NIST SP 800-171 & CMMC Compliance
NIST SP 800-171 is a standard that defines how to protect and distribute Controlled Unclassified Information (CUI) for government contractors.
What is Controlled Unclassified Information (CUI)?
CUI is a marking used by the federal government to identify information and confidential data that is not classified, yet requires protection from unnecessary disclosure (e.g., financial records, Personally Identifiable Information (PII), FOUO).
Key Considerations and Lessons Learned for NIST 800-171 Compliance
NIST SP 800-171 contains 110 security controls across the following 14 categories (control families):
- 3.1 Access Control
- 3.2 Awareness and Training
- 3.3 Audit and Accountability
- 3.4 Configuration Management
- 3.5 Identification and Authentication
- 3.6 Incident Response
- 3.7 Maintenance
- 3.8 Media Protection
- 3.9 Personnel Security
- 3.10 Physical Protection
- 3.11 Risk Assessment
- 3.12 Security Assessment
- 3.13 System and Communications Protection
- 3.14 System and Information Integrity
The 14 categories map to the five core functions of the NIST Cybersecurity Framework:
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
CMMC Level 3 versus NIST SP 800-171
The effort to become NIST SP 800-171 compliant is not wasted. CMMC Level 3 contains the same 110 controls found in NIST SP 800-171, plus 20 added practices (controls). There are a few significant areas where CMMC adds practices:
- Logging, monitoring, incident response, and reporting capabilities with a SIEM (Security Information and Event Management) or similar technical solution – Domain Reference: Incident Response (IR) and Audit and Accountability (AU).
- The ability to back up and restore data through tested, comprehensive, and resilient backup procedures.
- Logical and technical separation of unsupported products, with network restrictions and regular risk assessments to identify vulnerabilities – Domain Reference: Risk Management (RM).
- DNS filtering, spam protection, and email sandboxing to protect against malicious traffic – Domain Reference: System and Communications Protection (SC) and System and Information Integrity (SI).
The DFARS clause 252.204-7012 interim rule released on September 29, 2020 makes all government contract awards to contractors dependent on the contractor having entered a Supplier Performance Risk System (SPRS) score in the SPRS database. The SPRS score is calculated from the NIST SP 800-171 requirements the contractor has implemented. Your score in the SPRS database may be a consideration during the selection process.
CMMC is being rolled out by DoD over the next 5 years. DoD expects the number of contracts with CMMC requirements to reach 75 by Fiscal Year (FY) 2022, 250 contracts by FY 2023, and 479 contracts in FY 2024. DoD expects all new DoD contracts to contain CMMC requirements starting in FY 2026. Looking forward, the DoD expects to have 1,500 contractors certified in FY 2021; 7,500 more in FY 2022; 25,000 more by FY 2023; and almost 48,000 by FY 2025. If you are not CMMC certified at the appropriate level prior to contract award, then working on DoD contracts will not be possible.
Option #1: In-house
The in-house choice works best if:
- You have extensive policies and procedures in place.
- You have IT resources already in place with experience in implementing security requirements. These cybersecurity professionals require a diverse technical background. This is not the time to learn as you go!
Option #2: Outsource
Augment your IT team with a consultant. By outsourcing your compliance, your provider follows a defined process to help you become compliant.
As experienced consultants, Braxton-Grant Technologies has a three-step process to help you become and stay compliant.
The Maryland DCAP Grant Program
The Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for Defense Contractors to comply with the DFARS and NIST 800-171 Standards for cybersecurity, as well as prepare for the upcoming CMMC certification. The program provides funding and resources for Maryland companies to comply with the cybersecurity standards. Funded by the Department of Defense’s Office of Local Defense Community Cooperation (OLDCC) through the Maryland Department of Commerce, the program is being coordinated by the MD MEP.
Grant funding is limited and there is a waiting list at this time. If you are interested in the program, we recommend submitting an application to the MD MEP Team as soon as possible – contact us to assist!
- Up to 60% off mitigation costs.
- $2,500 grant funding reimbursement for the CMMC Pre-Assessment.
- Reported $513,402,088 total retained sales and $155,158,419 total increased sales from client recipients.
- Reported total of 3,051 retained jobs and 136 increased jobs from client recipients.
Braxton-Grant’s 3-Step Cyber Assessment
Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts and CMMC Registered Practitioners to assist in pre-assessments for organizations with DoD contracts.
We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting your budget.
For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting.