By: Cory Larson
CMMC, NIST 800-171, & DFARs
Greetings! This is Cory Larson, and I am an Automation & Cybersecurity consultant at WMEP. I wanted to write a quick clarification on DoD Contracts, NIST 800-171, and CMMC. There is a lot of confusion surrounding this topic and I thought I would answer some of the most common questions.
What regulations do I need to follow?
Well, that depends…Do you have a DFARs clause in your contract? Are you handling Controlled Unclassified Information (CUI), ITAR, FCI? If so, you need to follow the NIST 800-171 standard.
Wait, don’t I need to be in compliance with CMMC?
CMMC is a new compliance framework that is coming; however, it will only be included in 15 contracts in 2021, and those will be provisional assessments. It is highly unlikely that you would need CMMC compliance and be unaware of it.
CMMC compliance will continue to be included in more contracts over the next 5 years and be included in all DoD contracts by Fiscal Year 2026.
What is CMMC and how is it different than NIST 800-171?
CMMC is the Cybersecurity Maturity Model Certification. CMMC incorporates controls from the NIST 800-171 standard and has some additional controls added to it. One large difference between the two frameworks, is the certification method. You can self-attest to the NIST 800-171 standard. CMMC compliance requires an audit performed by a CMMC Certified 3rd Party Assessor.
How do I get in compliance?
The NIST 800-171 requires that you have a System Security Plan (SSP), Plan of Action & Milestones (POAM), and submitted a score to the Supplier Performance Risk System (SPRS). Achieving NIST 800-171 will help in the future to achieve CMMC compliance since many of the controls are present in both certification frameworks.
If you have more questions, seek more clarity or would like help getting compliance, contact me today for a free, no obligation, initial consultation.