NIST 800-171 and CMMC 2.0
Network Titan CMMC Implementation Services: NIST SP 800-171r2 and CMMC 2.0. The CMMC Final Rule has been published. We remove the CMMC guesswork for DoD contractors in San Diego, so your company meets the more than 100 mandated requirements across the 14 key areas of NIST Special Publication 800-171 Revision 2 and achieves the CMMC 2.0 certification level it needs. Compliance in some form will be necessary to conduct business directly with the federal government when it is stipulated in your contract or award. With the growing threat landscape and need for cybersecurity, you already know you must be NIST compliant if you provide products or services within the federal government supply chain, but what exactly does this mean?
WHAT IS THE SPECIAL PUBLICATION NIST 800-171 r2?
NIST is the National Institute of Standards and Technology at the US Department of Commerce. Its Special Publication 800-171 (currently undergoing a 3rd revision, which will soon be released for the public comment period) governs Controlled Unclassified Information (CUI) in non-federal information systems and organizations and provides guidance on how CUI should be accessed, shared and stored. As a supplier or sub-contractor to any federal organization, such as the military, you must now assess and document the specific security measures that demonstrate your compliance in the 14 key areas required by the NIST 800-171r2 standard.
WHAT ARE THE 14 KEY AREAS OF NIST 800-171?
- Access Control: User and transaction authorization and security.
- Awareness and Training: All personnel are adequately trained in security-related duties.
- Audit and Accountability: Access records individually traceable to all users.
- Configuration Management: Network and security protocols and documentation.
- Identification and Authentication: Authorized user identification with multifactor authentication.
- Incident Response: Incident reporting process and notification (DFARS 252.204-7012) capability.
- Maintenance: Information Systems maintenance routine and control.
- Media Protection: Control access and secure hard copy, digital and portable media.
- Personnel Security: Individual screening prior to, during and after personnel actions.
- Physical Protection: Protect and monitor access to IS, equipment and operating environments.
- Risk Assessment: Periodic testing and monitoring of information system vulnerabilities.
- Security Assessment: Periodic testing to demonstrate effective and current IS control.
- System and Communications Protection: 14 security requirements; monitor, control and protect.
- System and Information Integrity: Identify, report and correct IS alerts and flaws.
CMMC 2.0 is finally FINAL!
WHAT IS THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)?
CMMC is not NIST 800-171. Although there is a great deal of overlap (NIST 800-171 is a foundational component), CMMC is distinctly different from NIST 800-171. CMMC (note: the DoD no longer uses the "1.0" or "2.0" version designator for CMMC) is a combination of cybersecurity standards, controls, processes and practices. CMMC 2.0 can be thought of as a series of procurement checkpoints that contractors must pass through. It is "how" they handle the NIST 800-171 and 800-172 controls in their organization. NOTE: SP 800-171 R2 is the version that currently applies to CMMC (but again, Revision 3 is being drafted right now).
Contact Network Titan today to talk to an experienced CMMC consultant or schedule your NIST/CMMC Readiness Cybersecurity Risk Assessment.