
CMMC vs NIST 800-171: What Has Changed

Published on August 20, 2020

More than a year has passed since the Department of Defense revealed the CMMC framework as the enforcement vehicle for the security controls laid out in NIST SP-800-171. During that time, the certification requirements became clearer, auditors were trained, and DoD contractors began preparing for the sea change that was about to happen.

The CMMC is being taken very seriously by both the DoD and its contractors—and with good reason.

The CMMC is a set of cybersecurity standards for DoD contractors and an enforcement regime for those standards through third-party audits. There are significant differences between CMMC and 800-171, but since CMMC essentially enforces 800-171, there are also many similarities.

How CMMC and 800-171 Are Similar

The CMMC framework isn't revolutionary. In fact, it largely codifies security practices that any company or organization should already be following. For instance, CMMC Level 1 practices include identifying and authenticating users, remediating known flaws (such as applying operating system updates) in a timely manner, and periodically scanning systems for malicious code.

In that way, CMMC is similar to NIST SP 800-171, which the DoD required its roughly 300,000 contractors to implement under DFARS by the end of 2017. Both outline the controls DoD contractors must implement to protect controlled unclassified information (CUI) and the systems that process it.

Another similarity is that both CMMC and 800-171 reach contractors through the Federal Acquisition Regulation (FAR), the rulebook that documents how the federal government purchases things. As you can imagine, the policies outlined in the FAR are comprehensive. They govern how the government procures everything from battleships and spy satellites to toilet paper and everything in between. For that reason, federal agencies supplement the FAR with agency-specific policies.

The DoD flavor of the FAR is called the Defense Federal Acquisition Regulation Supplement, or DFARS, and the document is huge. Buried deep in the DFARS is a clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting" (DFARS 252.204-7012). It requires contractors to provide "adequate security" for covered defense information, which the clause defines as implementing NIST SP 800-171, and to rapidly report cyber incidents to the DoD, within 72 hours of discovery. Until CMMC, verifying that those requirements were actually met was left largely to the contractor itself.

That clause is where the two frameworks meet. It made 800-171 mandatory for defense contractors, and CMMC was created later to enforce it. The differences between the two follow from that sequence.

NIST 800-171 Revisions and 800-172: Differences

This is a quick aside about 800-171. The document's own revision history helps explain the differences between 800-171 and CMMC and why the DoD built CMMC the way it did. NIST SP 800-171 is the root document for the CMMC, and several versions matter: Revision 1, Revision 2, the draft companion document 800-171B, and its successor, draft 800-172.

NIST SP 800-171 Revision 1, the first comprehensive update of the publication, was released in December 2016.

NIST SP 800-171 Revision 2 was released as a draft in June 2019 and published in final form in February 2020, superseding Revision 1. Its changes were editorial; the 110 security requirements themselves did not change.

Draft NIST SP 800-171B, also released in June 2019, was not a revision of 800-171 but a companion to it: a set of enhanced security requirements for CUI associated with critical programs and high value assets. It was withdrawn in July 2020 when its content was reissued as draft SP 800-172.

Draft NIST SP 800-172 is therefore the current form of those enhanced requirements. NIST is accepting public comments on it through August 2020.

This churn shows how hard it can be for DoD contractors to keep up with guidance. Each document differs from the others in nuanced ways.

For instance, NIST SP 800-171 Rev 2 is the baseline that every contractor handling CUI must meet, while 800-171B (now 800-172) adds enhanced requirements, aimed at advanced persistent threats, for the subset of CUI tied to critical programs and high value assets.

DoD contractors have been required to abide by DFARS for years, so they have long been obligated to implement the requirements in NIST 800-171. In practice, those requirements proved so comprehensive and, for many contractors, so complicated that a substantial number of DoD contractors weren't in full compliance, and untold numbers of subcontractors supporting the prime contract holders didn't even have 800-171 on their radar.

Those gaps are why CMMC departs from 800-171 in the ways it does.

How CMMC Differs from NIST 800-171

While the CMMC is mainly derived from 800-171, the two are also very different. The CMMC framework is a significant departure from the NIST SP 800-171 framework in two important ways:

  1. Contractors must have their security controls verified by an accredited third-party assessor rather than self-attesting to compliance.

  2. Certification at the level a contract specifies is a condition of award. A contractor must hold the certification before it can win or participate in the contract, rather than promising to reach compliance afterward.

The DoD designed CMMC to enforce compliance with NIST SP 800-171.

Adoption rates remained low despite the 800-171 mandate. Under 800-171, a contractor that couldn't meet a requirement simply documented the gap: the System Security Plan (SSP) described the system and its controls, and a Plan of Action and Milestones (POA&M) listed the unmet requirements and when they would be fixed. Remediation timelines were extremely lenient.

It wasn't uncommon for a POA&M to stretch out over a year or more. In the meantime, the contractor could continue to execute the contract and handle DoD data on the promise to meet standards it should have already achieved. CMMC closes that loophole: every practice required at a given level must be in place at the time of assessment.

The CMMC Goes Beyond NIST 800-171


While NIST 800-171 and its revisions form the core of the CMMC, 800-171 is focused on baseline protection of controlled unclassified information. CMMC's levels pull in other sources as well. Level 1 consists of the basic safeguarding requirements in 48 CFR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems." Level 3 includes all 110 requirements of NIST SP 800-171 Rev 2 plus additional practices. Levels 4 and 5 draw on the enhanced requirements of NIST SP 800-171B (now draft 800-172), with NIST SP 800-53 and other publications cited as references throughout. DFARS Clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," remains the contractual vehicle that ties all of this to the contract.

To oversimplify, a CMMC certification affirms that a contractor meets all applicable NIST 800-171 requirements (and, at higher levels, more). Meeting those requirements satisfies the contractor's obligations under DFARS, which in turn sits under the FAR. That chain is what makes the contractor eligible to do business with the DoD.

Understanding the Benefits of the CMMC

One reason for low levels of NIST 800-171 compliance among contractors was the sheer complexity of the requirements. When the DoD required full conformity to NIST 800-171, a document designed to cover virtually all contractor systems, it simply wasn't feasible for most small to mid-size contractors. Many didn't even have the technical capacity to fully understand the requirements or complete a self-assessment, let alone implement them.

Although complex, one of the CMMC's benefits is that it summarizes a tremendously broad array of federal guidelines, requirements, publications, and best practices and arranges them into easily defined CMMC certification levels.

Before the CMMC, mapping specific control mechanisms to NIST 800-171 requirements was tremendously difficult. Contractors could implement multiple advanced features and still miss several elementary controls, leaving basic gaps in their information systems.

The CMMC model lists, level by level, the practices and processes a contractor must have in place, so a contractor can determine what level of certification it needs and the specific controls it must implement to earn it. We've compiled all of these controls and sorted them into what is essentially a NIST 800-171 checklist that makes it easy to work through each of the CMMC certification levels.

CMMC Improvements Over NIST 800-171

NIST special publications (such as NIST 800-171 Rev 2 and draft NIST 800-171B) are guidance, while CMMC levels confirm that contractors have actually met those (and other) requirements. Beyond that, introducing the CMMC has improved on the basic structure of NIST 800-171 in several ways.

First, the CMMC has increased the number of cybersecurity domains. While NIST 800-171 only included 14 domains, the CMMC further subdivides cybersecurity requirements into three additional domains: asset management, recovery, and situational awareness. The CMMC's higher specificity makes it easier for contractors to understand what they must do and why.

Second, NIST 800-171 focuses primarily on controls, practices, and their application. The CMMC specifically evaluates how maturely a company approaches cybersecurity and incorporates those controls into the company's DNA. Emphasizing a company's security maturation dials in on a self-perpetuating culture that will eventually result in a much higher level of information protection than just using a checklist of control mechanisms from NIST 800-171.

At the higher CMMC levels, assessors will specifically look for more advanced cyber threat intelligence capabilities, including practices such as threat hunting and sharing threat intelligence with other organizations.

Third, the CMMC references more extensive controls than are described in NIST 800-171. Of the 171 total controls required across all five CMMC levels, 46 aren't found in either NIST 800-171 Rev 2 or NIST 800-171 Rev B. These best practices are drawn from expert sources that include the Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), and the NIST Cybersecurity Framework (CSF).

CMMC vs NIST 800-171: What Changed

Quite a bit has changed since contractors were given a blanket requirement to abide by NIST 800-171. The CMMC expands the control mechanisms outlined in NIST 800-171, emphasizes a contracting organization's maturity and culture of information protection, and replaces self-attestation with a verifiable, third-party certification that must be earned before a contract is awarded.

The CMMC doesn't replace either NIST 800-171 Rev 2 or NIST 800-171B (now draft 800-172). It summarizes and augments them with other cybersecurity resources. Adopting the CMMC is a step forward in information protection for the DoD specifically and the federal government as a whole.

