Everything Government Contractors Should Know About CMMC and NIST 800-171 Compliance



Are you a contractor for the U.S. government? Have you implemented the NIST SP 800-171 Rev. 2 requirements and completed CMMC certification? Did you know that a cyber-attack on even a small business can compromise government security?

Continue reading to get all the details about NIST SP 800-171 Rev. 2 and CMMC. This will ensure that you can continue working with government entities.


What Is NIST 800-171 Rev. 2?

The National Institute of Standards and Technology (NIST) published Special Publication 800-171 to protect sensitive government information on nonfederal systems. Compliance became mandatory for DoD contractors under DFARS clause 252.204-7012 at the end of 2017. Revision 2 was published in February 2020.

NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. The goal is to enhance economic security and improve quality of life.


Earlier security mandates typically applied only to prime contractors. The DFARS clause that imposes NIST SP 800-171 Rev. 2 also flows down to subcontractors. Companies must meet the NIST requirements if they process, store, or transmit sensitive government data. This applies to contractors who work with the following agencies.

  • Department of Defense (DoD)

  • General Services Administration (GSA)

  • NASA

  • Other federal agencies

The new Cybersecurity Maturity Model Certification (CMMC) brings many changes. Contractors can no longer rely solely on self-attestation of their security posture.

The DoD is now implementing the CMMC framework. This means that companies that handle CUI under DoD contracts must implement the NIST 800-171 requirements and obtain CMMC certification. An independent third-party assessment organization conducts the CMMC assessment.


Controlled Unclassified Information (CUI)

CUI includes all information covered by a law, regulation, or government-wide policy mandating safeguards or dissemination controls. Protecting CUI is the central focus of NIST 800-171 Rev. 2.

CUI held by nonfederal systems or businesses can directly impact the government's mission readiness. This NIST publication describes the security requirements that protect CUI.

This means that nonfederal entities must follow these requirements if they:

  • Collect or maintain CUI on behalf of a federal agency

  • Use or operate systems on behalf of a federal agency

  • Handle CUI for which the authorizing law, regulation, or policy prescribes no specific safeguarding requirements

NIST SP 800-171 applies to nonfederal businesses that process, store, and/or transmit CUI. It also applies to entities that provide security protection for the system components that do so.

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is responsible for protecting CUI across the Defense Industrial Base (DIB) sector. Together with DIB companies, it works to ensure the protection of CUI throughout the supply chain.

The OUSD(A&S) and DoD stakeholders developed the Cybersecurity Maturity Model Certification (CMMC).


Cybersecurity Threats

Today, cyber-attacks threaten the government's readiness posture. This is why it is imperative for everyone who handles CUI to maintain secure systems. Examples of how cybercriminals gain access include:

  • Phishing emails

  • Malware, including viruses, spyware, rootkits, and trojans

Ransomware represents a significant issue for cybersecurity professionals. The attack begins with the attacker gaining access to a computer and/or network. They encrypt the victim's files and deny access to the system.

These cybercriminals have now taken ransomware to a new level. Before they encrypt the files, they exfiltrate copies of the data.

The victim then receives a demand for payment to unlock the system. Next, the criminals demand more money not to publish the stolen copies of the victim's data. It is easy to see how this creates a significant security concern for the government.


NIST SP 800-171 Rev. 2 Requirements

All government contractors should know the difference between the NIST requirements and CMMC. NIST SP 800-171 Rev. 2 defines the security requirements; CMMC is the model that verifies, at graduated levels, how completely a contractor has implemented them. Certification at a lower CMMC level does not by itself demonstrate full NIST SP 800-171 compliance.

The CMMC model requires a business to meet one of five cybersecurity levels. These levels build on the 14 requirement families of NIST SP 800-171 Rev. 2:

  • Access control

  • Awareness and training for employees

  • Audit and accountability measures

  • Configuration management

  • Strict identification and authentication protocols

  • Policies for incident response

  • Policies and procedures for maintenance

  • Policies and procedures for media protection

  • Protocols addressing personnel security

  • Protocols for physical protection of assets

  • Risk assessment

  • Schedule for security assessments

  • Protocols to protect systems and communications

  • Protocols ensuring system and information integrity

The required rigor depends on the sensitivity of the CUI involved. This also determines which of the five CMMC levels the business must meet.


Understanding the CMMC

The CMMC consolidates established cybersecurity standards and practices into one model. Its five levels range from basic cyber hygiene to proactive, continuously optimized defenses. These measures serve to decrease the risk of cyber threats.

The levels are designed to keep the cost of compliance proportional to risk. If you are a small company handling only low-sensitivity information, you may only need a Level 1 certification. The DoD specifies the required level in the contract, and an independent, certified third-party assessor conducts the assessment.

The following describes the five levels of the CMMC.


Level 1

This level requires a business to perform "basic cyber hygiene" practices. Examples include running and updating antivirus software and limiting system access to authorized, authenticated users. These practices protect Federal Contract Information (FCI).

FCI is information, not intended for public release, that the government provides to or that contractors generate for the government to develop or deliver a product or service. Companies must not release this data to the public.


Level 2

At this level, contractors must document and implement "intermediate cyber hygiene" practices. Level 2 is a transition step toward Level 3: it requires a subset of the NIST SP 800-171 Rev. 2 requirements for protecting CUI but does not yet cover all of them. Note that CUI is, by definition, unclassified; classified information is governed by separate rules.


Level 3

"Good cyber hygiene" is required for this level. The company must implement all 110 security requirements of NIST SP 800-171 Rev. 2 to safeguard CUI, which includes everything required at the previous levels. It also requires additional practices beyond NIST SP 800-171.


Level 4

All NIST SP 800-171 requirements from the previous levels must be in place, along with further practices. These enhanced measures serve to detect and respond to advanced persistent threats (APTs). Companies must show they can adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

The term APT describes sophisticated, expert adversaries with significant resources. Those resources allow them to create opportunities to infiltrate systems and to execute their attacks through multiple vectors.


Level 5

This level requires the most sophisticated capability to recognize and react to APTs. Standards and processes must be optimized throughout the company.


Achieving NIST and CMMC Compliance

Does your company work with government entities? For many businesses, meeting the NIST 800-171 requirements and completing the CMMC process can be overwhelming.

C-Edge has provided compliance and risk management services to the DoD for over 15 years. We work with operational management, system design, system maintenance, and system acquisition.

Contact us today and let us help you complete your NIST and CMMC compliance assessment.

