By Payam Pourkhomami, President & CEO of OSIbeyond
Read part one here
What is the difference between NIST SP 800-171 and CMMC?
| Aspect | NIST SP 800-171 | CMMC 2.0 |
| Certification process | Self-assessment only | Self-assessments combined with mandatory third-party certification for most Level 2 contractors and all Level 3 contractors |
| Requirements | Narrowly focused on controlled unclassified information protection | Broader, covering cybersecurity maturity beyond just CUI handling |
| Plan of actions and milestones | Allows organizations to have a POA&M in place at the start of an assessment with no limit on the number of practices included. | Introduces structured guidelines for POA&Ms, specifying that not all requirements can be deferred, particularly the highest weighted requirements. Allows for a limited waiver process for select mission-critical needs, subject to senior Department of Defense leadership approval. |
As the above-provided descriptions of NIST SP 800-171 and CMMC 2.0 show, the two frameworks differ in several important aspects.
Certification process
NIST SP 800-171 does not require a formal certification process. Contractors self-assess their compliance with the framework’s 110 security requirements and implement necessary measures to meet these standards. This self-assessment approach allows for flexibility but has led to inconsistencies in the implementation and enforcement of cybersecurity measures across the defense industrial base.
CMMC 2.0 introduces a certification process that varies based on the level. Level 1 requires self-assessment, while most Level 2 and all Level 3 contractors must undergo assessments conducted by accredited third-party assessors. This process verifies that contractors have implemented the required cybersecurity practices and processes at one of three defined levels of maturity. The certification is intended to create a standardized level of cybersecurity across all contractors within the DIB.
Scope
The scope of NIST SP 800-171 is narrowly focused on protecting controlled unclassified information, or CUI, by establishing baseline cybersecurity standards. It consists of 110 security requirements that contractors must self-assess and implement to ensure the protection of CUI within their systems and organizations.
On the other hand, CMMC 2.0 has a broader scope, covering cybersecurity maturity beyond just CUI handling. While CMMC Level 1 and 2 include only the 110 security requirements from NIST SP 800-171, CMMC Level 3 goes further by incorporating additional requirements from NIST SP 800-172. These extra requirements address advanced cybersecurity practices such as:
- Establishing and maintaining a security operations center capability that operates at a specified frequency (3.6.1e).
- Conducting penetration testing at a specified frequency, leveraging automated scanning tools and ad hoc tests using subject matter experts (3.12.1e).
- Verifying the integrity of security-critical or essential software using root of trust mechanisms or cryptographic signatures (3.14.1e).
- Monitoring organizational systems and system components on an ongoing basis for anomalous or suspicious behavior (3.14.2e).
Plan of actions and milestones
NIST SP 800-171 allows organizations to have a POA&M in place at the start of an assessment and provides an action plan with specific dates for attaining full compliance while working with federal agencies. There is no limit to the number of practices that can be included in a POA&M, providing organizations the latitude to manage and prioritize their compliance efforts as they see fit.
CMMC 2.0 introduces more structured guidelines regarding the use of POA&Ms. While it still allows for the use of POA&Ms, CMMC 2.0 specifies that not all requirements can be deferred to the POA&M. Particularly, the highest weighted requirements, which are deemed critical for the protection of CUI, cannot be included in a POA&M. This approach guarantees that certain foundational cybersecurity practices are in place prior to contract award.
CMMC 2.0 also introduces a limited waiver process. This process allows for the exclusion of certain CMMC requirements from acquisitions for select mission-critical needs, subject to senior DOD leadership approval. The waiver process is applied to the entire CMMC requirement, not individual cybersecurity practices, and is intended for use in very limited circumstances.
Conclusion
NIST SP 800-171 remains the cornerstone of cybersecurity for handling CUI, but CMMC 2.0 raises the bar by mandating third-party assessments and introducing a tiered structure that reflects an organization’s cybersecurity maturity. This shift towards third-party certification for most Level 2 and all Level 3 contractors aims to create a more robust and consistent cybersecurity posture across the defense industrial base. As a result, contractors must now prioritize not only the implementation of security controls but also the demonstration of their effectiveness to an external assessor.
For more information, download OSIbeyond’s DoD Contractor’s Guide to CMMC 2.0 Compliance.
To continue the conversation on cybersecurity and better understand the needs of top U.S. government agency cyber officials, register to attend Potomac Officers Club’s June 6th Cyber Summit. It will feature renowned experts like DOD’s David McKeown and ManTech’s Chris Cleary (formerly of the Department of the Navy) and ample opportunities for networking and Q&A.
