Making sense of NIST 800-171, CMMC and related DFARS clauses
There is an alphabet soup of acronyms and security requirements for the defense industrial base. This blog will help you understand what each relevant requirement is and how they all relate to each other.
The Requirements
NIST 800-171r2 is a subset of controls from the NIST 800-53 catalog of controls that was tailored to provide contractors and agencies with recommended security for protecting the confidentiality of Controlled Unclassified Information (CUI) when CUI is in the possession of and managed by any nonfederal contractors that make up the Defense Industrial Base (DIB). It is a security framework comprised of 110 controls and 320 security objectives and also includes an appendix of 60 nonfederal organization (NFO) controls that are expected to be in place as well. As the name indicates, this is a standard set by NIST, not the DoD or the Cyber AB who are the agencies that enforce the adoption and assessment of compliance with security standards, respectively. More on that later.
NIST 800-171r3 is the latest revision of 171 and a draft version was released in May 2023. Barring any additional changes as a result of suggestions submitted during the comment period the NFO controls from 171r2 will be explicitly incorporated, 24 controls will be withdrawn but incorporated elsewhere and three new families of controls will be included: planning, systems and services acquisition and supply chain risk management.
CMMC is a program developed by the DoD to enforce compliance with security requirements within the DIB. CMMC will have 3 levels, 2 of which have already been defined, with the expectation that level 3 will be defined in the next draft, expected in the fourth quarter of 2023. Contractors that must comply with the first level are organizations that possess and manage Federal Contract Information (FCI) only. Level 1 security requirements are based on FAR 52.204-21 and include just 17 controls. CMMC Level 2 is based on NIST 800-171r2 and requires third party assessment by a Certified Third Party Assessment Organization (C3PAO). The next draft of CMMC is expected to be a proposed ruling, meaning there will be a review period that may take a year, or it may come out as a proposed ruling, meaning it may take effect within 60 days.
DFARS 7012, is the federal requirement that all defense contractors must implement the controls specified in NIST 800-171, flow down clauses to subcontractors that will be in possession of CUI, and to also report cyber incidents in a timely fashion. DFARS 7012 has been in effect since December 2017 and does not specify a version of the security standard NIST 800-171. Accordingly, it is expected that DFARS 7012 will require contractors to comply with NIST 800-171r3 once r3 is finalized.
This is the DoD’s requirement that DIB contractors conduct self-assessments against their compliance with NIST 800-171 and to report their scores in the Supplier Performance Risk System (SPRS). DFARS 7019 reinforces the 7012 mandate to implement the NIST 800-171 controls. Also implicit in this requirement is that contractors need to have a well-documented systems security plan (SSP) and formalized plans of action and milestones (POAMs) against any controls that are currently not met.
This clause further strengthens the security requirements by mandating that contractors must give the DoD access to systems, personnel and facilities for a medium or high assessment, should the government wish to do so. It also mandates that any contractor with subcontractors that have flow down clauses must ensure that those subcontractors also report their 171 scores in SPRS.
Last but not least, 7021 will require contractors to maintain the appropriate Cybersecurity Maturity Model Certification (CMMC) level as soon as CMMC is fully in effect. Companies requiring CMMC Level 2 because they require CUI for contract performance will need to be third party assessed for conformance with the CMMC Level 2 security requirements, and currently the CMMC L2 requirements are NIST 800-171r2.
To summarize, currently, DIB members must comply with NIST SP 800-171 r2 per DFARS 7012, report those scores in SPRS per DFARS 7019, agree to DoD assessments and ensure subcontractors report scores in SPRS per DFARS 7020, and then once CMMC is in effect, they must schedule and pass third party assessments conducted by an authorized C3PAO if they are in possession of CUI, per DFARS 7021.
It is interesting to note that since CMMC requires third party assessments, it will take time to train and certify assessors on an updated version of the security standard (NIST 800-171r3). However, it is likely that DFARS 7012 will adopt NIST 800-171r3 soon after the standard is finalized, so the actual security requirements to comply with 7021 via a CMMC assessment may have a smaller compliance footprint for organizations seeking certifications (OSCs) than 7012 soon will, even though the compliance process will be more expensive and require additional time. It is also possible that companies may be motivated to prepare for earlier adoption of CMMC since 171r2 is better understood at this point than 171r3.
About the author
Amy Williams
Vice President of CMMC
Amy Williams began her career in Accounting Information Systems, a precursor to cybersecurity that imbued her with the talents and knowledge that she uses today. A member of multiple fields of study, Dr. Williams has ample experience understanding fraud, system errors in internal systems, and internet security protection. She has been on the forefront of developing cyber strategies for supply chains since the world wide web made the internet popular for sharing data in business. With both a Master’s Degree and PhD from Virginia Tech, Amy Williams has held prestigious positions with the NY Crime Commission where she built an alliance with the FBI, and she led the development of BlueVoyant's CMMC and CIS Advisory Practices prior to joining Coalfire Federal. Back to Full Bio