For the uninitiated, the world of cybersecurity compliance and cybersecurity standards may be exceedingly perplexing. There are many acronyms, restrictions, and regulations. If you are a federal contractor in the United States, cybersecurity compliance is no longer optional. With the introduction of CMMC, the Federal Government is taking security compliance extremely seriously and is adopting a more aggressive enforcement posture.
What exactly is NIST 800-171?
If you work for the government, you have probably heard of National Institute of Standards and Technology (NIST) Special Publication 800-171. NIST 800-171 is a cybersecurity framework designed to assist Federal Contractors and organizations in the Department of Defense supply chain in securing Controlled Unclassified Information (CUI). Like many other cybersecurity frameworks, NIST 800-171 uses the idea of Security Controls to identify the specific actions that must occur in order to provide effective protection.
NIST 800-171 includes 171 security controls ranging in complexity from information security fundamentals, such as preventing unauthorized physical access to IT systems and ensuring change management processes are in place, to more complex mechanisms aimed at identifying or blocking the more advanced techniques often used in nation-state attacks.
Is NIST 800-171 certification available?
The current DFARS approach relies on self-certification, so there is no NIST 800-171 certification. This is changing rapidly. In 2019 the Department of Defense announced the establishment of the Cybersecurity Maturity Model Certification (CMMC).
CMMC is a framework based on the lessons learned from NIST 800-171, the NIST Cybersecurity Framework, FedRAMP, and other security frameworks, and it will require a review of an organization's compliance by a third-party assessment organization (3PAO). Before a Defense Industrial Base (DIB) contractor is permitted to receive future government contracts, this procedure will verify that the contractor has satisfied a number of controls from NIST 800-171 and three additional frameworks.
Following a series of attacks, the Department of Defense has made protecting controlled unclassified information a top priority. Even for non-federal enterprises, the US government is placing increasing emphasis on the integrity of CUI.
NIST 800-171 and DFARS
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR). Essentially, DFARS establishes extra requirements that federal contractors must meet in order to serve as prime contractors or subcontractors for the Department of Defense.
DFARS clause 252.204-7013, Safeguarding Covered Defense Information and Cyber Incident Reporting, addresses cybersecurity and requires businesses to self-certify that they are fully compliant with NIST 800-171.
What exactly is CMMC?
NIST 800-171 is the primary foundation for CMMC, but CMMC also incorporates elements from NIST SP 800-53, NAS9933, and CERT RMM V1.2.
Once CMMC is implemented, contractors will be required to undergo an independent assessment by an organization from a pre-approved list to confirm that they have satisfied DoD cybersecurity requirements.
Each contract will specify a required CMMC maturity level, and in order to bid, the contractor must already have been successfully assessed and certified at that level.