There are many lucrative pathways available to companies that contract with the United States Department of Defense (DoD). However, robust cybersecurity is a prerequisite for winning coveted DoD contracts. Not sure what that takes, or what CMMC vs NIST 800-171 mapping and implementation means? This guide will walk through everything you need to know to get started.
CMMC vs. NIST 800-171 Mapping
Many of the most important cybersecurity requirements for governmental agencies, and the companies that work with them, are intertwined and distributed across many different frameworks. In some cases, this can cause confusion; it can be unclear whether the controls you’ve implemented for one system can “count” toward similar requirements of another system.
Luckily, this is not one of those cases. The NIST 800-171 framework maps more or less directly onto the CMMC, which encapsulates it and other frameworks into one holistic system.
In the sections below, we’ll walk you through:
- What NIST SP 800-171 requires, in detail
- Which CMMC Levels correspond to SP 800-171
- How to simplify mapping one onto the other
Let’s get started!
NIST 800-171: Overall Scope and Core
The document Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, better known as SP 800-171, is a publication of the National Institute of Standards and Technology (NIST). It exists primarily to protect controlled unclassified information (CUI) that government agencies and their contractors come into contact with.
But SP 800-171 is not the only regulatory document such companies need to follow; there are various other legal guidelines applicable, including but not limited to:
At the core of NIST SP 800-171 are 110 Security Requirements, distributed across 14 Requirement Families. These are informed by the sources above, as well as other regulatory texts. For example, DFARS Clause 252.204-7012 specifies the requirements for CUI that SP 800-171 addresses.
SP 800-171 Requirement Families and Practices
The following is a synopsis of the Requirements, as they break down across the 14 Families:
- Access Control – 22 Requirements (2 Basic, 19 Derived) that limit and monitor individuals’ ability to access sensitive information and networks where it’s located.
- Awareness and Training – 3 Requirements (2 Basic, 1 Derived) that ensure adequate understanding of cybersecurity risks and procedures through intensive training.
- Audit and Accountability – 9 Requirements (2 Basic, 7 Derived) that specify basic protocols and minimums necessary for accountability through periodic assessments.
- Configuration Management – 9 Requirements (2 Basic, 7 Derived) that define particular settings to be used in place of factory defaults, which must be removed.
- Identification and Authentication – 11 Requirements (2 Basic, 9 Derived) that define the particular methods for verification of identity for access granting purposes.
- Incident Response – 3 Requirements (2 Basic, 1 Derived) that detail a systematic plan and program for identifying, responding to, and minimizing the impact of incidents.
- Maintenance – 6 Requirements (2 Basic, 4 Derived) that govern what routine and special maintenance comprise and how often they must occur, among other factors.
- Media Protection – 9 Requirements (3 Basic, 6 Derived) that detail the safeguards in place for physical and digital media that contain or pertain to sensitive information.
- Personnel Security – Just 2 Basic Requirements that limit the access to sensitive information of internal staff and stakeholders through screening and special privileges.
- Physical Protection – 6 Requirements (2 Basic, 4 Derived) that define limitations to physical and proximal access to devices and networks containing protected information.
- Risk Assessment – 3 Requirements (1 Basic, 2 Derived) that govern an organization’s programmatic approach to risk, including scanning, identification, response, and logging.
- Security Assessment – Just 4 Basic Requirements that detail minimum specifications for and frequency of organization-wide assessments of the security infrastructure.
- System and Communications Protection – 16 Requirements (2 Basic, 14 Derived) that safeguard internal and external communication related to protected information.
- System and Information Integrity – 7 Requirements (3 Basic, 4 Derived) that govern the protocols for reporting on and responding to flaws in security architecture.
Mastering all 110 individual cybersecurity controls can be a lot for an institution to handle. That’s part of the reason why the CMMC was developed, as a tiered approach that enables a more gradual, stepwise approach to full implementation. Mapping NIST SP 800-171 onto CMMC is easier if you begin from a place of having all 110 NIST controls in place already.
In fact, the entirety of NIST SP 800-171 is incorporated into CMMC wholesale.
CMMC: Relevant Levels and Controls
The Cybersecurity Maturity Model Certification (CMMC) is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). At the core of the CMMC, like NIST SP 800-171, lie a number of core cybersecurity elements. In CMMC, they are called “Domains” rather than “Families,” and each Domain comprises Capabilities (43 in total).
Domains also break out into 171 Practices, which correspond to Requirements in SP 800-171.
Of the 17 Security Domains, all but 3 correspond directly to NIST Requirement Families of the same name. Here is the breakdown (with unrelated Domains bolded):
- AC: Access and Control
- **AM: Asset Management**
- AU: Audit and Accountability
- AT: Awareness and Training
- CM: Configuration Management
- IA: Identification and Authentication
- IR: Incident Response
- MA: Maintenance
- MP: Media Protection
- PS: Personnel Security
- PE: Physical Protection
- **RE: Recovery**
- RM: Risk Management
- CA: Security Assessment
- **SA: Situational Awareness**
- SC: Systems and Communications Protection
- SI: System and Information Integrity
Unlike NIST SP 800-171, CMMC is a tiered approach to cybersecurity, developing cyberdefense posture in stages, called “Maturity Levels.” At each Level, Practices are introduced from select Domains. These are cumulative so that by Level 5, an organization will have implemented all 171 practices. By Level 3, the 130 Practices encapsulate the entirety of SP 800-171.
So, let’s take a close look at the first 3 Levels and the controls they map over from NIST.
Level 1: Basic Cyber Hygiene, FCI Protection
At Level 1, there are just 17 Practices, spread across 6 Domains. All of them map directly from corresponding NIST SP 800-171 Requirements and Families, respectively:
- Level 1 AC – 4 Practices focused on the restriction of internal access to information by user and function, as well as controlling external and public access to the same.
- Level 1 IA – 2 Practices dedicated to identifying users and verifying identity for access.
- Level 1 MP – Just 1 Practice requiring complete erasure of sensitive information and all traces thereof from devices and media being disposed of, recycled, reused, etc.
- Level 1 PE – 4 Practices limiting and logging physical access to sensitive information.
- Level 1 SC – 2 Practices safeguarding communications, especially at perimeters and borders of the organization, and partitioning public- and private-facing networks.
- Level 1 SI – 4 Practices specifying protocols for periodic scans for flaws in the system, including especially malicious code, and updates to resist detected issues.
Level 2: Intermediate Cyber Hygiene, Transition to CUI
There are 55 total new Practices introduced at Level 2. Of these, all but 7 (48 total) map directly from corresponding NIST SP 800-171 Requirements, across the following Domains:
- Level 2 AC – 10 Practices tightening access limitations with new safeguards like “least privilege” principles and procedures for locking sessions and controlling remote access.
- Level 2 AU – 4 Practices building minimum requirements for regular assessments, as well as particular requirements for diligent logging thereof (timestamps, etc.).
- Level 2 AT – 2 Practices necessitating training for personnel at all levels who use systems with sensitive information, especially those who deal specifically with said data.
- Level 2 CM – 6 Practices requiring updates to configurations of devices and software and detailing particular criteria that should inform settings, such as “least functionality.”
- Level 2 IA – 5 Practices further extending restrictions on access via authentication by specifying minimum password complexity and requiring regular updates and encryption.
- Level 2 IR – 5 Practices introducing a requirement for and governing systematic incident response protocols, including methods for analysis, response, and recovery in real-time.
- Level 2 MA – 4 Practices requiring regular maintenance be performed on physical and digital resources and specifying how, including special controls for remote maintenance.
- Level 2 MP – 3 Practices further restricting access to media with special safeguards in place for physical media and storage thereof, as well as controlling “removable” media.
- Level 2 PS – 2 Practices introducing protective measures like screening and privilege review related to hiring, firing, promotion, and other transitional periods for personnel.
- Level 2 PE – Just 1 Practice extending out physical and perimeter protections to include relevant facilities and supportive infrastructure, internal and external to the physical location.
- Level 2 RM – 3 Practices introducing risk management as a systematic approach and specifying methods for scanning and remediating risks and vulnerabilities in real-time.
- Level 2 CA – 3 Practices introducing a need for regular assessment of security practices, as well as a systematic approach to correcting any and all flaws identified.
- Level 2 SC – 2 Practices requiring organizations to disable remote access to collaborative computing systems and utilize encryption for device management.
- Level 2 SI – 3 Practices extending the scope of integrity monitoring to all communications and systems and requiring immediate action to address alerts.
Level 3: Good Cyber Hygiene, Complete CUI Protection
Finally, Level 3 introduces 58 total Practices. All but 13 of them (45 total) map directly from corresponding NIST SP 800-171 Requirements, across the following Domains:
- Level 3 AC – 8 Practices further limiting the scope of access with advanced methods, like encryption, and restriction of privileged functionalities to only privileged accounts.
- Level 3 AU – 7 Practices increasing the privacy and scope of audits and logs, including restricting audit functions by privilege and regularly monitoring and correcting logs.
- Level 3 AT – Just 1 Practice expanding the scope of training to empower personnel’s assessment of peers and monitoring for threats and vulnerabilities among staff by staff.
- Level 3 CM – 3 Practices increasing safeguards applicable via settings, including the elimination of inessential software and “blacklisting” or “whitelisting” of use cases.
- Level 3 IA – 4 Practices further extending the protection of identification systems, controlling for repeat use of credentials, and using multi-factor authentication (MFA).
- Level 3 IR – 2 Practices expanding the scope of the incident response management, requiring reporting internally and externally and regular testing of IR capacities.
- Level 3 MA – 2 Practices expanding the extent of regular and special maintenance practices, sanitizing the equipment before external transport, and screening incoming media.
- Level 3 MP – 4 Practices further safeguarding media related to sensitive information with restricted access, cryptography, and limits on portability and transportation thereof.
- Level 3 PE – Just 1 Practice, extending the boundaries of physical safeguards to any and all external and alternative work sites outside the office or headquarters.
- Level 3 RM – 3 Practices building out the risk management program to be more thorough, including paying special attention to products not supported by vendors.
- Level 3 CA – 2 Practices expanding the scope of security assessment, including specific protocols for assessing apps and software developed internally for internal use.
- Level 3 SC – 15 Practices drastically increasing depth and breadth of communications safeguards with advanced measures like encryption, whitelisting, and VoIP monitoring.
- Level 3 SI – 3 Practices heightening awareness of and ability to respond to flaws in system architecture, such as “sandboxing” and advanced filters for spam and forgery.
CMMC NIST 800-171 Mapping Made Simple
Mapping one framework onto the other is a relatively straightforward process. In fact, as noted above, implementation of the CMMC, at least up to Maturity Level 3, is actually facilitated by the implementation of NIST SP 800-171. The difficulty comes from actually setting up the cybersecurity infrastructure needed, not just for certification, but for long-term success.
To that effect, one of the best solutions available is an all-in-one DoD contractor cybersecurity package, such as RSI Security’s NIST 800-171, DFARS, and CMMC services. Our team of experts will work with you to implement all 110 SP 800-171 practices, no matter what your starting cybersecurity posture is, to prepare you to work with any and all government agencies.
Then, to achieve full certification at CMMC Level 3 and beyond, you’ll need to contract with a Certified Third-Party Assessment Organization (C3PAO), accredited by the CMMC Accreditation Body. We also offer a dedicated CMMC services package that includes certification, as well as any and all cyberdefense tailoring it takes to get your organization ready for certification.
For robust cybersecurity and compliance, CMMC vs NIST 800-171, and any other regulatory framework you need (PCI-DSS, NERC CIP, etc.), contact RSI Security today!