Everything government contractors Should Know About CMMC and NIST 800-171 Compliance



Are you a contractor for the U.S. government? Have you completed the NIST 800-171 Rev. 2 protocols and CMMC compliance? Did you know even small business cyber-attacks can compromise government security?

Continue reading to get all the details about NIST SP 800-171 Rev. 2 and CMMC. This will ensure that you can continue working with government entities.


What Is NIST 800-171 Rev. 2?

The National Institute of Standards and Technology (NIST) 800-171 became mandatory for US federal agencies in 2017. Revision 2 went into effect in February 2020.

NIST promotes the innovation and industrial competitiveness of US government businesses. It measures business' science, standards, and technology. The goal is to improve economic security and quality of life.


Previous security mandates have only applied to prime contracts. NIST SP 800-171 Rev. 2 also impacts subcontractors. Companies must meet NIST standards if they process, store, or transmit sensitive government data. This applies to contractors who work with the following agencies.

  • Department of Defense (DoD)

  • General Services Administration (GSA)

  • NASA

  • Other federal agencies

There are many changes with the new Cybersecurity Maturity Model Certification (CMMC). Contracting agencies may no longer apt for self-attestation.

The DoD is now implementing the new CMMC framework. This means that companies wishing to be NIST 800-171 compliant must complete CMMC. An independent third-party organization handles the CMMC accreditation.


Controlled Unclassified Information (CUI)

CUI includes all information covered by a law, regulation, or government-wide policy mandating safeguards or dissemination controls. Protecting CUI is the central focus of NIST 800-171 Rev. 2.

CUI held by nonfederal systems or businesses can directly impact the government’s mission readiness. This NIST regulation describes security protocols to protect CUI.

This means that all non-government entities must follow these standards if they:

  • Collect or maintain federal information

  • Use or operate systems for the government

  • Operate with new safeguard requirements for CUI protection

NIST applies to nonfederal businesses that process, store, and/or send CUI. This includes entities that provide protection for these components as well.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) values security. This office works with the Defense Industrial Base sector. Together, they ensure the protection of CUI throughout the supply chain.

The OUSD(A&S) and DoD stakeholders developed the Cybersecurity Maturity Model Certification (CMMC).


Cybersecurity Threats

Today, cyber-attacks threaten the government’s readiness stance. This is why it’s imperative for all agents who handle CUI to maintain secure systems. Examples of how cybercriminals can gain access includes:

  • Emails using phishing strategies

  • Viruses

  • Spyware

  • Malware

  • Rootkits

  • Trojans

Ransomware represents a significant issue for cybersecurity professionals. The attack begins with the hacker gaining access to the computer and/or network. They encrypt the victim’s files and deny access to the system.

These cybercriminals have now taken their ransomware to new levels. Once they encrypt the files, they now make copies.

The victim then receives a demand for payment to unlock the system. Next, the criminals demand more money to not publishing copies of the victim’s data. It’s easy to see how this can create a significant security concern for the government.