CMMC vs NIST 800-171

By John Gates

April 5th, 2024

January 2020 is when the Department of Defense (DoD) released the Cyber Maturity Model Certification (CMMC) framework, aimed at evaluating and strengthening the cybersecurity readiness of the Defense Industrial Base (DIB). As per the DoD’s directive, all prime contractors and subcontractors within the supply chain must undergo auditing and certification under the CMMC framework. This necessitates specific adaptations by the companies within the supply chain, yet serves to fortify the DoD against potential cyber threats, thereby mitigating future losses resulting from breaches.

The National Institute of Standards and Technology (NIST) created the NIST Special Publication 800-171 (NIST 800-171). NIST is a non-regulatory agency of the United States Department of Commerce that develops and issues guidelines, standards, and best practices to enhance the security and resilience of information systems and infrastructure across various sectors. NIST 800-171 specifically focuses on safeguarding Controlled Unclassified Information (CUI) in non-federal systems and organizations.

CMMC Model Structure

CMMC underwent a significant change from its original version of 5 levels to 3 levels in November 2021. CMMC 2.0 is a revised program framework and criteria aimed at fulfilling the core objectives of the internal review:

Safeguarding sensitive information to empower and safeguard the warfighter.
Enforcing cybersecurity standards within the Defense Industrial Base (DIB) to address evolving threats.
Ensuring accountability while reducing obstacles to compliance with Department of Defense (DoD) regulations.
Fostering a cooperative environment of cybersecurity and cyber resilience.
Upholding public trust through adherence to high professional and ethical standards.

The major adjustments to the original CMMC Model include:

Revising the Levels, reducing Level 5 to Level 3. Level 1 remained unchanged, while the new Level 2 aligned with the former Level 3, and the new Level 3 mirrored the previous Level 5.
Eliminating the prohibition on Plans of Action and Milestones (POAMs) for Level 1 and certain Level 2 requirements.
Transforming Level 1 into a self-attestation process for contractor organizations, replacing the initial mandate of third-party assessment by designated assessment entities.
Adapting the less critical controls in Level 2 to also be self-attested by contractor organizations.

CMMC vs NIST 800-171

The primary distinction between CMMC vs NIST 800-171 lies in their respective roles: NIST 800-171 serves is a set of guidelines established by the National Institute of Standards and Technology (NIST) to help businesses protect their systems and data, whereas CMMC (Cybersecurity Maturity Model Certification) is a certification program developed by the DoD that improves cybersecurity for contractors and outlines the pathway to achieving compliance with NIST.

3 CMMC Levels

Level 1:

Foundational Cyber Hygiene Standard: At this level, organizations must establish fundamental cybersecurity measures commonly adopted by businesses. To attain Level 1 status, companies are required to enforce 17 controls outlined in NIST SP 800-171 Rev2.

Level 2:

Advanced Cyber Hygiene Standard: This level necessitates the implementation of all 110 controls specified in NIST SP 800-171 Rev2 to attain certification at Level 2.

Level 3:

Expert Practice: At this stage, companies must demonstrate the execution, evaluation, and maintenance of advanced cybersecurity procedures across their operations. In addition to implementing all controls from NIST 800-171, organizations are required to incorporate an additional subset of controls from NIST 800-172.

Which level of CMMC is most closely aligned with NIST 800-171?

CMMC Level 2 closely aligns with NIST 800-171 because it incorporates its foundational security requirements while adding further measures to enhance cybersecurity maturity, making it a logical progression for organizations seeking to meet both standards.

CMMC Level 2 also builds upon the foundational security requirements outlined in NIST 800-171. NIST 800-171 provides a set of security controls and guidelines aimed at protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. CMMC Level 2, on the other hand, requires implementing practices from NIST 800-171 and adds additional security measures to enhance cybersecurity maturity.

Summit 7 provides a very informative video about NIST SP 800-171 Updates:

CMMC Level 2 encompasses practices that directly correspond to the security controls specified in NIST 800-171. These practices include measures related to access control, awareness and training, incident response, configuration management, and other aspects of cybersecurity outlined in NIST 800-171. Therefore, achieving compliance with CMMC Level 2 essentially means adhering to the requirements of NIST 800-171 while also demonstrating a certain level of maturity in implementing these controls.

DFARS & NIST 800-171

DFARS along with NIST 800-171 are essential compliance standards for most government contracts. To meet DFARS requirements, it’s necessary to adhere to all 110 controls outlined in NIST 800-171. While DFARS doesn’t cover CMMC, a new clause is in progress specifically for this purpose.

CMMC Implementation Timeline

The Department of Defense (DoD) is still working on when exactly they’ll start using CMMC 2.0 in their contracts, but they’ve given some guidance. It’s expected to start appearing in contracts by the end of 2024 or early 2025. The DoD has already begun including CMMC requirements in some contract evaluations, like requests for information (RFIs) and proposals (RFPs). This means that meeting CMMC standards is now part of what the DoD looks at when deciding who gets certain contracts.

Contractors who do not meet applicable CMMC requirements could miss out on the opportunity to compete for new contracts or could have their existing DoD contracts end after option periods are not exercised.

In terms of CMMC compliance, CalCom Hardening Suite (CHS) primary function is to decrease operational expenses while mitigating the risk of production interruptions by directly showcasing the impact of security baseline adjustments on the production environment. CHS eliminates the necessity of testing changes in a lab environment prior to their implementation in production.

Key Advantages:

Implement security policies seamlessly without disrupting the production environment.
Decrease expenses and resource allocation necessary for secure configuration implementation and compliance posture.
Oversee the entire infrastructure hardening process through a centralized control point.
Prevent configuration drifts and the need for recurrent hardening procedures.

If you're interested in learning how to be more competitive and not miss out on a DoD contact, Get in Touch.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

CMMC vs NIST 800-171

CMMC Model Structure

CMMC vs NIST 800-171

3 CMMC Levels

Level 1:

Level 2:

Level 3:

Which level of CMMC is most closely aligned with NIST 800-171?

DFARS & NIST 800-171

CMMC Implementation Timeline

Subscribe to Email Updates

You might be interested

Experience a personalized demo

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 14 hours	No description
drift_campaign_refresh	30 minutes	No description
fpestid	1 year	No description
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.