What is CMMC 2.0 and NIST 800-171?

In response to increasing cyber threats, the US Government added the CMMC framework to the DFARS in 2020 and updated it to CMMC 2.0 in 2021. In 2022, the Securing American Cybersecurity Act (SACA) was introduced.


Starting in 2024, DoD contractors must be compliant with CMMC 2.0 / NIST 800-171r2. Now their suppliers must be too.


What is CMMC 2.0 compliance?

CMMC 2.0 compliance is an ongoing practice that businesses need to allocate time and resources to. Compliance is determined by the NIST 800-171r2 Assessment. This assessment audits 14 domains of cybersecurity that encompass 110 individual controls within the framework. Policies and governance for each control must be clearly documented. Businesses need to curate an adequate body of qualified evidence on an ongoing basis to prove ongoing compliance.


How can I tell if the CMMC 2.0 / NIST 800-171r2 standard applies to my business?

· Do you directly hold contracts with the Federal government?

· Do YOUR customers sell directly to the government?

· Does your organization receive research funding from the government?


If you said "Yes" to any of the above, you need to be CMMC 2.0 compliant.


What does Compliance mean to my business?

You must assess your cybersecurity posture annually. CMMC 2.0 requires using the NIST SP 800-171r2 Assessment Methodology. Assessment scores must be uploaded to the Supplier Performance Risk System (SPRS). Failure to do so will disqualify businesses from new or renewed contracts.


Do suppliers need to be CMMC Compliant?

SACA effectively broadens the reach of the Government's risk management by requiring contract holders to exclusively work with CMMC 2.0 / NIST 800-171r2 compliant contractors. Your customers that sell to the government will require proof of compliance in 2024.


Doesn’t my Cybersecurity Provider take care of “all of this?”

Outsourcing your cybersecurity does not make you compliant with CMMC 2.0. Cybersecurity providers offer a valuable service, but they cannot take ownership of your business's policies, governance, and remediation controls as required by the framework. Finally, it is best practice to hire an impartial third party to review your cybersecurity posture and governance requirements.


What is a NIST 800-171 Assessment?

Businesses are required to rate themselves based on the implementation of each of the 110 NIST 800-171r2 cybersecurity controls. These assessments must be completed on an annual basis for ongoing compliance and reporting. We recommend enlisting the help of a professional whose assessment methodology and standards will be in line with an auditor's.


How does NIST 800-171r2 Scoring work?

Scores range from 110 for a perfect score down to -203. Points are subtracted for each control that is not implemented. No credit is given for partially implemented controls, apart from Multifactor Authentication (MFA) and FIPS-validated encryption. The point value of each control is based on the level of impact it has.


What happens if I have a bad NIST score?

Businesses that do not score a perfect 110 are required to submit a formal Plan of Action and Milestones (PoAM) that details how the business is taking action to implement each of the missing or unsatisfactory controls. Businesses will need to update their PoAMs every year until perfect scores are achieved and maintained.
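To make the scoring and PoAM rules from the two sections above concrete, here is an added example scorer; it is not part of the original page and not a tool from any assessment body. It assumes each control carries a point value that is subtracted in full when the control is not implemented, and that the two partial-credit exceptions the page names (MFA, control 3.5.3, and FIPS-validated encryption, control 3.13.11) subtract a reduced amount instead. The reduced deduction of 3 points and the per-control point values in the sample are assumptions for illustration; the sample assessment itself is constructed, with every control not listed treated as implemented.

```python
"""Added example: NIST SP 800-171r2 self-assessment scoring with the
partial-credit exceptions and the resulting PoAM list (not page code)."""
from dataclasses import dataclass

PERFECT_SCORE = 110      # all 110 controls implemented
MINIMUM_SCORE = -203     # stated on the page: floor when nothing is implemented

# The only two controls the page says can receive partial credit.
# These control identifiers are the real NIST SP 800-171 numbers.
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}  # MFA, FIPS-validated crypto
PARTIAL_DEDUCTION = 3    # assumption: reduced deduction for those two controls


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    points: int          # impact-based value of the control (assumed here)
    status: str          # "implemented", "partial" or "not_implemented"


def deduction(result: ControlResult) -> int:
    """Points lost for one control under the page's stated rules."""
    if result.status == "implemented":
        return 0
    if result.status == "not_implemented":
        return result.points
    if result.status == "partial":
        if result.control_id in PARTIAL_CREDIT_CONTROLS:
            return PARTIAL_DEDUCTION
        return result.points  # no credit for any other partial control
    raise ValueError(f"unknown status {result.status!r} for {result.control_id}")


def score(results: list[ControlResult]) -> int:
    """Total score: 110 minus every deduction. Controls absent from
    `results` are treated as implemented (0 deduction)."""
    total = PERFECT_SCORE - sum(deduction(r) for r in results)
    if total < MINIMUM_SCORE:
        raise ValueError("deductions exceed the 313-point total; check point values")
    return total


def poam_items(results: list[ControlResult]) -> list[str]:
    """Controls that must appear in the Plan of Action and Milestones:
    anything that cost points, including partial-credit controls."""
    return [r.control_id for r in results if deduction(r) > 0]


# Constructed sample assessment (point values are assumptions, not the
# official weights). Everything not listed is assumed implemented.
SAMPLE_RESULTS = [
    ControlResult("3.1.1", 5, "implemented"),      # limit system access
    ControlResult("3.5.3", 5, "partial"),          # MFA only for remote/privileged users
    ControlResult("3.13.11", 5, "partial"),        # encryption in use, not FIPS-validated
    ControlResult("3.1.20", 1, "not_implemented"), # external connections not controlled
    ControlResult("3.4.1", 5, "partial"),          # partial baseline config: no credit
]


if __name__ == "__main__":
    print("score:", score(SAMPLE_RESULTS))          # 110 - 3 - 3 - 1 - 5 = 98
    print("PoAM required for:", poam_items(SAMPLE_RESULTS))
```

Note that a partial-credit control still lands on the PoAM: the reduced deduction only changes the score, not the obligation to document how the gap will be closed and to refresh that plan annually.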


Who should I talk to?

Talk to a Cyber-AB Registered Practitioner Organization separate from your security operations team to ensure controls are fully implemented and documented within the acceptable standards of the NIST 800-171r2 assessment.


To learn more about your CMMC 2.0 requirements, schedule a consultation with a Security specialist!

