Organizations that contract with the US Military provide vital materials, products, and services that keep the country—and the world—safe. But to do so effectively, they need to comply with several regulatory standards. The critical ones are all connected: CMMC, NIST, and DFARS.
CMMC, NIST, DFARS, and Defense Industrial Base Security
Organizations that contract with the Department of Defense (DoD) make up the Defense Industrial Base (DIB). Every single entity in this community comes into contact with large amounts of sensitive information that needs to be protected. The DoD has worked with other governmental and private agencies to develop and maintain security standards to that effect.
In a nutshell, DoD compliance comprises three distinct but interconnected frameworks:
- The Cybersecurity Maturity Model Certification (CMMC) program
- National Institute of Standards and Technology (NIST) regulations
- Defense Federal Acquisition Regulation Supplement (DFARS) rules
For current and prospective DoD contractors, CMMC is the most comprehensive of the three; working with a CMMC compliance partner will help you prepare for what lies ahead.
The Cybersecurity Maturity Model Certification Program
CMMC is a regulatory framework developed by the DoD and other governmental stakeholders to optimize cybersecurity across the DIB. Its primary goals are related to two forms of data that are present in DIB ecosystems: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). A contractor’s Level and requisite controls depend on which of these kinds of data they process, to what extent, and the amount and severity of threats to the sensitive data.
Currently, the DoD Chief Information Officer (CIO) oversees the CMMC program as the primary compliance authority. Recent updates aim to streamline accessibility for both current and prospective DoD contractors.
Because the program is new and still evolving, many organizations may still be using terminology that has only recently been superseded. For example, many organizations were preparing for compliance with one of five “Maturity Levels” in an earlier form of CMMC. Governing bodies have changed as well: the program used to be run by the Office of the Undersecretary of Defense for Acquisition & Sustainment (OUSD (A&S)), and now, as noted above, it is overseen by the DoD CIO.
These changes extend to the assessment ecosystem, which we’ll cover in detail below.
How CMMC 2.0 Compares to Earlier Versions of the Program
The biggest changes to CMMC in recent years have been to the framework itself and to the assessment ecosystem (see below). On both fronts, the changes have been in service of making compliance more streamlined and straightforward for every party involved.
The CMMC 2.0 framework comprises 134 total possible controls that contractors need to implement and maintain, depending on which Level they fall into. Unlike prior editions, these controls are taken directly from NIST rather than being loosely based on them.
As of CMMC 2.0, there are three levels that DoD contractors can be categorized into:
- CMMC 2.0 Level 1 – Tailored for organizations handling only Federal Contract Information (FCI), with minimal cybersecurity risks and requirements. There are 15 requirements aligned with NIST SP 800-171 (see below), and organizations are able to perform annual self-assessments to comply.
- CMMC 2.0 Level 2 – Focuses on organizations managing Controlled Unclassified Information (CUI) alongside FCI. It encompasses 110 requirements aligned with NIST SP 800-171 and typically requires triennial third-party assessments with annual affirmations.
  - This level of maturity is roughly equivalent to Level 3 in earlier versions of CMMC. The intermediate Level 2 was phased out in service of simplification.
- CMMC 2.0 Level 3 – Designed for organizations that process CUI and FCI in high-risk environments with advanced persistent threats (APTs). There are 134 requirements from SP 800-171 and 800-172 (see below) with government-led assessments for compliance.
  - Similarly, this final level is equivalent to Level 5 in earlier versions of CMMC. An intermediate Level 4 was phased out in favor of full APT protection at this stage.
As these breakdowns illustrate, understanding the NIST frameworks from which CMMC derives its requirements is essential to their implementation, assessment, and long-term maintenance.
The Impact of NIST Special Publications on the DIB
NIST’s Special Publications influence most, if not all, frameworks that apply to governmental offices and the private organizations they work with. In the case of CMMC, NIST SP 800-171 and SP 800-172 form the basis of the controls that DoD contractors implement to comply. When you implement CMMC, you are essentially implementing NIST’s controls.
NIST SP 800-171 and NIST SP 800-172 both comprise controls meant to protect CUI. The former defines Basic and Derived Security Requirements, which loosely correspond to CMMC 2.0 Levels 1 and 2, respectively (see below). NIST SP 800-172 expands on these by introducing Enhanced Security Requirements specifically designed to address and mitigate APTs.
Here is an overview of all Requirements across both documents by Requirement Family:
- Access Control – Restriction, monitoring, and control over access to sensitive systems
  - Two Basic Security Requirements
  - 19 Derived Security Requirements
  - Three Enhanced Security Requirements
- Awareness and Training – Baselines for training and assessing staff for awareness
  - Two Basic Security Requirements
  - One Derived Security Requirement
  - Two Enhanced Security Requirements
- Audit and Accountability – Schedules and minimum requirements for regular auditing
  - Two Basic Security Requirements
  - Seven Derived Security Requirements
- Configuration Management – Baseline settings required on all organizational assets
  - Two Basic Security Requirements
  - Seven Derived Security Requirements
  - Three Enhanced Security Requirements
- Identification and Authentication – User identity, account, and credential management
  - Two Basic Security Requirements
  - Nine Derived Security Requirements
  - Three Enhanced Security Requirements
- Incident Response – Protocols for mitigation and recovery in the event of an incident
  - Two Basic Security Requirements
  - One Derived Security Requirement
  - Two Enhanced Security Requirements
- Maintenance – Scheduling for regular and special event updates and repair work
  - Two Basic Security Requirements
  - Four Derived Security Requirements
- Media Protection – Safeguards for onboarding, managing, and terminating devices
  - Three Basic Security Requirements
  - Six Derived Security Requirements
- Personnel Security – Protections during recruitment, hiring, and personnel moves
  - Two Basic Security Requirements
  - Two Enhanced Security Requirements
- Physical Protection – Restrictions on physical and proximal access to sensitive data
  - Two Basic Security Requirements
  - Four Derived Security Requirements
- Risk Assessment – Mandates for risk monitoring, analysis, and overall mitigation
  - One Basic Security Requirement
  - Two Derived Security Requirements
  - Seven Enhanced Security Requirements
- Security Assessment – Regular system-wide assessments to ensure efficacy
  - Four Basic Security Requirements
  - One Enhanced Security Requirement
- System and Communications Protection – Controls across communications
  - Two Basic Security Requirements
  - 14 Derived Security Requirements
  - Five Enhanced Security Requirements
- System and Information Integrity – Protections for confidentiality and privacy
  - Three Basic Security Requirements
  - Four Derived Security Requirements
  - Seven Enhanced Security Requirements
Note that while NIST’s Basic and Derived Requirements inform CMMC 2.0 Levels 1 and 2, they do not directly correspond in a one-to-one manner. For example, Access Control has two Basic Security Requirements in NIST, but there are four AC requirements for CMMC 2.0 Level 1.
However, there is a direct correspondence between Enhanced Requirements and CMMC 2.0 Level 3—only organizations at that level are expected to implement these advanced controls.
How DFARS Shapes DoD and DIB Cybersecurity
DFARS serves as the foundational regulation driving the need for CMMC and NIST compliance across the Defense Industrial Base (DIB). The Federal Acquisition Regulation (FAR) applies to all executive agencies and sets the parameters for their dealings with entities across the public and private sectors. DFARS is a supplement to these rules that applies specifically to the branches of the US Military. Given the scope and sensitivity of the DoD’s contracting relationships, DFARS places special emphasis on security and privacy.
In essence, several clauses within DFARS 252.204 stipulate that contractors working with the US Military must conduct assessments to verify compliance with NIST requirements. The CMMC program was born out of an effort to simplify and streamline these requirements. In a nutshell, NIST’s standards have always been what US Military contractors have needed to achieve, per DFARS. CMMC streamlined these requirements into a more accessible implementation and assessment scheme, and DFARS is the baseline document that requires CMMC and NIST.
What this all means in practice is that CMMC is the regulation to focus on for contractors.
Assessments for CMMC and DoD Compliance
As noted above, recent changes to CMMC have impacted the assessment ecosystem. In particular, more organizations are now eligible to self-assess, and the processes and oversight for higher-level assessments have changed. While the DoD CIO is in charge of overall CMMC governance, it is not the only entity overseeing assessments. Other players are the Cyber-AB (formerly the CMMC Accreditation Body) and the DIB Cybersecurity Assessment Center (DIBCAC).
Organizations at CMMC 2.0 Level 1 are generally eligible to self-assess their implementation. A Level 1 Self-Assessment Guide is available from the DoD CIO. However, it is still recommended for these organizations to work closely with an advisor to ensure their assessments go smoothly.
The vast majority of organizations seeking CMMC compliance should be targeting Level 2. This involves full coverage of NIST SP 800-171 and, perhaps more critically, a third-party assessment. These assessments need to be conducted by Certified Third Party Assessment Organizations (C3PAOs), which themselves go through rigorous vetting via the Cyber-AB. Working with an advisor in the run-up to formal assessment helps, and the best C3PAO partners can also provide comprehensive support in scoping, preparation, and implementation processes.
Organizations at CMMC 2.0 Level 3 also have their work cut out for them, as they need to undergo a government-led assessment through DIBCAC. As with Levels 1 and 2, organizations should work with an advisor to prepare for these formal triennial assessments.
Prepare for Full DoD Compliance, Efficiently
Together, DFARS, NIST, and CMMC create a cohesive framework to secure sensitive data within the Defense Industrial Base, safeguarding national security and operational integrity. By extension, they ensure the security of the armed forces and of Americans across the country and the world. Understanding the interplay between these frameworks and rulesets is essential to establishing a relationship with the DoD.
RSI Security is a fully accredited C3PAO vetted and listed by the Cyber-AB. Our experience working with military and other government contractors is extensive, and we’ve been helping organizations prepare for full DoD compliance since long before the current version of CMMC was released. We know that discipline upfront unlocks the freedom to grow in the long run.
To learn more about how we can help you comply, contact RSI Security today!