CMMC

NIST SP 800-171 Basics: What You Need to Know

In January 2020, the Department of Defense released the CMMC, which is the latest iteration of the cybersecurity framework for prime and subcontractors. This is new cyber security standard for defense contractors, many of whom were using NIST 800-171 as the previous security guidance. Although there is some overlap in the two programs, there are distinct differences between the programs that we will discuss below.

What is NIST SP 800-171?

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It provides set standards for defining how to safeguard and distribute material deemed sensitive but not classified.

NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003, resulting in the creation of several new security standards and guidelines. NIST 800-171 was created, in part, to improve cybersecurity, especially after numerous well-documented breaches such as the U.S. Postal Service and National Oceanic and Atmospheric Administration.

Why & When is NIST SP 800-171 Certification Necessary?

NIST 800-171 was a previous cybersecurity standard for government contractors who handled CUI in non-Federal Information Systems. The controls set forth in NIST 800-171 align closely to those in CMMC Level 3. However, the major difference between the two is in how the security standards are/were implemented. NIST 800-171 only required self-attestation; that is, organizations could state that they had met all the security controls and/or had a plan in place to address them.

To achieve CMMC Level 3 certification, a defense contractor must work with a Certified Third-Party Authorizing Organization (C3PAO) to assess the contractor’s security processes, practices and maturity. The C3PAO will then make a recommendation to the CMMC Accreditation Body (CMMCAB) regarding which level the contractor should qualify for. The CMMCAB is in the process of developing training now to get C3PAOs trained and certified.

What Are The Requirements of NIST SP 800-171?

Government Contractors who need access to CUI must implement and verify compliance and create security protocols for 14 key areas of NIST 800-171. As we mentioned earlier, CMMC is the new cybersecurity standard for the Defense Industrial Base, but it is important to note that the NIST 800-171 controls form an important part of the standards. Here’s a quick look at the specific controls as outlined in NIST 800-171:

1. Access Control: Who is authorized to view this data?
2. Awareness and Training: Are people properly instructed in how to treat this info?
3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
4. Configuration Management: How are your networks and safety protocols built and documented?
5. Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
6. Incident Response: What’s the process if a breach or security threat occurs, including proper notification.
7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
9. Physical Protection: Who has access to systems, equipment and storage environments?
10. Personnel Security: How are employees screened prior to granting them access to CUI?
11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
14. System and Information Integrity: How quickly are possible threats detected, identified and corrected?

How Does It Compare to CMMC?

Though CMMC and NIST 800-171 are similar in nature and share a common goal – the protection of CUI – there are distinct differences between the two:

• CMMC will be a contractual requirement, included in RFIs beginning in June 2020. CMMC will also require an audit by a Cybersecurity 3rd-party Authorization Organization (C3PAO). NIST 800-171 merely requires self-attestation.
• CMMC has 5 levels of compliance, depending on the sensitivity of the information in any given contract, whereas NIST SP 800-171 has one basic level with an additional supplement for enhanced protections (NIST SP 800-171B).
• CMMC includes several cybersecurity controls and standards into a (new) single framework; in this sense, NIST 800-171 is one of many foundational elements of CMMC.
• Like NIST 800-171, CMMC will assess the cybersecurity controls of the company. However, CMMC will also evaluate and confirm a contractor’s maturity, especially with regards to processes and practices.

Once DoD contractors acquire their CMMC certification, they will be required to get re-certified at the appropriate time. As we have already mentioned, NIST 800-171 only required self-attestation for the standard to be met.

Learn More About CMMC

NeoSystems Provides Comprehensive CMMC Compliance Solutions

NeoSystems offers a comprehensive CMMC compliance solution for government contractors. We allow you to shift the compliance burden to NeoSystems, and we take on the responsibility for successfully achieving CMMC certification on the client’s behalf. Contact us today to schedule a complimentary consultation with our security experts.

Contact NeoSystems