How to Prepare for CMMC and NIST Assessments

If your organization works with US government agencies, including the military, you’ll need to conduct one or more NIST assessments. Getting ready includes determining which standards apply, conducting readiness assessments, implementing, and securing an official assessor.

How prepared are you for NIST compliance? Schedule a consultation to find out.

 

CMMC and NIST Assessment Prep 101

The National Institute for Standards and Technology (NIST) works closely with other government agencies to ensure both internal staff and external contractors keep data secure. They publish regulatory frameworks prescribing controls you need to implement, and individual government departments (like the military) determine assessment requirements based on the frameworks.

Preparing for a NIST assessment is challenging, and you’ll need to follow these four steps:

• Figuring out which regulations or other frameworks apply to you
• Assessing your existing architecture against applicable standards
• Implementing or mapping controls to meet compliance requirements
• Conducting official self-led, third-party, or government-led assessments

Working with a compliance advisor will also help you meet and exceed requirements efficiently.

 

Determine Which Regulations Apply

For general government contractor purposes, the NIST 800 30 risk assessment framework breaks down suggestions and best practices for risk assessments. But for more targeted applications, you’ll need to determine which specific frameworks apply to your organization.

The types of data you come into contact with will determine which regulations apply. In military work, for example, there are two primary sensitive data classes that are tightly regulated:

• Controlled Unclassified Information (CUI) – This includes technical and maintenance data critical to national security. The Information Security Oversight Office (ISOO) CUI Registry houses categories of CUI relevant to the Military and other departments.

• Federal Contract Information (FCI) – This is information of or pertaining to US government contracts about the nature of work performed and parties involved.

NIST’s Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, lays out controls for protecting CUI for any contractor. And a military-specific framework, Cybersecurity Maturity Model Certification (CMMC), builds on these protections and adds safeguarding guidance for FCI for Defense contractors specifically.

Study your prospective contracts carefully and try to get in touch with stakeholders from the government agencies you’re targeting. They will help you determine whether just a NIST risk assessment will suffice or if you instead need to achieve other forms of compliance.

 

Request a Consultation

 

Understanding CMMC Maturity and Levels

CMMC is a program specifically designed for Department of Defense (DoD) contractors. It is overseen by the DoD’s Chief Information Officer (DCIO), with input from the Office of the Undersecretary of Defense (OUSD) for Intelligence and Security (I&S). Together, these offices ensure that organizations in the Defense Industrial Base (DIB) have adequate security maturity to keep the military’s sensitive data—and all US citizens, by extension—safe and secure.

Official CMMC assessments certify organizations to be at one of three Levels of maturity, with increased implementation and assessment requirements for each. They break down as follows:

• CMMC Level 1: Foundational – Organizations implement 15 practices developed from NIST SP 800-171. Annual self-assessment and self-affirmation are required.

• CMMC Level 2: Advanced – Organizations implement 110 practices, covering the entire scope of NIST SP 800-171. Most entities require triennial third-party assessments.

• CMMC Level 3: Expert – Organizations implement an unknown number of practices adapted from SP 800-172. A triennial government-led assessment will be required.

In most cases, determining what kind of assessment you need to conduct will be as simple as consulting the contract you’re targeting, which should clearly state which Level is required.

Consider a Preparatory NIST Assessment

Once your organization has determined which regulations apply to it, you could jump straight into implementing controls and securing an official assessment. However, we recommend a more measured approach that integrates a pre-assessment to gauge your readiness. This can be conducted internally, or you may seek out the services of a NIST or CMMC advisor.

Conducting a NIST vulnerability assessment or readiness assessment will provide insights into which controls or considerations are missing from your current infrastructure. Depending on your security, it also might provide good news—that controls you have in place can be mapped.

 

Mapping NIST Requirements to Other Frameworks

Many organizations that work with other government agencies will have already implemented controls from common NIST standards, like the Cyber Security Framework (CSF) or NIST’s Security and Privacy Controls for Information Systems and Organizations (SP 800-53).

If you have conducted an SP 800-53 or NIST CSF assessment in the past, you may be well on track for SP 800-171 implementation before you even formally begin. Many of these frameworks include mapping guidance that indicates which controls from other NIST texts correspond. 

Consider the following mappings, adapted from the Mapping Tables section in SP 800-171:

• Requirements 3.1.1 and 3.1.2 map onto the following Controls from SP 800-53:
  • AC-2 (Account Management)
  • AC-3 (Access Enforcement)
  • AC-17 (Remote Access)
• Requirement 3.1.3 maps onto SP 800-53’s AC-4 (Information flow Enforcement)
• Requirement 3.1.4 maps onto SP 800-53’s AC-5 (Separation of Duties)

What this snippet shows is that, if your organization has already implemented SP 800-53 controls, the process of SP 800-171 integration will be much simpler. Rather than installing a whole set of new controls from scratch, much of the job is repositioning existing protections.

 

Implement NIST Requirements or CMMC Practices

Whether you’ve conducted a readiness assessment or not, the next step is all about covering your bases and installing all the controls necessary for your Level (CMMC) or threshold (NIST).

And, whether you need CMMC or NIST compliance, you’ll need to implement practices from SP 800-171—and potentially SP 800-172. So, here is a breakdown of controls you’ll need to install for full NIST compliance, or CMMC Level 2, with the potential additions for CMMC Level 3:

• Access Control – 21 Requirements (2 Basic, 19 Derived)
  • Three potential Enhanced AC Requirements for CMMC Level 3
• Awareness & Training – Three Requirements (2 Basic, 1 Derived)
  • Two potential Enhanced AT Requirements for CMMC Level 3
• Audit & Accountability – Nine Requirements (2 Basic, 7 Derived)
• Configuration Management – Nine Requirements (2 Basic, 7 Derived)
  • Three potential Enhanced CM Requirements for CMMC Level 3
• Identification & Authentication – 11 total Requirements (2 Basic, 9 Derived)
  • Three potential Enhanced IA Requirements for CMMC Level 3
• Incident Response – Three total Requirements (2 Basic, 1 Derived)
  • Two potential Enhanced IR Requirements for CMMC Level 3
• Maintenance – Six total Requirements (2 Basic, 4 Derived)
• Media Protection – Nine total Requirements (3 Basic, 6 Derived)
• Personnel Security – Two total Requirements (both Basic, none Derived)
  • Two potential Enhanced PS Requirements for CMMC Level 3
• Physical Protection – Six total Requirements (2 Basic, 4 Derived)
• Risk Assessment – Three total Requirements (1 Basic, 2 Derived)
  • Seven potential Enhanced RA Requirements for CMMC Level 3
• Security Assessment – Four total Requirements (all Basic, none Derived)
  • One potential Enhanced CA Requirement for CMMC Level 3
• System & Communications Protection – 16 total Requirements (2 Basic, 14 Derived)
  • Five potential Enhanced SC Requirements for CMMC Level 3
• System & Information Integrity – Seven total Requirements (3 Basic, 4 Derived)
  • Seven potential Enhanced SI Requirements for CMMC Level 3

Once your mandated selection of Requirements or practices is fully installed, you can run another gap or readiness assessment—or you could begin the official assessment process.

Conduct a CMMC or NIST Assessment

The final step is getting the actual assessment done. For organizations that can self-assess, this will be relatively straightforward. The DCIO provides CMMC Level 1 and Level 2 assessment documentation that can be used to begin a self-assessment at your own pace. If you need third-party or government-led assessment, you need to secure an auditor ahead of time.

For Level 2 third-party assessments, the Cyber AB (formerly CMMC Accreditation Body) certifies vendors you can trust. The best options are organizations committed to working with you holistically, strategizing and implementing controls alongside testing.

At present, governmental assessments are still being developed. It’s unknown what they will comprise or how easy they will be to secure. But what can be safely assumed is that they are likely to be relatively accessible. Unlike other regulations, which can be unforgiving in scope, the CMMC 2.0 framework stresses flexibility. CMMC and NIST maturity assessments gauge relative security and improvements over time. An organization earlier on in its cybersecurity journey may not be ready for exposure to CUI and the suite of risks that comes with processing it at scale.

Whatever threshold of certification you’re seeking, RSI Security will help you achieve it.

 

Optimize Your NIST Assessments Today

Organizations seeking contracts with US government agencies, especially lucrative Defense contracts, often need to prove their security maturity through compliance. The most common frameworks used across all agencies are NIST guides, and military contractors in particular need to implement NIST SP 800-171 (and potentially 800-172) for CMMC and DoD compliance.

RSI Security has helped many organizations prepare for military and other US government contracting work. We believe that discipline creates freedom. We’ll work with your teams to streamline the assessment processes and free up internal resources for what you do best.

To get started preparing for your next NIST assessment, contact RSI Security today!