Differences do exist between CMMC and NIST 800-171
It is important to understand the difference between CMMC and NIST 800-171 because certification of DoD contractors’ cybersecurity programs, issued by an independent third party according to the Cybersecurity Maturity Model Certification (CMMC) standard, will be required for some contracts as early as September 2020.
The model will be required of ALL DoD contracts by the end of 2025. Without a CMMC certification, your organization won’t be able to propose on new contracts or execute ongoing contracts. In this blog we’ll describe the differences between the 110 safeguards we DoD contractors are supposed to have already incorporated into our cybersecurity programs according to the NIST 800-171 standard and the 130 Practices required of us by CMMC Level 3.
First, an Overview of the CMMC Model
The CMMC comprises 5 levels of cybersecurity maturity, ranging from Level 1 “Basic” to Level 5 “Advanced”. Each contract will be assigned a CMMC Level that the contractor must meet to execute the contract. Maturity is determined by the level of implementation of cybersecurity practices (aka safeguards, controls) spread across 17 domains. The image below, found in CMMC briefing materials, depicts the model.
Those of you familiar with DFARS 7012 / NIST 800-171 will understand “domains” as “families” and “practices” as “controls.” In fact, Level 1 of the CMMC has 17 practices which are the 17 basic cybersecurity safeguards already required by the FAR clause 52.204-21 for the protection of Federal Contract Information (FCI). Level 3 CMMC includes all 110 NIST 800-171 controls as well as 20 additional practices, for a total of 130 controls. We’ve been advising our clients that implementing NIST 800-171 should get your organization most of the way to a CMMC Level 3 certification; assuming you have your System Security Plan (SSP) and budget squared away, 800-171 will get you 85% (110/130) there.
Per the CMMC Frequently Asked Questions (FAQ), all DoD contractors will eventually have to hold at least a CMMC Level 1 certification, as all of us process at least some FCI. Those of us who process CUI as well will have to hold at least a CMMC Level 2, and more likely a CMMC Level 3, certification. For a more in-depth look at the CMMC, check out our CMMC V1.0 blog.
Level 3 CMMC / NIST 800-171 Differences in Layman's Terms
Those 20 additional Practices in CMMC Level 3 are mostly redundant with existing NIST 800-171 controls. That is good news: you probably already have policies in place that cover these Practices, and all you need to do is update your SSP to show that these Practices are related to or covered by other policy. Don’t have a System Security Plan yet? Click here.
If you have an SSP for the original NIST 800-171 requirement, there are a few new things you need to do for a CMMC Level 3 certification. To help you extend your SSP to cover these new Practices, we’ve provided a downloadable document with our interpretations of these Practices, a list of related/redundant 800-171 controls, and some advice on how to implement them. We welcome feedback (email: i[email protected]) on our interpretation of the Level 3 CMMC / NIST 800-171 differences.