Are NIST and CMMC the Same Thing?

If your organization works with our armed forces in any way, a significant cybersecurity policy change is already in the pipeline.

The Department of Defense (DoD) is rolling out Cybersecurity Maturity Model Certification version 2.0, commonly referred to as CMMC. The new standards will impose vastly different compliance mandates than previous cybersecurity approaches, including those set under National Institute of Standards and Technology guidelines known as NIST 800-171.

To say NIST CMMC confusion exists across the military defense landscape would be something of an understatement. That’s largely because CMMC builds on much of the NIST framework that pervaded the cybersecurity mandates of the military industrial base and supply chain. It’s essential for organizations that enjoy the profit-driving rewards of defense contracts to understand and know the key NIST/CMMC differences. Updating your cyber hygiene to meet the approaching CMMC 2.0 mandate will eliminate the possibility of getting sidelined and losing contracts to competitors.

What is NIST 800-171?

The NIST 800-171 regulations are a codified requirement designed to ensure non-governmental systems follow stringent cybersecurity protocols to protect specific sensitive data. The most notable type is Controlled Unclassified Information (CUI), which organizations may process, store or transmit.

The initial NIST framework was rolled out in 2014 when Congress passed the Cybersecurity Enhancement Act. Since then, it has been expanded and updated in an effort to keep pace with emerging digital national security threats, e.g., nation-state hackers. Although a major step forward in developing a cohesive strategy to prevent rogue nations from learning American military secrets, it was not necessarily applied evenly.

One of the primary shortcomings of NIST involved allowing self-assessments. Organizations handling CUI, and even more sensitive data, were allowed to self-audit their networks and cybersecurity posture. Investigations into hacks uncovered the fact that companies had not maintained the cyber resilience outlined in the NIST protocols. Leveling fines and suspending violators after the fact could not cure the issue that advanced persistent threats were pilfering off critical information.

What is CMMC?

During the previous White House administration, former South Carolina Congresswoman Katie Arrington spearheaded the initial CMMC initiative. Serving as the Chief Information Security Officer for the Undersecretary of Defense for Acquisition and Sustainment at the DoD, Arrington stumped for the change in order to bring DoD contractors under a single set of regulations, or one umbrella, so to speak. During her time in the DoD, she indicated that too many contractors within the military supply chain were unprepared to repel foreign hackers.

“We need to level-set because a good portion of our defense industrial base doesn’t have robust cyber hygiene,” Arrington reportedly said. “Only 1 percent of DIB (Defense Industrial Base) companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale, where the vast majority of DIB partners can defend themselves from nation-state attacks.”

A change in the administration prompted a review of the CMMC regulations. The current administration decided to whittle down five CMMC levels to three. Now called CMMC 2.0, the mandate includes the following.

• Level 1: This “Foundational” level tasks organizations with developing and maintaining basic cyber hygiene. Level 1 typically applies to contractors and subcontractors handling Federal Contract Information (FCI). Some small businesses may be able to “self-assess” based on DoD guidelines and then report the findings. Although an audit conducted by an accredited CMMC Third Party Assessment Organization (C3PAO) may not be required, it’s crucial to enlist the help of a cybersecurity specialist to ensure compliance.
• Level 2: Wide-reaching companies that store, transmit or process CUI will need to document their cyber resiliency and CMMC 2.0 compliance scores. Considered “intermediate” cyber hygiene, Level 2 calls for implementing more than 100 NIST controls. Direct DoD contractors, as well as many subcontractors, need to have a CMMC audit conducted to gain certification.
• Level 3: Considered “expert-level” cybersecurity, the mandates are complicated and typically call for a CMMC expert firm to implement. Along with demonstrating a hardened attack surface and a culture of cybersecurity awareness, organizations are expected to have a steadfast written policy in place. Level 3 cybersecurity measures are designed to repel and respond to the most determined advanced persistent threats, bar none.

It’s important to understand that CMMC and version 2.0 are logical solutions to cybersecurity failures by defense contractors and peripheral organizations. A study supporting Arrington’s impassioned speeches noted that 9 out of 10 contractors did not achieve minimum cybersecurity thresholds. And only 13 percent of those polled posted a score of 70 percent or higher on their Supplier Performance Risk System assessment, leaving the U.S. vulnerable.

CMMC vs NIST 800-171: What are the Key Differences?

Without taking a deep dive into the intricacies of cybersecurity policies and cumbersome technical jargon, perhaps the best way to articulate the CMMC vs NIST 800-171 differences involves the word “maturity.” The CMMC 2.0 format is a type of progression. Organizations must implement basic cyber hygiene before moving on to the next level. In essence, the company’s cybersecurity bandwidth grows and matures into a defensive force.

Another CMMC vs. NIST 800-171 difference involves documented compliance and certification. Under the mish-mosh of NIST regulations, companies that performed self-assessments were not always asked to supply proof. Under the CMMC 2.0 model, self-assessments must be conducted within strict guidelines and scores transparently reported to a DoD database. This facet removes the gray area, and lack of cyber hygiene consistency, that allowed America’s adversary to piece together national security initiatives.

Lastly, CMMC Levels 2-3 usually call for an impartial third-party firm to evaluate and rate cybersecurity compliance.  A government-certified C3PAO can either be brought in to conduct a CMMC audit or prepare you in advance. Managed IT and expert C3PAO firms are not here to proctor a cyber resilience exam. The best firms work diligently with military contractors, researchers and suppliers, to develop a secure defense system and achieve CMMC compliance together.

The process usually involves determining the type of sensitive information your organization handles, knowing which CMMC level applies, identifying your system’s strengths and weaknesses and then closing any gaps. The goal is to help your operation mature its cybersecurity compliance score much higher than 70 on the DoD rating system.

Contact Red River to Start the CMMC Audit Process

The cybersecurity experts at Red River help businesses in the military industrial base meet the CMMC requirements. If you are concerned about CMMC deadlines or need clarification on your current cybersecurity defenses, call us today or fill out our online contact form. Let’s get the process started!