CMMC vs NIST 800-171: What Has Changed
More than a year has passed since the Department of Defense revealed the CMMC framework as the enforcement vehicle for the security controls laid out in NIST SP-800-171. During that time, the certification requirements have become clearer, auditors have been trained, and DoD contractors have begun preparing for the sea change that's about to happen.
The CMMC is being taken very seriously by both sides: the DoD and its contractors — and with good reason.
The CMMC is a set of cybersecurity standards for DoD contractors as well as an enforcement regime for those standards through third-party audits. There are significant differences between CMMC and 800-171, but since CMMC essentially enforces 800-171 there are also many similarities.
How CMMC and 800-171 Are Similar
The CMMC framework isn't revolutionary. In fact, the CMMC merely outlines security best practices that any company or organization should already be following. For instance, CMMC Level 1 controls include things like: setting password policies, updating operating systems regularly, and performing periodic scans of the system.
In that way, CMMC is similar to the NIST SP-800-171 standards, which the DoD rolled out in 2018 to its approximately 300,000 contractors. Both standards outline the controls DoD contractors should implement to protect their data and systems.
Another similarity is that both CMMC and 800-171 are derived from the FAR, or Federal Acquisition Regulation, which documents how the federal government purchases things. As you can imagine, the policies outlined in the FAR are incredibly broad. They govern how the government procures everything from battleships and spy satellites to toilet paper, and everything in between. For that reason, federal agencies supplement the FAR with agency-specific policies.
The DoD flavor of the FAR is called the Defense Federal Acquisition Regulation Supplement, or DFARS — and the document is huge. Buried deep in the DFARS there's a section titled: "Safeguarding covered defense information and cyber incident reporting" (DFARS 252.204-7012). Among the things covered in that section is "adequate security" for contractors and a series of reporting standards that largely put it on the contractor to ensure compliance.
From that section, both CMMC and 800-171 were born. First came 800-171, and then from it came CMMC — and all the ways they differ.
NIST 800-171 Rev 1 & 800-172: Differences
A quick aside about 800-171. Changes to this standard also show the differences between 800-171 and CMMC, and how the DoD prepared the CMMC. NIST SP 800-171 is the root document for the CMMC, and has several important revisions: Revision 1, Revision 2, Revision B, and 800-172.
NIST SP 800-171 Revision 1 was the first comprehensive update of the overall publication. Revision 1 was first released in December 2016. You can read the full document here.
NIST SP 800-171 Revision 2 superseded Revision 1 in February 2020. This revision was initially released in June 2019, withdrawn in February 2020, and is currently being circulated as a draft. You can read the full draft document here.
NIST SP 800-171 Revision B was the latest version of the 800-171 regulations, but it was withdrawn in July 2020 to make way for 800-172. Similar to Revision 2, Revision B was originally published in June 2019 and withdrawn in July of 2020. Read the full draft document here.
NIST SP 800-172 is the latest draft version of the 800-171 regulations. The DoD is accepting public comments until August 2020. Read the full draft document here.
The revised drafts show the difficulty DoD contractors can experience keeping up with guidance. Each version differs from the original in nuanced ways.
For instance, NIST SP 800-171 Rev 2 provides overall guidelines for all DoD contractors to protect CUI, while NIST SP 800-171 Rev B digs into higher levels of security for information that absolutely cannot be compromised.
DoD contractors have been required to abide by DFARS for years, which means they had to implement the standards outlined in NIST 800-171. Until recently, NIST requirements were so all-encompassing, complicated, and comprehensive that a substantial number of DoD contractors weren't in full compliance — and untold numbers of subcontractors that supported the prime contract holders didn't even have NIST standards on their radar.
For these reasons, CMMC also differs greatly from the 800-171 in important ways.
How CMMC Differs from NIST 800-171
While the CMMC may be derived largely from 800-171, they are also very different. The CMMC framework is a significant departure from the NIST SP 800-171 framework in two important ways:
- Contractors must certify security controls through third-party audits rather than self-certification.
- Contractors must certify in order to be eligible to bid on or participate in a contract.
Essentially, the DoD designed CMMC to enforce compliance with NIST SP 800-171.
Although the DoD launched the 800-171 standards in 2018, adoption rates remained low. Even when the DoD identified an area of non-compliance, remediation plans were extremely lenient under 800-171. In the event of an incident or failure, the contractor would outline a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
But it wasn't uncommon for a POA&M to stretch out over the course of a year or more. In the meantime, the contractor could continue to execute the contract — and access DoD systems on the promise to meet the standards they should have already achieved.
The CMMC Goes Beyond NIST 800-171
While NIST 800-171 and its revisions form the core of cybersecurity standards, it is primarily focused on lower-level protections to safeguard controlled unclassified information. Publications such as NIST SP 800-172 and NIST SP 800-53, and regulations like 48 CFR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," and DFARS Clause 252.204-7012, "Defense Industrial Base Compliance Information," make up most of the higher-level requirements. However, specific CMMC-required controls are referenced from other source documentation.
To oversimplify, the CMMC affirms that a contractor is abiding by all applicable NIST 800-171 (among other guidance) requirements. Abiding by NIST 800-171 and other relevant publication requirements means that a contractor is operating in accordance with DFARS regulations, which comply with the FAR, and means the DoD can do business with the approved contractor.
Understanding the Benefits of the CMMC
One of the reasons for low levels of NIST 800-171 compliance among contractors was the sheer complexity of the requirements. When the DoD required full conformity to NIST 800-171, a document designed to cover virtually all contractor systems, it simply wasn't feasible for the majority of small to mid-size contractors. Many of them didn't even have the technical capacity to fully understand the requirements or complete a self-assessment, let alone implement them.
Although complex, one of the benefits of the CMMC is that it summarizes a tremendously broad array of federal guidelines, requirements, publications, and best practices and arranges them into easily defined CMMC certification levels. Before the CMMC, mapping NIST 800-171 to specific control mechanisms was tremendously difficult; contractors could implement multiple advanced features and still miss several elementary controls, leaving backdoor access to their information systems open.
The CMMC provides a basic NIST 800-171 system security plan template so contractors can determine what level of certification they need and the specific controls they must put in place to earn it. We've compiled all of these controls and sorted them into what could essentially be called a NIST 800-171 checklist that makes it easy to work through each of the CMMC certification levels.
CMMC Improvements Over NIST 800-171
NIST special publications (such as NIST 800-171 Rev 2 and NIST 800-171 Rev B) are guidance, while CMMC levels are simply a confirmation that contractors have met that (and other) requirements. However, introducing the CMMC has improved the basic structure of NIST 800-171 in several ways.
First, the CMMC has increased the number of cybersecurity domains. While NIST 800-171 only included 14 domains, the CMMC further subdivides cybersecurity requirements into three additional domains: asset management, recovery, and situational awareness. The CMMC's higher specificity makes it easier for contractors to understand what they're required to do and why.
Second, NIST 800-171 focuses primarily on controls, practices, and how they're applied. The CMMC specifically evaluates how maturely a company approaches the realm of cybersecurity and incorporates those controls into the company's DNA. Emphasizing a company's security maturation dials in on a self-perpetuating culture that will eventually result in a much higher level of information protection than just using a checklist of control mechanisms from NIST 800-171. At the higher CMMC levels, DoD auditors will specifically look for more advanced cyber threat intelligence, including practices such as threat hunting and intel sharing with other organizations.
Third, the CMMC references more extensive controls than are described in NIST 800-171. Of the 171 total controls required across all five CMMC levels, 46 aren't found in either NIST 800-171 Rev 2 or NIST 800-171 Rev B. These best practices are drawn from expert sources that include the Center for Internet Security (CIS), the CERT Resilience Management Model (CERT-RMM), and the NIST Cybersecurity Framework (CSF).
CMMC vs NIST 800-171: What Changed
Quite a bit has changed since contractors were given a blanket requirement to abide by NIST 800-171. The CMMC expands the control mechanisms outlined in NIST 800-171, emphasizes a contracting organization's maturity and culture of information protection, and drastically simplifies the process by which a contractor is certified as compliant.
The CMMC doesn't replace either NIST 800-171 Rev 2 or NIST 800-171 Rev B. It merely summarizes and augments them with other cybersecurity resources. Overall, adopting the CMMC is a step forward in information protection for the DoD specifically and the federal government as a whole.