Understanding the CMMC Fundamentals
On Nov 5, 2020, the Defense Department issued a notice to formalize an information collection for the next three years. Starting Nov 30, 2020, all contractors and subcontractors working for the Department of Defense must submit their basic self-assessment of compliance with NIST SP 800-171, which governs the handling of controlled unclassified information (CUI), via DoD's Supplier Performance Risk System (SPRS). This gives acquisition officials visibility into contractor security and lets DoD immediately begin assessing whether vulnerabilities exist in its supply chain and take steps to correct such deficiencies. This is part of an interim rule issued by DoD on Sept. 29, 2020 that implements its Cybersecurity Maturity Model Certification (CMMC) program in all DoD contracts by Oct. 25, 2025.
All contractors and subcontractors working for the Department of Defense must pass a CMMC (Cybersecurity Maturity Model Certification) audit to ensure that controls and processes are in place and working properly to protect controlled unclassified information (CUI). The decision to create and mandate such a framework is the Department of Defense's response to the need to protect sensitive information and prevent data theft.
Controlled Unclassified Information (CUI)
According to the National Archives: "Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended."
What is NIST 800-171?
NIST 800-171 is a set of requirements that any non-federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for such systems. It focuses on protecting unclassified information in non-federal information systems and organizations.
By implementing these NIST standards, organizations can identify sensitive information and standardize how that information is handled and distributed. Policies allow processes to be streamlined while mitigating risk, which improves the overall security posture of the organization and makes day-to-day business smoother, because the policies give clear guidance for operations.
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) aims to properly secure the Defense Industrial Base (DIB) by addressing the oversight and assurance gaps within DFARS 252.204-7012 for CUI data. It extends the scope of oversight to encompass both CUI and Federal Contract Information (FCI), as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21, and is incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) to become a requirement for contract award.
The DIB delivers a complex mix of products and services to the DoD through a supply chain of over 300,000 primary and subcontract suppliers. A single cybersecurity model will not appropriately support such an economically and technically diverse supply chain with varying degrees of cyber maturity. Given the depth, breadth and complexity of the products and services being delivered, from footwear through to complex air, land and sea-based systems, a cybersecurity maturity model is the most appropriate solution.
The CMMC comprises 5 levels of cyber maturity. Each level is designed to accommodate a different degree of cybersecurity and process maturity, with the number of security domains and the level of practice increasing at each step. The levels are designed to support everyone from DIB suppliers who require basic cybersecurity hygiene (Level 1) through to complex DIB suppliers who are actively targeted by threat actors, potentially from a nation state (Level 5). The required level will be defined by the DoD during the procurement process, mapped to the data the contract will manage (FCI or CUI) and the perceived threat to the DoD, with Levels 1 and 2 associated with FCI data and Levels 3, 4 and 5 with CUI.
Level 1 – CMMC Level 1 focuses on basic cyber hygiene and ensures that the requirements specified in 48 CFR 52.204-21 are applied. At this level and at Level 2, organizations can be given FCI (Federal Contract Information). FCI does not include information generated by the Government for public purposes, such as public-facing websites. While security practices are expected to be followed, Level 1 organizations do not exhibit process maturity and their practices are not institutionalized.
Level 2 – CMMC Level 2 focuses on intermediate cyber hygiene. This set of security practices gives a Level 2 organization a better ability to protect data and keep the business operational against cyber threats. Organizations document their standard operating procedures (SOPs), policies, and a strategic plan for all security domains to guide the fulfillment of their security program.
Level 3 – Organizations assessed at CMMC Level 3 show good cyber hygiene and are capable of protecting their assets while accessing and producing CUI. They have the ability to face modern attackers (APTs) and to manage security incidents and response actions while exercising robust security controls. Adequately resourced activities and reviews, established policies and procedures, and process documentation demonstrate security process maturity.
Level 4 – At CMMC Level 4, an organization has developed a robust, forward-thinking and anticipatory cybersecurity program. The organization has the ability to adapt its protections to thwart the ever-changing tactics, techniques, and procedures (TTPs) used by APTs (advanced persistent threats). These organizations review and document all activities, measure performance and inform senior management of any issues, demonstrating further maturity.
Level 5 – Organizations assessed at CMMC Level 5 have an advanced cybersecurity program that demonstrates an ability to optimize their cybersecurity capabilities in an effort to dissuade APTs. These organizations ensure standardization in their process implementation across organizational units.
CMMC Framework
The CMMC framework is built on three elements – security domains, capabilities, and controls (practices) – which combined prescribe best practices for the protection of an organization and its associated FCI and CUI. These elements apply at five cybersecurity maturity levels (Levels 1, 2, 3, 4 and 5) in the overall CMMC framework, Level 1 being the least mature and Level 5 the most mature.
Cybersecurity Domains
The CMMC framework consists of 17 cybersecurity domains. A domain is a distinct group of security practices which have similar attributes to each other and are key to the protection of FCI and CUI, either individually or in combination. The following list outlines the domains defined in the CMMC for the protection of FCI and CUI within the CMMC framework.
Access Control (AC)
Asset Management (AM)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Recovery (RE)
Risk Management (RM)
Security Assessment (CA)
Situational Awareness (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Capabilities
Each domain comprises several capabilities which an organization is expected to achieve to ensure that cybersecurity and the protection of FCI and CUI are sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools and behaviors which, when working together, enable an organization to protect FCI and CUI. The 43 capabilities are:
C001 Establish system access requirements
C002 Control internal system access
C003 Control remote system access
C004 Limit data access to authorized users and processes
C005 Identify and document assets
C006 Manage asset inventory
C007 Define audit requirements
C008 Perform auditing
C009 Identify and protect audit information
C010 Review and manage audit logs
C011 Conduct security awareness activities
C012 Conduct training
C013 Establish configuration baselines
C014 Perform configuration and change management
C015 Grant access to authenticated entities
C016 Plan incident response
C017 Detect and report events
C018 Develop and implement a response to a declared incident
C019 Perform post-incident reviews
C020 Test incident response
C021 Manage maintenance
C022 Identify and mark media
C023 Protect and control media
C024 Sanitize media
C025 Protect media during transport
C026 Screen personnel
C027 Protect federal contract information during personnel actions
C028 Limit physical access
C029 Manage back-ups
C030 Manage information security continuity
C031 Identify and evaluate risk
C032 Manage risk
C033 Manage supply chain risk
C034 Develop and manage a system security plan
C035 Define and manage controls
C036 Perform code reviews
C037 Implement threat monitoring
C038 Define security requirements for systems and communications
C039 Control communications at system boundaries
C040 Identify and manage information system flaws
C041 Identify malicious content
C042 Perform network and system monitoring
C043 Implement advanced email protections
Security Controls – In total (at Level 5) the CMMC framework identifies 171 security controls, associated with the 17 security domains and 43 security capabilities and mapped across the 5 maturity levels. Security controls applied at maturity Levels 1 and 2 are referenced from FAR 52.204-21 (basic safeguarding of covered contractor information systems) and apply to the protection of Federal Contract Information (FCI). Security controls applied at Levels 3, 4 and 5 are referenced from DFARS 252.204-7012 (safeguarding of covered defense information and cyber incident reporting). See below how these security controls (practices) apply to each maturity level.
If I Comply With CMMC, am I Compliant with NIST 800-171?
The short answer is no. On its own, passing a CMMC audit does not imply that you are compliant with NIST 800-171. The focus of CMMC is the controls surrounding CUI, and CMMC does not include the NFO controls that are contained in NIST 800-171. Unlike NIST SP 800-171, CMMC uses five levels of cybersecurity maturity. Along with evaluating the maturity of a company's controls, the CMMC also gauges a company's maturity regarding cybersecurity practices and processes. The CMMC streamlines many cybersecurity standards into one model; the majority of its domains originate from Federal Information Processing Standards (FIPS) Publication 200 and the related requirements in NIST SP 800-171.