703-345-5833 info@rimstorm.com

What is the difference between NIST 800-171 and CMMC Level 3?

If you are a federal contractor who works – or hopes to work – with the U.S. Department of Defense (DOD), you likely fall under specific (and arduous) federal standards for cybersecurity practice maturity.

Any defense contractor who creates or has access to Controlled Unclassified Information (CUI) must comply with all applicable cybersecurity standards of the NIST (National Institute of Standards and Technology), FAR (Federal Acquisition Regulation), and DFARS (Defense Federal Acquisition Regulation Supplement) frameworks.

Although these standards frameworks are not new – and federal contractors have been obligated to comply with these standards all along – the DOD has implemented new protocols for measuring and evaluating contractors’ cybersecurity capabilities and readiness. These protocols are incorporated into the newly launched Cybersecurity Maturity Model Certification program CMMC).

To help defense contractors understand the CMMC program and its requirements, a deeper examination of how CMMC relates to NIST 800-171 standards.

Understanding NIST 800-171 Standards

NIST 800-171 refers to the National Institute of Standards and Technology’s published guidelines for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”

These standards were developed to help protect CUI while that data is being created, stored, processed or transmitted by non-federal organizations. NIST 800-171 contains 110 discrete controls standards for CUI as well as 63 controls that pertain to non-federal organizations (NFOs).

From NIST 800-17, the 110 CUI controls are incorporated into the CMMC standards.

Understanding CMMC Standards

In addition to the 110 NIST 800-17 CUI controls, CMMC requirements also incorporate various other federal cybersecurity standards.

Specifically, 15 FAR standards apply to all levels of CMMC compliance (although, under CMMC, those 15 standards have been reconfigured as 17 requirements). Level 1 CMMC certification requires compliance for only these 17 requirements. Level 2 certification has 72 requirements, incorporating 48 NIST 800-17 controls and 7 new requirements that were not previously mandatory to the 17 requirements of Level 1.

If you require Level 3 CMMC certification – as most DOD contractors do—you will have even more requirements with which to comply.

CMMC Level 3 Compliance & Certification

In addition to the 72 requirements for CMMC Level 2, you will have 58 more requirements, for a total of 130. The extra 58 requirements for Level 3 include 20 new requirements and all 110 of the NIST 800-17 standards.

As you can see, these requirements are as potentially onerous as they are confusing. Nevertheless, by 2025, all federal defense contractors must obtain formal CMMC Level 3 certification if they want to be eligible for government contracts that involve CUI.

To add to the already high level of confusion, achieving certified CMMC compliance does not automatically ensure your NIST 800-171 standards compliance (and vice versa.) Your firm must be fully compliant with both sets of standards. The bottom line is that, even though obtaining formal CMMC certification is now a time-critical necessity, you must ensure that you can also demonstrate NIST 800-171 compliance.

GovCon Enclave from Rimstorm provides a simple, affordable solution to obtaining and maintaining compliance with both sets of standards. As one of the few accredited CMMC Third-Party Assessor Organizations (C3PAOs) in the U.S., our experienced team of cybersecurity experts can get you on the road to your CMMC Level 3 certification – quickly and affordably.

Contact us now to learn more about NIST 800-171 vs. CMMC, and how these standards can affect your federal contracting firm.