The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops technology, metrics and standards to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST provides standards and guidelines for the Federal Information Security Management Act (FISMA), which is a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
In 2015, the U.S. Department of Defense (DoD) published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) giving government contractors a deadline to implement the requirements of NIST Special Publication (SP) 800-171. Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI), which includes organizations that engineer, test, or manufacture products, whether directly or indirectly, must comply.
The NIST SP 800-171 requirements are based on best practices for a sound data security plan, organized into 14 categories (requirement families). Maintaining a plan that covers all 14 categories will keep a contractor in good standing. Once that initial baseline is achieved, the system can be continuously improved.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.
CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
CMMC Level 3 includes the 110 security requirements specified in NIST SP 800-171. The CMMC Model also incorporates additional practices and processes from other standards, references, and sources, such as NIST SP 800-53, the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 "Critical Security Controls for Effective Capability in Cyber Defense", and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Security and data protection requirements are continually evolving. Below, NAMC has provided useful links to assist with NIST SP 800-171 and CMMC compliance.
- National Archives Website discussing CUI Policy
- Executive Order Regarding CUI
- CUI Implementing Regulation
- Charter for the CUI Advisory Council
- Protecting CUI in Nonfederal Systems and Organizations
- Marking CUI Version 1.1
- DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS
- USD Memo RE: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented
- Under Secretary of Defense for Acquisition, Tech, and Logistics. Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System
- Industry article from "The Business of Federal Technology," "7 Steps for getting right with NIST 800-171" by Izak Bove