The U.S. Department of Defense (DoD) faces increasingly complex cybersecurity threats that endanger not only the defense industrial base (DIB) but also the security of the entire nation, as well as its allies and partners. To enhance its cybersecurity posture, the DoD migrated away from NIST SP 800-171 to a new set of cybersecurity standards called the Cybersecurity Maturity Model Certification (CMMC).
At first glance, CMMC might appear to be an updated version of the NIST SP 800-171 standards. Like CMMC, NIST SP 800-171 aimed to enhance the cybersecurity posture of the DIB and its approximately 300,000 contractors. Although CMMC 2.0 has since replaced it, understanding the foundational aspects of CMMC 1.0 remains valuable.
This article delves into:
- What NIST and CMMC are.
- How the two differ.
- Insights into how CMMC began.
What Is NIST SP 800-171?
Since January 1, 2018, DoD contractors have been required to comply with the NIST SP 800-171 standards to protect Controlled Unclassified Information (CUI).
The National Archives and Records Administration (NARA) defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”
After NIST SP 800-171 took effect, the compliance rate across the DIB remained very low. In fact, less than 1% of contractors adopted all 110 requirements recommended in NIST SP 800-171 to ensure the confidentiality of CUI.
To address this issue, the Office of the Under Secretary of Defense for Acquisition and Sustainment took it upon itself to come up with a more flexible alternative to NIST SP 800-171, one that would move away from the one-size-fits-all approach and ensure that all DoD contractors possess the necessary cybersecurity defenses to protect CUI.
What is CMMC?
The first version of the Cybersecurity Maturity Model Certification, CMMC Model version 1.0, was released by the DoD on January 31, 2020. It brought together many older cybersecurity requirements and introduced a verification mechanism to fix the systemic issue of non-compliance.
Despite being derived largely from the NIST SP 800-171 standards, CMMC 1.0 differed from them in several key areas:
- Contractors were required to be certified to one of five levels by a third-party assessor, the so-called Certified 3rd Party Assessment Organization (C3PAO). While contractors were encouraged to complete a self-assessment before scheduling a CMMC certification, they could not self-certify.
- Instead of requiring all DoD contractors to implement the same cybersecurity defenses, CMMC 1.0 defined five certification levels, allowing each contractor to decide which level it wanted to certify to. The five certification levels were cumulative, so any contractor that achieved compliance with, say, Level 3 automatically complied with Level 2 and Level 1 as well.
Overview of the Five CMMC 1.0 Levels
- CMMC Level 1: Focused on basic cybersecurity requirements, such as the use of strong passwords. This level covered approximately 15% of the NIST SP 800-171 CUI controls. Most DoD contractors were able to certify to this level without any issues.
- CMMC Level 2: Covered more than half of the NIST SP 800-171 CUI controls. It was described as a transition step toward Level 3.
- CMMC Level 3: Covered all 110 NIST SP 800-171 CUI controls. Contractors certifying to this level had to be able to demonstrate good cyber hygiene.
- CMMC Level 4: The level at which cybersecurity practices shifted from passive to proactive in order to address the danger posed by advanced persistent threats (APTs).
- CMMC Level 5: The highest CMMC 1.0 level, which included highly advanced cybersecurity practices and standards that only select contractors were expected to meet.
CMMC 2.0 Support
Today, contractors have only three CMMC levels to worry about, and most will not need to go beyond CMMC Level 2 for their cybersecurity requirements. That is good news, because it is possible to achieve compliance with Level 2 without employing a full-time security person.
Instead, contractors can partner with a managed service provider (MSP) to implement the cybersecurity defenses that meet regulatory requirements and protect CUI from unintended disclosure. By leveraging an MSP, contractors can cost-effectively ensure robust security measures are in place while focusing on their core business operations.
Contact Teal for more information on how we can help you with your Cybersecurity Maturity Model Certification.