NIST 800-171 and CMMC

Network Titan provides NIST and CMMC Implementation Services in San Diego and throughout Southern California.

We remove the CMMC compliance guesswork for DoD contractors so your company meets the 110 security requirements of NIST Special Publication 800-171 Revision 2 and the 15 basic safeguarding requirements of FAR clause 52.204-21. We assist organizations that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in preparing for certification by a CMMC Third-Party Assessment Organization (C3PAO). Where your contract or award stipulates it, compliance at the required level is a condition of doing business with the federal government.

WHAT IS NIST SP 800-171 R2?

NIST is the National Institute of Standards and Technology at the US Department of Commerce. Special Publication 800-171 (currently undergoing a third revision) specifies the security requirements for protecting CUI when it is stored, processed or transmitted by non-federal organizations and information systems. As a supplier or subcontractor to any federal organization, such as the military, you must now assess and document the specific security measures that demonstrate your compliance with NIST SP 800-171 R2.

WHAT ARE THE 14 KEY AREAS OF NIST 800-171?

  • Access Control: Limit system access to authorized users, processes and devices, and to the transactions and functions they are permitted to perform.
  • Awareness and Training: Ensure all personnel are adequately trained in the security-related duties of their roles and aware of the risks to CUI.
  • Audit and Accountability: Retain audit records so that actions can be traced to individual users and hold users accountable for them.
  • Configuration Management: Establish and maintain baseline configurations, change control and documentation for systems and security settings.
  • Identification and Authentication: Identify authorized users and devices, and require multifactor authentication for privileged accounts and network access.
  • Incident Response: Maintain an incident handling, reporting and notification capability, including the 72-hour cyber incident reporting required by DFARS 252.204-7012.
  • Maintenance: Perform and control routine maintenance of information systems, including supervision of maintenance personnel and tools.
  • Media Protection: Control access to, and secure, hard-copy, digital and portable media containing CUI, and sanitize or destroy media before disposal or reuse.
  • Personnel Security: Screen individuals before granting access to systems containing CUI, and protect CUI during and after personnel actions such as terminations and transfers.
  • Physical Protection: Protect and monitor physical access to information systems, equipment and their operating environments.
  • Risk Assessment: Periodically assess risk to operations and assets, scan systems for vulnerabilities and remediate them.
  • Security Assessment: Periodically assess the effectiveness of security controls, maintain a System Security Plan (SSP) and plans of action and milestones (POA&M), and monitor controls on an ongoing basis.
  • System and Communications Protection: Monitor, control and protect communications at external and key internal system boundaries, and use FIPS-validated cryptography to protect CUI in transit and at rest.
  • System and Information Integrity: Identify, report and correct system flaws in a timely manner, protect against malicious code, and monitor system security alerts and advisories.

CMMC 2.0 is FINAL!

WHAT IS THE CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)?

CMMC is not NIST 800-171. Although there is a great deal of overlap (NIST 800-171 is a foundational component), CMMC is distinct from NIST 800-171. CMMC (note: the DoD no longer uses the "1.0" or "2.0" version designator for CMMC) is a combination of cybersecurity standards, controls, processes and practices. CMMC can be considered a series of procurement checkpoints that contractors must pass through: it is the mechanism for verifying how they implement the NIST 800-171 and, at the highest level, NIST 800-172 controls in their organization. NOTE: SP 800-171 R2 is the version that currently applies to CMMC; Revision 3 is on the horizon as the eventual standard.

Contact Network Titan today to talk to an experienced CMMC consultant or to schedule your NIST/CMMC Readiness Assessment.