
Using NIST 800-171 to Prepare for CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) program was first introduced in early 2020 as a way to enhance the cyber defenses of companies that are part of the defense industrial base (DIB) sector. While the goal of CMMC remains the same, its structure has undergone significant changes in the past couple of years, most notably the replacement of the original model with CMMC 2.0 toward the end of last year.

The Department of Defense (DoD) estimates that CMMC 2.0 won’t be finalized (and thus become a contractual requirement) until sometime between August 2022 and November 2023. However, now is the time to lay the groundwork if you are a DIB contractor or subcontractor that wants to take the most efficient path to certification once it is released.  

The best way to prepare is to ensure compliance with NIST 800-171 since CMMC 2.0 is largely influenced by this special publication’s requirements.  

Follow the DoD Assessment Methodology for NIST 800-171  

If your organization processes Controlled Unclassified Information (CUI) and is currently doing business with the DoD, you are already required to implement NIST 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. Three additional clauses, collectively known as the DFARS Interim Rule, also require you to perform the following actions:   

  1. Perform a cybersecurity self-assessment according to the DoD Assessment Methodology, a scoring system that allows the DoD to assess a contractor’s implementation of NIST 800-171.  
  2. Submit your score and additional information (system security plan name, description of plan architecture, etc.) through the Supplier Performance Risk System (SPRS).

Carefully conducting this self-assessment and performing the necessary remediations will give you a good idea of how you will be assessed for CMMC certification. CMMC 2.0 Level 2, the level at which most DIB organizations will be required to certify, essentially mirrors NIST 800-171.

How Does the Assessment Methodology Work?  

The self-assessment, also known as the “Basic Assessment,” is based on a review of your organization’s System Security Plan (SSP) regarding the covered information system(s). Each element of your organization that is covered by a commercial and government entity (CAGE) code must be tied to the SSP, which is a blueprint of your cybersecurity program.  

To follow the DoD Assessment Methodology, you will score the self-assessment of your SSP on a 110-point scale (with a 110 being a perfect score, indicating that all 110 controls of NIST 800-171 have been successfully implemented). For each control assessed, a statement must be provided in a Security Assessment Report (SAR), a companion document to your SSP. The statement for each control follows one of the options below, depending on whether the requirement has been implemented:

  • If “yes,” a statement must be provided explaining how the requirement has been implemented.  
  • If “no,” a statement must be provided explaining why the requirement has not been met, and a Plan of Action & Milestones (POA&M) must be created that describes how and when the control will be met.
  • If “partially,” a statement must be provided explaining why the requirement is partially met, plus an additional statement in the POA&M describing how and when it will be fully met.  
  • If “does not apply,” a statement must be provided explaining why the requirement does not apply to your environment.  
  • If “alternative approach,” a statement must be provided describing your alternative approach and why it is equally effective, as well as how you implemented the requirement.  

The DoD Assessment Methodology uses weighted scoring rules for controls that are not implemented. Since some controls are worth more than one point, a negative score is possible. Once you have calculated your score, you will report it through the SPRS, a portal and database the DoD uses to monitor supplier and product performance information (PI) assessments.  
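As an added illustration (not taken from the DoD methodology documents or from this article's author), the sketch below tallies a Basic Assessment score from SAR answers and flags missing statements or POA&M entries. The requirement IDs and per-requirement weights are constructed sample data, and treating “partially” as a full deduction is an assumption.

```python
from dataclasses import dataclass

MAX_SCORE = 110                       # perfect score: all 110 controls implemented
NEEDS_POAM = {"no", "partially"}      # answers that require a POA&M entry
NO_DEDUCTION = {"yes", "does not apply", "alternative approach"}

@dataclass
class Finding:
    control: str          # placeholder ID, not a real NIST 800-171 identifier
    answer: str           # one of the five answer options listed above
    weight: int           # points deducted if not implemented (constructed)
    statement: str = ""   # SAR statement for this control
    poam: str = ""        # POA&M entry: how and when the control will be met

def assess(findings):
    """Return (score, problems) for a list of SAR findings."""
    score, problems = MAX_SCORE, []
    for f in findings:
        if f.answer not in NEEDS_POAM | NO_DEDUCTION:
            problems.append(f"{f.control}: unknown answer {f.answer!r}")
            continue
        if not f.statement.strip():
            problems.append(f"{f.control}: missing SAR statement")
        if f.answer in NEEDS_POAM:
            score -= f.weight         # assumption: no partial credit
            if not f.poam.strip():
                problems.append(f"{f.control}: missing POA&M entry")
    return score, problems

def sample_findings():
    """Constructed SAR with 110 placeholder requirements."""
    rows = []
    for i in range(1, 111):
        f = Finding(f"REQ-{i:03d}", "yes", 1, "Implemented; see SSP.")
        if i <= 25:       # unimplemented high-weight items, each with a plan
            f = Finding(f.control, "no", 5, "Not yet deployed.", "Deploy by Q3.")
        elif i == 26:     # partially met, POA&M entry forgotten
            f = Finding(f.control, "partially", 3, "Covers servers only.")
        elif i == 27:     # marked not applicable with no justification
            f = Finding(f.control, "does not apply", 1)
        rows.append(f)
    return rows

if __name__ == "__main__":
    score, problems = assess(sample_findings())
    print("Score to report:", score)
    print("\n".join(problems))
```

With this sample, 25 unimplemented five-point items plus one three-point item push the total below zero, which is the negative-score case described above.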

If your organization is short of the 110 perfect score, you will also submit your POA&M along with the date you forecast it will be fully executed. Note that under CMMC 2.0, the DoD will allow companies to receive contract awards with a POA&M in place. Per the CMMC implementation overview:  

“The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.”

For many organizations, this is a significant and welcome change, as the original CMMC program did not allow for POA&Ms.  

Study the DoD Assessment Guides for CMMC 2.0  

In addition to following the DoD Assessment Methodology for NIST 800-171, I highly recommend that you study the official assessment guides for CMMC. Toward the end of last year, the DoD published two comprehensive guides that explain how contractors will have their networks inspected when CMMC is launched and organizations are pursuing certification. These assessment guides are formatted similarly to NIST 800-171A.

  • The guide for Level 1 details how to assess against the 17 controls associated with this Foundational level. The requirements for Level 1 are primarily the same as they were under CMMC 1.0, except organizations are now able to self-assess.  
  • The guide for Level 2 details how to assess against the 110 controls associated with this Advanced level (same controls as NIST 800-171). While most contracts that include Level 2 will require certification from a CMMC Third Party Assessment Organization (C3PAO), the DoD has noted certain programs that “do not involve information critical to national security” will accept self-assessments.  
  • The guide for Level 3 is still under development. Only organizations working on the DoD’s most sensitive programs will be expected to achieve Level 3 certification.   

It would also be wise to examine the scoping guidance documents for Levels 1 and 2 of CMMC 2.0. These reference materials are quite concise and will help your organization identify in-scope assets. Scoping guidance for Level 1 explains that only assets that process, transmit, or store Federal Contract Information are considered in scope (these organizations do not handle CUI). Scoping guidance for Level 2 defines the following four categories of assets as in scope:

  • CUI assets which “process, store, or transmit CUI.”  
  • Security protection assets which “provide security functions or capabilities within the contractor’s CMMC Assessment Scope.” This includes things like consultants, cloud-based security tools, etc. that may not deal with CUI directly but are still used to meet CMMC requirements.  
  • Contractor risk managed assets which “are capable of, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.” These assets must be inventoried, documented in the SSP, and included in system diagrams.  
  • Specialized assets which must also be inventoried, documented in the SSP, and included in system diagrams. These include: 
    • Government property  
    • Internet of things (IoT) or industrial internet of things (IIoT) devices  
    • Operational technology  
    • Restricted information systems  
    • Test equipment   

Position Your Business for CMMC Success  

While it’s true that the CMMC program has been notoriously delayed and it could take up to another year and a half to be finalized, don’t let this lull you into a false sense of security that you have plenty of time to get ready for certification. The DIB organizations that are actively striving toward an SPRS score of 110 will be well positioned to bid on contracts (or be contracted by prime contractors) once the program is officially launched. Those that are not putting in the effort to prepare will likely find a long wait for assistance that can hurt their bottom line.

To best position your business for CMMC success, I recommend taking the time now to become NIST 800-171 compliant; your organization will then have completed 90% of the process of becoming CMMC 2.0 certified upon launch. The benefits of earning NIST 800-171 compliance ahead of CMMC are as follows:

  • Take the time to spread out the resources and cost required rather than undergoing a crash-course to get CMMC ready.  
  • Avoid going through the assessment process alongside the many other companies that will be scrambling to become CMMC 2.0 certified upon launch. 
  • There will be a limited number of CMMC C3PAOs available and hundreds of companies that will need to be certified. By earning NIST 800-171 compliance, you’ll have completed 90% of the process of becoming CMMC certified, making the assessment much easier and faster.
  • If you’re backlogged with the many others trying to complete CMMC, you and your customers will have the peace of mind knowing you are NIST 800-171 compliant. 

Next Steps  

Looking for CMMC guidance that is custom-tailored to your business? You’re in the right place. As one of the first candidate C3PAOs and a top assessor of federal compliance, A-LIGN can perform a CMMC Readiness Assessment by evaluating your organization’s security policies, procedures, and processes against the controls published in NIST 800-171.