GovCon Expert Payam Pourkhomami Explains the Difference Between NIST SP 800-171 and CMMC 2.0—Part 1

By Payam Pourkhomami, President & CEO of OSIbeyond

The Department of Defense has been battling digital threats for decades, striving to fortify the defense industrial base. To achieve this, numerous cybersecurity requirements have been introduced for organizations that process or store controlled unclassified information, or CUI. Among these requirements are NIST SP 800-171 and CMMC 2.0, which, while similar in many ways, also have distinct differences in their approach.

In this article, we will explain the differences between NIST SP 800-171 and CMMC 2.0, and explore how they relate to other existing regulations, namely the Federal Acquisition Regulations and the Defense Federal Acquisition Regulation Supplement, a.k.a. DFARS.

What is the NIST-171?

The National Institute of Standards and Technology Special Publication 800-171 is a set of cybersecurity guidelines created to protect CUI within non-federal information systems and organizations. NIST SP 800-171 was published as a DFARS, specifically DFARS clause 252.204-7012, which was issued in 2016. Today, the 7012 clause is commonly found in both DOD contracts and subcontracts.

Developed based on input from industry experts and government officials under the direction of NIST, NIST SP 800-171 contains the minimum security requirements that the federal government deems necessary to protect CUI data, regardless of the size of the entity that holds the data. The standard consists of 110 requirements, each covering different areas of an organization’s IT technology, policy and practices. These requirements are divided into 14 families:

1. Access control – Limits system access to authorized users and controls the flow of CUI within the system.
2. Awareness and training – Educates team members on the importance of cybersecurity, teaching them how to protect sensitive information effectively.
3. Audit and accountability – Tracks and records system activities, providing a detailed log that can pinpoint who did what and when.
4. Configuration management – Keeps systems running smoothly and securely by standardizing settings and managing changes.
5. Identification and authentication: Identifies and authenticates users and devices accessing the information system to prevent unauthorized access.
6. Incident response: Provides a plan for handling and recovering from cyberattacks.
7. Maintenance: Performs regular updates and fixes to keep your systems strong.
8. Media protection: Secures physical storage of sensitive data (hard drives, etc.).
9. Personnel security: Secures the human element, ensuring that those with access to CUI are thoroughly vetted and managed.
10. Physical protection: Restricts access to the actual buildings and hardware housing data.
11. Risk assessment: Proactively identifies and addresses potential security threats, keeping the organization a step ahead of risks.
12. Security assessment – Regularly evaluates security measures to ensure they’re effective, adapting to new threats as they arise.
13. System and communications protection – Guards data as it travels within and exits an organization’s network.
14. System and information integrity – Maintains the accuracy and trustworthiness of system data, promptly addressing any flaws or vulnerabilities.

There is no certification process for NIST SP 800-171 compliance that contractors would have to pass in order to prove their ability to protect CUI. Instead, contractors are expected to self-assess their compliance with NIST SP 800-171, and they required to demonstrate it only when requested by the DOD.

What is the CMMC?

The self-assessment nature of NIST SP 800-171 resulted in many cybersecurity gaps among DOD contractors, so the DOD decided to create the Cybersecurity Maturity Model Certification. The goal of CMMC is to improve the cybersecurity posture of the DIB by introducing a framework where compliance with specific cybersecurity standards is verified through a mix of self-assessments and third-party assessments, depending on the level and specific contract requirements.

CMMC was first introduced in January 2020 as a five-tier compliance model. In November 2020, the DOD introduced an interim rule via DFARS 252.204-7019 and 7020 to strengthen the existing DFARS 7012 requirements while the CMMC program was being ramped up. This interim rule required contractors to perform a self-assessment against NIST SP 800-171 and provide a score to the DOD prior to contract award.

However, after a comprehensive internal review and public feedback, the DOD announced a new version in November 2021. CMMC 2.0, as this new version is called, is divided into three tiers based on the type of information that DIB members handle. This tiered approach allows for targeted security measures, flexibility and scalability, and streamlined compliance and assessment. The three tiers are:

• CMMC Level 1: Intended for contractors handling only federal contract information, or FCI, this level requires compliance with 17 key requirements derived from the FAR clause 52.204-21. The assessment process for level one is a self-assessment model.
• CMMC Level 2: Designed for contractors handling CUI, this level validates the implementation of the 110 requirements contained in NIST SP 800-171 Revision 2. For level two, the self-assessment option is available, but it may not be practical or applicable for most contractors.
• CMMC Level 3: The highest tier within the CMMC 2.0 program, level three is reserved for contractors integral to the DOD’s most critical programs and technologies. In addition to the 110 requirements of level two, level three includes 24 requirements from NIST SP 800-172. Assessments at this level are conducted directly by the Defense Industrial Base Cybersecurity Assessment Center, a.k.a. DIBCAC.

CMMC 2.0 employs two types of assessments to meet the needs and realities of contractors at different levels: self-assessment and certification assessment. Self-assessments are used exclusively at CMMC Level One and are expected to be adopted by a small percentage of level two contractors. Certification assessments, conducted by a Certified 3rd Party Assessor Organization—or C3PAO—or DIBCAC, are used for the majority of CMMC Level Two and all Level Three contractors.

CMMC 2.0 will be required in contracts by adding a reference to DFARS 252.204-7021. Contractors must obtain certification before or during the bidding process, as there is no provision for certification post-contract award. When a contract necessitates CMMC 2.0 Level 2 or higher, CMMC 2.0 will be incorporated alongside NIST SP 800-171 and DFARS 7012 through DFARS 7021. It is important to note that CMMC 2.0 does not supersede the previous DFARS 7012 requirements.