Cybersecurity

NIST 800-171

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics and standards to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST provides standards and guidelines for the Federal Information Security Management Act (FISMA), which is a comprehensive framework to protect government information, operations and assets against natural or man-made threats.

In 2015, the U. S. Department of Defense (DoD) published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) giving government contractors a deadline to implement the requirements of the NIST Special Publication (SP) 800-171. Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI), which includes engineers, tests, and manufactures products directly or indirectly must comply.

The NIST 800-171 standards are based on best practices for a good data security plan, outlined into 14 categories. Maintaining a plan to cover the 14 categories will keep a contractor in good standing. Once that initial base line is achieved, a system can be continuously improved.

Access Control
Media Protection
Awareness and training
Personnel Security
Audit and Accountability
Physical Protection
Configuration Management
Risk Assessment
Identification and Authentication
Security Assessment
Incident Response
Systems and Communications Protection
Maintenance
System and Information Integrity

CMMC

DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.

CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

For more information on CMMC, please click the button below.

OSD CMMC Website

Security and data protection are ever evolving.

Below, NAMC has provided useful links to assist with NIST SP 800-171 and CMMC compliance.