
March 30, 2021

NIST 800-171 has been making the rounds once again in IT news lately, largely thanks to the scoring system based entirely on NIST guidelines as outlined by a new DFARS rule. It’s important to note, however, that CMMC compliance will soon be just as important. If you work with CUI, you will soon need to achieve Cybersecurity Maturity Model Certification (CMMC) Level 3 as well as that all-important NIST score of 110. If that sounds like a tall order, that’s because it is. But the good news is, there’s a lot of overlap. Even better news is that we can help.

What does CMMC have to do with NIST?

Essentially, CMMC can be seen as an extension of NIST 800-171. This cybersecurity certification is built upon NIST 800-171 and seeks to make sure the appropriate levels of security are in place to help protect networks connected to the Department of Defense. As we’ve stated before, if you plan on working for the DoD with CUI — even as a contractor at any point in the supply chain — being NIST 800-171 compliant is currently a requirement.

One of the key differences is that, under the original NIST framework, organizations could self-attest that they were compliant, without needing any certification or actual proof. As a result, actual compliance was found to be lacking overall. Soon, therefore, an assessment by an accredited third party will be required to determine true cybersecurity “maturity” – hence the birth of CMMC. Fortunately, Rimstorm is now such a third party.

Is CMMC compliance the same as NIST compliance?

In short, no. Passing a CMMC assessment does not necessarily mean that you are compliant with NIST 800-171. CMMC primarily focuses on Controlled Unclassified Information (CUI) controls, whereas NIST 800-171 also includes Non-Federal Organization (NFO) controls. If this sounds confusing, you’re not alone in thinking so. The long and short of it is that you need to look closely at both standards — which can be understandably frustrating. In these precarious times, however, it’s imperative that you do. We’re here to make it a lot less frustrating for you.

Do we really need both CMMC and NIST?

Yes, you need to worry about both NIST and CMMC compliance. As far as the Department of Defense is concerned, yes. For DoD contractors working with CUI, NIST 800-171 compliance is mandatory. Soon, though, without a valid CMMC certification, a contractor can expect to be fully barred from winning and participating in a contract. This in turn will have a trickle-down effect that impacts third-party associations as well. Everyone dealing with CUI — including small organizations such as IT support providers and bookkeepers — will be affected. Anyone who has anything to do with your supply chain, such as component manufacturers, is hit with this. So yes, it’s an extremely big deal, not just for you, but for everyone involved with you. The DoD will be scrutinizing your NIST score just as heavily.

All of this may seem like overkill, but when you consider everything that’s taken place just a few months ago, it truly isn’t. Everyone must do their part to keep Americans safe from threat actors both at home and abroad. This responsibility falls on the shoulders of CEOs and employees alike.

In light of this, however, you’re certainly not expected to go it alone — and that’s the whole point. We’re all in this together, and Rimstorm is here to help you shoulder these responsibilities.