What is the Difference Between CMMC and NIST 800-171?
Major changes are looming ahead for private companies looking to net a federal contract with the US Department of Defense (DoD). That's thanks to the new cybersecurity standards known as the Cybersecurity Maturity Model Certification or CMMC 2.0. The new framework will be substantially different from existing cybersecurity standards established by the National Institute of Standards and Technology (NIST).
But how different are they? And how will they impact the over 300,000 organizations that are part of the DoD supply chain?
Intelligent Technical Solutions (ITS) is a managed security services provider that has helped hundreds of organizations meet different compliance requirements. In this article, we'll dive into the nuances so you can get a clear definition between the NIST 800-171 framework with the stricter CMMC 2.0. In doing so, you will be able to better plan for the new regulations and set your organization up for success.
What is NIST 800-171?
The NIST cybersecurity framework has several versions, but for this article, we'll focus on NIST 800-171 as it is the one that deals with controlled unclassified information (CUI).
The framework was published in 2015 to standardize and protect sensitive but unclassified government data in private-sector IT networks. Because that data is handed over to private entities, it goes outside the federal government's purview. That presented a challenge as the federal government needed a way to safeguard the data they were sharing.
Thus, government agencies added the framework as a stipulation in their contracts with private companies. That makes it so that any organization that processes or stores CUI on behalf of the US government is required to comply with NIST 800-171. The published framework contains 110 requirements, each of which mitigates cybersecurity vulnerabilities or strengthens an element of the network.
While it was added as a requirement when dealing with federal contracts, it is still considered a voluntary framework. That means the government or any third-party body doesn't officially audit compliance.
What is CMMC 2.0?
The CMMC, on the other hand, is a framework created by the DoD that was largely based on the NIST 800-171. It was created in response to an increasing number of government contractors who were falsely claiming to meet the NIST framework. That prompted the agency to develop a certification process, ensuring contractors were compliant with a standard set of cybersecurity controls.
In 2021, the Biden administration reviewed the CMMC pilot program, which resulted in significant changes to the framework and re-launched it into what we now know as CMMC 2.0. The new framework will take effect in 2023, impacting over 300,000 companies.
The updated CMMC 2.0 condenses the five levels of the first version into just three. It eliminates all the maturity processes from the previous version and introduces the Plan of Actions and Milestones (POAM). That means organizations that have not yet fully implemented 800-171 must submit a solid plan for achieving full compliance, with specific dates and a timeline.
Another major change is that CMMC certifications can only be issued by a certified third-party assessment organization (C3PAO). That helps ensure erring contractors can no longer self-report as compliant.
How is the CMMC 2.0 Different from NIST 800-171?
Let's take a look at some of the key differences between CMMC 2.0 and NIST 800-171:
It's Mandatory
The updated CMMC 2.0 will require all new and existing defense contractors to comply with the new framework when it takes effect. That means any contractor that fails to meet the requirements by the deadline will no longer be allowed to deal with the DoD. Or, they will have to submit a plan of action and a timeline for how and when they will become fully compliant before any work begins.
It Uses a Maturity Model
The new CMMC requires every contractor to obtain accreditation for a maturity level that matches the sensitivity of the data they will handle. That helps ensure that contractors will need to be accredited before handling sensitive data or upgrading to an appropriate CMMC level.
It Requires Third-Party Assessments
Unlike the NIST framework, compliance with CMMC requires an audit conducted by a C3PAO. That will prevent contractors from falsely self-reporting their compliance. While contractors at the first level of maturity are not required to undergo an audit from a third party, any organization at level two onward will have to submit to an external audit.
Need Help with CMMC or NIST Compliance?
While the CMMC 2.0 is largely based on the NIST 800-171 cybersecurity framework, there are some key differences that you should know before creating your compliance plan.
First is that the CMMC will be mandatory when it takes effect. Second, defense contractors will need accreditation of the appropriate maturity level if they handle sensitive government data. Lastly, firms will need to undergo an audit from a certified third-party assessment organization to get their CMMC certifications.
At ITS, we know how challenging it is to meet compliance requirements. The number of things you need to consider and keep track of can be overwhelming. Find out how we can help. Schedule a meeting with one of our experts to find out how you can get closer to your compliance goals. You can also check out the resources below for more info: