CMMC and NIST 800-171 Requirements
CMMC and NIST 800-171 are two compliance frameworks that are becoming increasingly important in the United States, particularly for companies that work with the government or handle sensitive information. In this glossary page, we provide a comprehensive overview of both frameworks, explain the key differences between them, and describe the requirements for demonstrating compliance with each.
What Are CMMC and NIST 800-171 Frameworks?
The Cybersecurity Maturity Model Certification (CMMC) framework is designed to ensure the security of controlled unclassified information (CUI) and federal contract information (FCI) in the Department of Defense (DoD) supply chain. It is largely based on the NIST 800-171 standards and is divided into three levels. Level 1 (Foundational) requires the implementation of basic cybersecurity practices that protect FCI from unauthorized access, use, or disclosure. Level 2 (Advanced) has more rigorous requirements and focuses on the implementation of more sophisticated cybersecurity practices. Level 3 (Expert) brings the highest level of security for DoD contracts and requires the implementation of advanced cybersecurity practices and capabilities.
The NIST 800-171 framework is a set of security standards developed by the National Institute of Standards and Technology. It is designed to protect controlled unclassified information (CUI) from unauthorized access, use, or disclosure. The framework is divided into 14 families, each addressing a different aspect of data security. The first four families focus on establishing a secure environment, protecting the organization’s assets, ensuring personnel security, and managing access controls. The remaining 10 families cover areas such as authentication and authorization, incident response, configuration management, and physical and environmental security.
How Do CMMC and NIST 800-171 Requirements and Controls Compare?
Both the CMMC and NIST 800-171 provide organizations with a framework for assessing their security posture, as well as recommendations for implementing processes and controls to better safeguard their systems. Both regulations help organizations by establishing minimum security requirements that must be met in order to be compliant. The controls for CMMC 2.0 Level 2 are aligned with NIST 800-171, which groups security controls into 14 domains.
Both regulations strongly emphasize the importance of documenting a company’s security posture, and provide significant guidance on choosing the right technologies, policies, and best practices. NIST 800-171 provides more detailed instructions on how to implement specific security controls, while the CMMC takes a more holistic approach and does not specify particular technologies or procedures. Both regulations also focus on protecting controlled unclassified information (CUI), set Audit and Accountability standards, and help organizations establish Identity and Access Management policies. Both regulations also include stringent requirements for third-party vendors and contractors.
In the following section, let’s look at the CMMC 2.0 levels and NIST 800-171 requirements in detail.
CMMC 2.0 Levels and Requirements
CMMC 2.0 is a three-tier certification system designed to protect controlled unclassified information (CUI). The three levels of CMMC 2.0 are Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
CMMC Level 1 (Foundational) is equivalent to CMMC 1.02 Level 1. The 17 controls for Foundational focus on protecting contractor information systems, primarily by limiting access to authorized users. This level provides basic protection of contractor information and only applies to organizations that handle federal contract information (FCI).
CMMC Level 2 (Advanced) is equivalent to CMMC 1.02 Level 3 and includes all of the 14 domains and 110 security controls from NIST SP 800-171. This level is designed for companies that work with CUI.
CMMC Level 3 (Expert) applies to companies that handle CUI for DoD programs with the highest priority. It requires the 110 controls from NIST SP 800-171 in addition to a subset of NIST SP 800-172 controls. This level is designed to reduce a system’s vulnerability to advanced persistent threats (APTs).
NIST 800-171 Requirement Families
The 14 requirement families of NIST 800-171 are the basis for creating a secure information system for federal contractors that handle CUI. These families cover many aspects of securing an information system, from system configuration and access control to monitoring and audit logging. The specific requirements must be implemented by the contractor in order to remain compliant.
NIST 800-171 Requirement Family #1: Access Control
The Access Control requirements aim to prevent unauthorized access to CUI in order to protect the information. This family of requirements covers topics such as user authentication, session lock, least privilege, access control lists, account monitoring, and more.
NIST 800-171 Requirement Family #2: Audit and Accountability
This family of requirements ensures that actions in the system can be traced back to the individuals who performed them. This is accomplished by recording events in the system and maintaining user activity logs. It also includes requirements for audit log review and audit log protection.
NIST 800-171 Requirement Family #3: Awareness and Training
The Awareness and Training requirements are intended to reinforce the importance of security to the personnel who use the system. This includes requirements to provide formal training for personnel on topics such as information handling, system security, and encryption.
NIST 800-171 Requirement Family #4: Configuration Management
The Configuration Management requirements aim to ensure consistent and secure system configurations across the organization. This family of requirements covers topics such as the secure baseline configuration of systems and the use of configuration settings management tools.
NIST 800-171 Requirement Family #5: Identification and Authentication
This family of requirements focuses on how users are identified and authenticated before receiving access to the system. It includes requirements related to user credentials, multi-factor authentication, cryptographic modules, and more.
NIST 800-171 Requirement Family #6: Incident Response
This family of requirements focuses on preparing for, responding to, and recovering from any security incidents that may occur. It includes requirements related to incident detection, containment, eradication, and recovery.
NIST 800-171 Requirement Family #7: Maintenance
The Maintenance requirements are intended to ensure that system components are regularly maintained in order to preserve their security. This family of requirements includes controls such as patching, software and hardware inventories, and antivirus protection.
NIST 800-171 Requirement Family #8: Media Protection
This family of requirements focuses on protecting media such as hard drives and USB drives. It includes requirements related to media labeling, tracking, and sanitization.
NIST 800-171 Requirement Family #9: Physical Protection
The Physical Protection requirements are designed to ensure that the physical environment where CUI is housed is secure. This includes requirements related to alternate site security, environmental protection, and access control.
NIST 800-171 Requirement Family #10: Risk Assessment
The Risk Assessment requirements aim to ensure that risks to the system are identified and addressed. This family of requirements includes controls such as vulnerability scanning, risk assessment, and risk mitigation.
NIST 800-171 Requirement Family #11: System and Communications Protection
This family of requirements focuses on protecting the communications channels and systems in the organization. It includes controls such as encryption, firewalls, demilitarized zones, and network device hardening.
NIST 800-171 Requirement Family #12: System and Information Integrity
The System and Information Integrity requirements are focused on protecting the integrity of the system and the information within it. This includes requirements related to malicious code protection, file system protection, and information input validation.
NIST 800-171 Requirement Family #13: System Security Plan
This family of requirements outlines the steps for creating a system security plan for protecting CUI. It includes controls such as system documentation, system security testing, and plan maintenance.
NIST 800-171 Requirement Family #14: System and Services Acquisition
The System and Services Acquisition requirements are intended to ensure that all systems and services are acquired securely. This family of requirements covers controls such as system and service requirements, secure acquisition practices, and contractor usage of CUI.
Key Differences Between CMMC 2.0 and NIST 800-171
The requirements of the two frameworks overlap in part, but there are some significant differences. CMMC 2.0 requires organizations to implement advanced cybersecurity practices, such as encryption, vulnerability management, and incident response. In comparison, NIST 800-171 only requires the implementation of basic cybersecurity practices.
CMMC 2.0 also requires organizations to provide evidence of compliance with the framework. Organizations must document their implementation of the different requirements and controls and submit their compliance documentation to the DoD. NIST 800-171 does not require the same level of documentation; organizations must only make sure that their data security practices meet the requirements.
If I Comply With CMMC 2.0, Am I Compliant With NIST 800-171?
Complying with CMMC requirements does not guarantee compliance with NIST 800-171. CMMC 2.0 was developed specifically for the Department of Defense (DoD) and is intended to protect controlled unclassified information (CUI) held by defense contractors.
While NIST 800-171 also protects CUI, it is a set of standards that applies to all government contractors that handle CUI. In order for contractors to be compliant with NIST 800-171, they must adhere to the specific requirements in all 14 families; compliance with CMMC alone is not sufficient. While the two sets of standards overlap in many respects, they also differ in some ways. CMMC 2.0, for example, offers a path to compliance for smaller contractors by setting three levels of assessment.
Kiteworks for CMMC 2.0 Level 2 and NIST SP 800-171 Compliance
The Kiteworks Private Content Network provides government contractors a secure file sharing platform that facilitates CMMC 2.0 Level 2 and NIST SP 800-171 compliance. It is a FedRAMP authorized solution for Moderate level CUI that encrypts data in transit and at rest with TLS 1.2 and AES-256 encryption, respectively. Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box and meets all the security requirements specified in NIST SP 800-171. Kiteworks also helps organizations meet other regulations, including ITAR, GDPR, SOC 2 (SSAE-16), and FISMA.
Kiteworks provides a critical layer of security and governance over the users and systems holding and transferring sensitive information like CUI. Organizations seeking compliance with CMMC 2.0 Level 2 or NIST 800-171 can schedule a custom demo of Kiteworks to learn more.