Page 188 - Cyber Defense eMagazine Annual RSA Edition for 2024
with robust defenses against cyber threats. Once CMMC 2.0 is formally published and released, it will serve as the mandated framework for private contractors seeking government contracts.
What sets CMMC apart is its comprehensive approach, which goes beyond mere regulatory compliance. It incorporates not only NIST SP 800-171, NIST SP 800-172, and the CSF (Cybersecurity Framework) but also integrates industry-leading practices. CMMC facilitates the assessment of a business's cybersecurity program, ensuring the effective implementation of critical controls while safeguarding the integrity of the supply chain.
CMMC 2.0 compliance certification includes three distinct levels:
• Level 1 is Foundational. Designed for companies that handle Federal Contract Information (FCI) but do not handle Controlled Unclassified Information (CUI).
• Level 2 is Advanced. This level is for any company that stores, processes, or transmits CUI, whether in electronic or paper form. It is essentially the same as the NIST SP 800-171 requirements.
• Level 3 is Expert. This level includes highly advanced cybersecurity practices.
When it appears in government-awarded contracts in the future, it will be referred to as DFARS 242.204-7021.
What is NIST SP 800-171?
NIST SP 800-171 is short for National Institute of Standards and Technology Special Publication 800-171.
Complying with NIST 800-171 is a requirement for all DoD primes, contractors, or anyone in their downstream supply chain of service providers. Not complying with NIST 800-171 doesn’t just mean you’re practicing poor cybersecurity methods; it also means you’re not keeping up with your competitors. Some of your customers may have already asked whether or not you are compliant, and if they haven’t – they will.
NIST 800-171 outlines security standards for non-federal organizations that transmit, process, or store CUI as part of their working relationships with federal agencies. It also outlines five core cybersecurity areas: identify, protect, detect, respond, and recover. These core areas serve as a framework for developing an information security program that protects CUI and mitigates cyber risks.
NIST 800-171 consists of 110 separate security controls corresponding to 14 different control families. Within the 110 security controls, there are 320 control or assessment objectives that must be met to be considered compliant. NIST 800-171 is a contractual requirement to protect and safeguard CUI for the DoD, the General Services Administration (GSA), and/or the National Aeronautics and Space Administration (NASA).
Your score for the NIST 800-171 Self-Assessment is based on a 110-point scale. Each of the 110 controls is assigned a weighted subtractor value of either 1, 3, or 5 points. If you’ve implemented a control, you get that number of points. If not, those points are subtracted from the 110 points. Your score can range