Guide to NIST SP 800-171, CMMC, and NIST SP 800-53 Compliance

If your organization works with government entities as a contractor, you probably have some questions about NIST SP 800-171, CMMC, or even NIST SP 800-53 compliance. Below, we’ll answer questions like what is NIST SP 800 171, how does CMMC differ from it, and what are NIST 800-53 controls? Understanding the answers to these questions covers most everything you need to know for the DoD compliance efforts necessary to secure lucrative contracts with the military and other agencies.

 

Understanding NIST SP 800-171, CMMC, and NIST SP 800-53

There are two primary regulatory frameworks to consider if your organization is seeking contracts—or preferred contractor status—from one of the branches of the US military:

• The NIST Special Publication 800-171 (SP 800-171)
• Cybersecurity Model Maturity Certification (CMMC)

Another, similar framework is used in contracts with many other government agencies:

• The NIST Special Publication 800-53 (SP 800-53)

Working alongside an experienced cybersecurity and compliance partner will help ensure your organization’s implementations of the frameworks meet DoD requirements.

 

DFARS and NIST Special Publication 800-171 Security Baselines

The first regulatory guide to understand for DoD and other, related governmental contract awards is the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

This regulation exists primarily to facilitate self-reporting of controls that all contractors with the US Department of Defense (DoD) need to follow for protecting controlled unclassified information (CUI). These controls were initially established in the Defense Federal Acquisition Regulation Supplement (DFARS), in which clause 252.204-7019 requires NIST SP 800-171 compliance.

NIST SP 800-171 comprises 110 total Requirements, including both its Basic and Derived Requirements. These are distributed across 14 Requirement Families. While compliance with NIST 800-171 is self-reported, the Risk Assessment family does require working with a third-party assessor to verify the efficacy of internal or external risk management and mitigation efforts.

RSI Security offers comprehensive DFARS and NIST SP 800-171 compliance services.

 

Request a Free Consultation

 

NIST SP 800-171 Requirement Families and Security Requirements

As of NIST SP 800-171 r2 (February 2020), the Requirement Families break down as follows:

• Access Control – Two Basic Requirements and 19 Derived Requirements related to secure monitoring and control over access to sensitive data, such as through user IDs.

• Awareness and Training – Two Basic Requirements and one Derived Requirement related to overall awareness programs both provided to and required for all personnel.

• Audit and Accountability – Two Basic Requirements and seven Derived Requirements related to regular audits, audits after special events, and safe storage for all audit logs.

• Configuration Management – Two Basic Requirements and seven Derived Requirements related to security settings and configurations installed on devices.

• Identification and Authentication – Two Basic Requirements and nine Derived Requirements related to user account management details, such as credentials.

• Incident Response – Two Basic Requirements and one Derived Requirement related to the design and implementation of protocols for responding to and recovering from attacks.

• Maintenance – Two Basic Requirements and four Derived Requirements related to regular reparative and maintenance work, along with maintenance after special events.

• Media Protection – Three Basic Requirements and six Derived Requirements related to special considerations for protecting media upon which sensitive data has been stored.

• Personnel Security – Two Basic Requirements (no Derived Requirements) related to measures taken before hiring, for onboarding, and both during and after employment.

• Physical Protection – Two Basic Requirements and four Derived Requirements related to protections installed around individual devices and spaces containing sensitive data.

• Risk Assessment – One Basic Requirement and two Derived Requirements related to measures for identifying, assessing, and addressing vulnerabilities, threats, and risks.

• Security Assessment – Four Basic Requirements (no Derived Requirements) related to ongoing audits and assessments of security program design, deployment, and efficacy.

• System and Communications Protection – Two Basic Requirements and 14 Derived Requirements related to networks used to communicate both internally and externally.

• System and Information Integrity – Three Basic Requirements and four Derived Requirements related to scans for system malfunctions and associated reparative actions.

New Cybersecurity Model Maturity Certification Protections

Moving forward, self-reported compliance with the NIST SP 800-171 framework will no longer suffice for DoD contractors. A new edition to DFARS, clause 252.204-7021, requires contractors to implement the Cybersecurity Model Maturity Certification (CMMC) framework. The CMMC is overseen by the Office of the Under Secretary of Defense for Acquisitions and Sustainment (OUSD(A&S)), which will require all new DoD contracts to include certification by 2026.

The CMMC framework is robust; it includes all of NIST SP 800-171, along with an additional 61 controls, for a total of 171 Practices. These are distributed across 17 Security Domains, and organizations are expected to implement new batches of Practices at each Maturity Level. There is also a Process Maturity goal at each Level, which measures institutionalization.

The breakdown of Practice and Process Maturity at each Maturity Level is as follows:

• CMMC ML 1 – Focused on protecting Federal Contract Information (FCI)

• • • Practice Maturity Threshold: Basic Cyber Hygiene
    • Process Maturity Threshold: Performed

• CMMC ML 2 – Focused on transitioning to full CUI protection (at Level 3)

• • • Practice Maturity Threshold: Intermediate Cyber Hygiene
    • Process Maturity Threshold: Documented

• CMMC ML 3 – Focused on full protection of CUI and FCI

• • • Practice Maturity Threshold: Good Cyber Hygiene
    • Process Maturity Threshold: Managed

• CMMC ML 4 – Focused on shifting attention to Advanced Persistent Threats (APTs)

• • • Practice Maturity Threshold: Proactivity
    • Process Maturity Threshold: Reviewed

• CMMC ML 5 – Focused on APTs and ongoing optimization of all protections

• • Practice Maturity Threshold: Advanced / Progressive
  • Process Maturity Threshold: Optimizing

Full CMMC implementation is verified—and certification is granted—via assessment from a Certified Third Party Assessor Organization (C3PAO). RSI Security has applied to become a C3PAO and should become one soon. Currently, as C3PAOs cannot provide both advisory and assessment services, we are an ideal partner for the implementation phase of full certification.

 

OUSD (A&S) CMMC Security Domains, Capabilities, and Practices

As of the most recent edition, CMMC v1.02 (March 2020), the Domains break down as follows:

• Access Control (AC) – Four Capabilities and 26 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on risk-based separation of duties and privileges.

• Asset Management (AM) – Two Capabilities and two Practices, distinct to CMMC, related to identifying, documenting, and inventorying all sensitive assets.

• Audit and Accountability (AU) – Four Capabilities and 14 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on automation of audit logging and analysis.

• Awareness and Training (AT) – Two Capabilities and five Practices, corresponding to NIST SP 800-171’s, with an added emphasis on exercises responding to real-world risks.

• Configuration Management (CM) – Two Capabilities and 11 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on whitelisting for apps and other software.

• Identification Authentication (IA) – One Capability and 11 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on multifactor authentication (MFA) settings.

• Incident Response (IR) – Five Capabilities and 13 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on the proactive, preventive use of threat intelligence.

• Maintenance (MA) – One Capability and six Practices, corresponding to NIST SP 800-171’s, with an added emphasis on protections for equipment used off-premises.

• Media Protection (MP) – Four Capabilities and eight Practices, corresponding to NIST SP 800-171’s, with an added emphasis on the use of cryptographic controls to protect CUI.

• Personnel Security (PS) – Two Capabilities and two Practices, corresponding to NIST SP 800-171’s, with an added emphasis on protocols for personnel termination and transfer.

• Physical Protection (PE) –  One Capability and six Practices, corresponding to NIST SP 800-171’s, with an added emphasis on protecting equipment at alternate locations.

• Recovery (RE) – Two Capabilities and four Practices, distinct to CMMC, related to the measures required for short and long-term recovery and continuity after a cyber attack.

• Risk Management (RM) – Three Capabilities and 12 Practices, similar to NIST SP 800-171’s Risk Assessment, with a more comprehensive focus on overall management.

• Security Assessment (CA) – Three Capabilities and eight Practices, corresponding to NIST SP 800-171’s, with an added emphasis on penetration testing for advanced insights.

• Situational Awareness (SA) – One Capability and three Practices, distinct to CMMC,  related to cyber threat hunting and compiling intelligence on threats and indicators.

• Systems and Communications Protection (SC) – Two Capabilities and 27 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on packet monitoring.

• System and Information Integrity (SI) – Four Capabilities and 13 Practices, corresponding to NIST SP 800-171’s, with an added emphasis on threat indicators.

Broader Protections Outlined in NIST Special Publication 800-53

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is the most robust framework of the three reviewed in this guide. Unlike the two above, it is not a requirement for DoD contractors laid out in DFARS. So, what is the purpose of NIST 800-53? It’s a more general document that prescribes security baselines to be used in all companies working closely with government entities. These are not necessarily required, unless your organization’s particular contracts with one or more entities specify so.

SP 800-53 comprises Controls, which are distributed across Control Families. Most Controls break down further into Control Enhancements, of which a whopping 708 are active. The supplementary SP 800-53b, Control Baselines for Information Systems and Organizations, breaks down which of these are most critical, based on risk environment and other factors.

In most cases, the Control Families and certain targets of controls are less specific than in the two DoD-required frameworks detailed above. But in some cases, they are more specific—for example, SP 800-53 details intricate protections for Personally Identifiable Information (PII), irrespective of its status as CUI, FCI, HIPAA-protected, or any other sensitivity.

 

NIST SP 800-53 Control Families for System and Privacy Controls

As of the current edition, SP 800-53 r5 (September 2020), the Controls break down as follows:

• Access Control (AC) – 25 active Base Controls and 108 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s respective sections.

• Awareness and Training (AT) – Six active Base Controls and 10 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Audit and Accountability (AU) – 16 active Base Controls and 41 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Assessment, Authorization, Monitoring (CA) – Nine active Base Controls and 17 active Control Enhancements, distinct to SP 800-53 but similar to CMMC’s CA Domain.

• Configuration Management (CM) – 14 active Base Controls and 42 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Contingency Planning (CP) – 13 active Base Controls and 37 active Control Enhancements, distinct to SP 800 53, related to continuity despite disabled systems.

• Identification and Authentication (IA) – 12 active Base Controls and 43 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Incident Response (IR) – Nine active Base Controls and 31 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Maintenance (MA) – Seven active Base Controls and 21 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Media Protection (MP) – Eight active Base Controls and 12 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Physical and Environmental Protection (PE) – 23 active Base Controls and 29 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• Planning (PL) – 11 active Base Controls and three active Control Enhancements, distinct to SP 800-53, related to protocols for strategizing response and recovery.

• Program Management (PM) – 32 active Base Controls and five active Control Enhancements, distinct to SP 800-53, related to protocols for top-level decision making.

• Personnel Security (PS) – Nine active Base Controls and eight active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• PII Processing and Transparency (PT) – Eight active Base Controls and 13 active Control Enhancements, distinct to SP 800-53, related to detection and protection of PII.

• Risk Assessment (RA) – 10 active Base Controls and 13 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• System and Services Acquisition (SA) – 15 active active Base Controls and 90 active Control Enhancements, distinct to SP 800 53, related to asset or system onboarding.

• System / Communications Protection (SC) – 47 active Base Controls and 92 active Control Enhancements, corresponding to and building upon SP 800-171’s and CMMC’s.

• System and Information Integrity (SI) – 22 active Base Controls and 78 active Control Enhancements, corresponding to and building upon both SP 800-171’s and CMMC’s.

• Supply Chain Risk Management (SR) – 12 active Base Controls and 15 active Control Enhancements, distinct to SP 800 53, related to third-party risk management (TPRM).

 

Achieve DFARS, CMMC, and NIST SP 800-53 compliance

In summary, organizations seeking DoD contracts will need to implement the CMMC framework in full, and soon—even if they’re compliant with NIST SP 800 171, there are many more controls to install beyond NIST’s.

Companies seeking other governmental agencies’ contracts may also need to achieve NIST SP 800-53 compliance, depending on the agency.

Whatever regulatory compliance goals your organization is grappling with, contact RSI Security today to meet them!