Transitioning Cybersecurity Compliance from NIST 800-171

July 20, 2021

By Jason Connotillo

Are you a National Institute of Standards and Technology (“NIST”) 800-171 compliant enterprise handling controlled unclassified information? Do you know that self-attested NIST 800-171 compliance is being phased out? The Cybersecurity Maturity Model Certification (“CMMC”) will soon supersede the existing NIST 800-171 self-assessment regime for Department of Defense contractors. The NIST requirements themselves do not go away; CMMC absorbs them and adds third-party verification, which means major security compliance changes are forthcoming.

If your enterprise does not have a clear plan for realigning with CMMC, you risk losing the ability to win new government contracts and to keep the ones you have. This will have serious consequences for the future growth of your enterprise.

How can you become CMMC compliant as quickly as is practical? Read on to learn how to make the adjustments needed to ensure a continued ability to bid on and win government contracts.

What Is NIST 800-171?

NIST is a non-regulatory U.S. government agency; its standards become mandatory when a regulation or a contract clause requires them. For instance, if your enterprise handles controlled unclassified information under a contract with the Department of Defense (“DoD”) or one of its contractors, that contract requires you to be NIST 800-171 compliant. To date, that compliance has been self-attested by the contractor, with no third-party verification.

NIST 800-171 compliance is a great starting point for an enterprise looking to put its cybersecurity program on a sound footing. It offers a framework for organizing the approach to security in a strategic, step-by-step way.

NIST Special Publication 800-171 specifies the requirements for protecting controlled unclassified information (“CUI”) on nonfederal systems, which the DoD requires its contractors to safeguard. It has been revised several times since its initial release in 2015 (Revision 2 is current as of this writing). With the new CMMC requirements, though, a much bigger change is on the way.

CMMC Compliance: What You Need to Know

CMMC is the newest cybersecurity framework for enterprises that work with the DoD. A great deal of our economy has moved online over the past year, increasing the need for stronger cybersecurity. If you store, process, or transmit CUI, CMMC compliance will be mandatory once the clause appears in your contract, and protecting CUI requires a Level 3 certification; Level 2 is only a transitional step toward it.

While NIST 800-171 relies on self-assessment, CMMC requires an assessment by an accredited third party to verify compliance. CMMC defines five levels, each corresponding to the degree of risk exposure the DoD assigns to the information a supplier handles. Learning more about these levels will help you align with the right one for your enterprise.

CMMC Compliance Levels

Each of the five levels of CMMC compliance has its own set of processes and practices:

  • In Level 1, processes must be performed and the enterprise must practice basic cyber hygiene.
  • In Level 2, processes must be documented and the enterprise must practice intermediate cyber hygiene.
  • In Level 3, processes must be managed and the enterprise must practice good cyber hygiene.
  • In Level 4, processes must be reviewed and the enterprise must practice proactive cyber hygiene.
  • In Level 5, processes must be optimized and the enterprise must practice advanced and progressive cyber hygiene.

Each ascending level requires compliance with the levels that come before it. In other words, an enterprise must maintain the standards of Level 2 if it wants to progress to Level 3, and so on. Level 1 concerns federal contract information (“FCI”). Level 2 begins the transition toward protecting CUI. Level 3 develops this protection in earnest. Levels 4 and 5 take additional steps to reduce the risk from Advanced Persistent Threats (“APTs”), that is, sustained and well-resourced intrusion campaigns typically run by nation-states or organized criminal groups.

Beginning Your Transition to CMMC

It helps to familiarize yourself with the practices of each level of CMMC certification. Level 3 contains 130 practices, which include all 110 security requirements of NIST 800-171 plus 20 additional practices. Each level adds to the levels that came before it. In other words, Level 1's 17 practices combine with 55 new practices to reach Level 2's 72 cyber hygiene practices.

If your business is already NIST compliant, a Level 3 CMMC certification may be a reasonable goal for which to aim. This is a much more attainable goal than Levels 4 and 5.

Start Your Certification Assessment

Begin preparing by assessing the 17 practices outlined at Level 1. Level 1 does not ask you to document your practices, but you can get ahead by starting to practice your documentation workflows on Level 1. Then, when it is time to write up all 72 practices in Level 2, you'll have some experience.

To create a roadmap for your enterprise, start from the DoD's published CMMC model documentation, which maps each CMMC practice back to its source, including the NIST 800-171 requirements. Map every NIST 800-171 requirement to its CMMC practice first; what remains is the list of practices that are genuinely new to you, and that approach gives the simplest transition possible. For the detailed description of each practice you've outlined, consult the CMMC model appendix.

Beginning Your Documentation

Begin your CMMC compliance journey by compiling and reviewing your security policies. CMMC itself calls a policy a "high-level expectation for planning and performing." A policy defines the purpose, scope, roles and responsibilities, and guidelines for a cybersecurity practice; the step-by-step procedures that implement it are usually documented separately and referenced from the policy. Senior management should review and approve each policy. By developing a good procedure for documenting the practices at Level 1, you will be well prepared for the challenges of Level 2, where you must document all 72 practices: the 55 new ones as well as the 17 from Level 1.

Level Two Requires an SSP

A system security plan (“SSP”) describes an enterprise's “information system”: its boundary and components, stakeholders, the security requirements that apply to it, and how each requirement is implemented. If you are already NIST 800-171 compliant you should have one, since requirement 3.12.4 calls for developing, documenting, and periodically updating an SSP. NIST publishes a CUI SSP template alongside SP 800-171, and the FedRAMP website offers SSP templates that, although written for cloud services, are a useful model for structure.

Reaching NIST 800-171 Compliance

By reaching Level 3 CMMC compliance, your enterprise will also be fully NIST 800-171 compliant. Remember, any enterprise that creates, possesses, or handles CUI must maintain Level 3. There are 58 new practices from Level 2 to Level 3, and by now you should have the skills to document them well. As mentioned, Level 3 is a realistic goal: most of its requirements are the NIST 800-171 requirements you already meet, so moving from NIST 800-171 to CMMC is far less arduous than starting from scratch. One caveat: under the current DFARS clause a contractor could self-attest while still carrying open plan-of-action items, but CMMC certification requires every practice at the target level to be fully implemented at the time of the assessment, so close out any open items before you schedule it.

Level Three Requires a Managed Plan

Level 3 of CMMC compliance requires managed processes for good cyber hygiene. To keep your security program healthy, your SSP must grow with it: you will need to write down how you plan to maintain the new security processes over time. These managed plans can be appended to pre-existing documentation or created as standalone documents. Either way, each must include a mission statement and a project plan that records the resources, activities, timelines, and strategic goals specific to your enterprise.

APTs and Levels Four and Five

CMMC Levels 4 and 5 are built to protect enterprises from the aforementioned APTs. In Level 4, you'll need to implement 26 new practices. In addition, Level 4 adds a review process to the managed plan: your security program must now hold regular sessions in which its successes and failures are examined and its effectiveness is measured.

Reviews should be both scheduled (monthly, quarterly, yearly) and event-driven (triggered by events such as a contract award, the hiring of a new senior manager, or the launch of a new initiative). Each review should record suggested improvements, schedules for reaching given milestones, and a risk assessment for any new activities the enterprise may undertake.

For Level 5, enterprises must standardize and optimize their processes across the organization, which requires sustained focus and prolonged work. Thankfully, this is not likely to be a requirement for small and medium-sized enterprises.

When Is the Deadline For Compliance?

While CMMC requirements began appearing in selected contracts in 2021, the deadline for CMMC certification is still several years away. Enterprises will not need to be certified until the clause appears in their own contracts, and the phased rollout is expected to run through 2025. This matters because CMMC compliance can be costly, time consuming, and challenging. You may want to consider hiring an advisor to assist with the process.

Beginning Your Journey into CMMC Compliance

Though CMMC is replacing self-assessed NIST 800-171 compliance as the default cybersecurity requirement for DoD contractors, the NIST guidelines are still the right place to start. By making sure your enterprise meets the existing NIST 800-171 requirements, you will be well on your way to clearing Level 3 CMMC compliance and to a straightforward transition to the new DoD requirements.

Upgrading your enterprise security is no easy task, but with thoughtful preparation it is achievable. Remember to document your processes thoroughly, and start with the practices most similar to NIST 800-171.

Hopefully, this article has proven a helpful resource for addressing the security of your data. Security is one of the most important domains to consider as a DoD contractor. If you have additional questions or concerns, please visit our contact page.

About Jason Connotillo

Jason Connotillo is a Director within EisnerAmper Digital and leads financial, operations and information technology improvement programs.