clear understanding of who "owns" certain CMMC controls now will payoff significantly as you prepare for your CMMC audit, since these are primarily not "cybersecurity" controls and many are owned by the business process owner or the IT asset custodians.
We put together a free guide to help identify what is in scope for NIST 800-171 rev2. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
Based on a lack of scoping guidance from the DoD, our assessment of scoping NIST 800-171 is that it should following a similar, structured approach to scoping that is used for PCI DSS compliance. The reason for this is the proposed approach is a reasonable method, based on accepted practices to comply with cybersecurity requirements. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
What ComplianceForge Products Apply To NIST 800-171 Compliance?
Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171.
DFARS / NIST 800-171
Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP)
[policies & standards map to all NIST 800-171 rev2 requirements]
NIST 800-171 & CMMC Policies, Standards & Procedures Done Right - Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Frameworkto develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with NIST 800-171, NIST 800-53, ISO 27002, NIST CSF, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
How Should I Prepare For A CMMC Assessment?
Based on version 1.0 of the CMMC, there are 5 levels and each has its own specific set of controls that will be in scope for a CMMC audit. Each level of CMMC maturity has increasing expectations:
CMMC Level 1: 17 Level 1 controls that are based on 15 basic cybersecurity controls from FAR 52.204-21
CMMC Level 2: 110 CUI controls from NIST SP 800-171
CMMC Level 3: 110 CUI controls from NIST SP 800-171 + up to 35 controls from NIST SP 800-172
There is no current guidance on what 3rd Party Assessment Organizations (3PAO) will use for these assessments, but the current assumption by many is NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria used by a 3PAO when evaluating against a CMMC requirement that is directly mapped to a NIST 800-171 rev2 control. Until final guidance on what 3PAOs will use for the assessment, the main focus of CMMC audit preparation should be on clear, concise documentation (e.g., CMMC/NIST 800-171 specific policies, standards, procedures, SSP, POA&M, etc.). The reason for this is from a financial perspective, you will be paying a 3PAO an hourly rate (likely $300/hr +/- $100) and the longer it takes an auditor to review and understand your environment, the more billable hours will accumulate. Therefore, clear and concise documentation can potentially save tens of thousands of dollars in future 3PAO audit-related costs.
One thing to keep in mind as you prepare for a CMMC audit - in the audit world there are two constants:
Time is money; and
Nothing exists unless it is documented.
A documentation review will likely occur before the 3PAO conducts any staff interviews, so the more questions you can address by clear documentation, the less your staff will have to fill in the blanks with auditor questions. This is really where good documentation is half the battle in an audit! Expect your 3PAO to start their assessment by:
Performing a thorough review of your System Security Plan (SSP) to understand the who/what/when/where/how/why of your CUI environment;
Assessing your Plan of Action & Milestones (POA&M) to understand what controls are not addressed (if applicable) and how your compensating controls exist to remediate the risk of non-compliance on a certain control; and
If I Comply With CMMC, Am I Therefore Compliant With NIST 800-171?
No. By itself, passing a CMMC audit does not mean you are compliant with NIST 800-171. If you look in Appendix D of NIST 800-171 rev2, you will see it contains 110 Controlled Unclassified Information (CUI) controls and in Appendix E there are also 63 Non-Federal Organization (NFO) controls. While NIST 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and NFO controls.
For some reason, CMMC only focuses on CUI controls and does not have NFO controls in scope for the CMMC audits. While this is financially beneficial to contractors to have less controls in scope for an audit, it also lulls most contractors into a false sense of compliance where they focus on the 110 CUI controls and ignore the 63 NFO controls. To reiterate that point, to be considered “NIST 800-171 compliant” you need to comply with both the CUI and NFO controls. Therefore, having a CMMC Level 1, 2, 3, 4 or 5 certification does not mean you are actually compliant with NIST 800-171 and that can run your organization afoul through a violation of the False Claims Act (FCA), since you are required to comply with NIST 800-171. CMMC is merely a 3rd party validation check to see if a basic level of compliance is being done as part of the contracting process.
NIST 800-171 vs NIST 800-53 Requirements - NIST Did Not Re-Invent The Wheel
Many people ask how NIST 800-171 is different from NIST 800-53. In reality, there is no NIST 800-171 vs NIST 800-53, since everything defaults back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 requirements.
When it comes to being "audit ready" for a company with NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist. ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!
NIST 800-171 is intended to force contractors to adhere with reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. In some ways, this is a good thing since the US government is not reinventing the wheel with new requirements. Instead, the DoD selected moderate-level controls from an existing set of recognized best practices, commonly used throughout the DoD and Federal agencies. In the long run, this will help both the US government and private businesses speak the same language for cybersecurity.
The bottom line is NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information by that is being stored, transmitted or processed by private businesses.
Cost of Non-Compliance With NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC)
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
What Problem Does ComplianceForge Solve?
We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!
Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
Compliance Requirements - The reality of non-compliance with NIST 800-171 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171 where you have documented evidence to prove it!
Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!
Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-two (32) domains that defines a modern,...
Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount) This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...
Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount) This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...
Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount) This is a bundle that includes the following twelve (12) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...