Making sense of NIST 800-171, CMMC and related DFARS clauses
There is an alphabet soup of acronyms and security requirements for the defense industrial base. This post explains what each relevant requirement is and how they relate to each other.
NIST SP 800-171r2 is a subset of controls from the NIST SP 800-53 catalog, tailored to give nonfederal organizations (in the DoD context, the contractors that make up the Defense Industrial Base, or DIB) a recommended baseline for protecting the confidentiality of Controlled Unclassified Information (CUI) that they possess or manage on their own systems. It comprises 110 security requirements, broken down into 320 assessment objectives in the companion document NIST SP 800-171A, and its Appendix E lists about 60 nonfederal organization (NFO) controls that are assumed to be in place without being stated as requirements. As the name indicates, this is a standard published by NIST; it is not written by the DoD, which mandates its adoption, or by the Cyber AB, which accredits the organizations that assess compliance. More on that later.
NIST SP 800-171r3 is the next revision of 171; an initial public draft was released in May 2023. Barring changes arising from comments submitted during the review period, the NFO controls from 171r2 will be explicitly incorporated, 24 requirements will be withdrawn (with their substance folded into other requirements), and three new control families will be added: planning, system and services acquisition, and supply chain risk management.
Cybersecurity Maturity Model Certification (CMMC) is the program the DoD developed to enforce compliance with these security requirements within the DIB. CMMC will have three levels, two of which have already been defined; Level 3 is expected to be defined in the next draft, anticipated in the fourth quarter of 2023. Level 1 applies to organizations that possess and manage Federal Contract Information (FCI) only; its requirements are based on FAR 52.204-21 and amount to just 17 practices. CMMC Level 2 is based on NIST SP 800-171r2 and, for contracts involving CUI, requires assessment by a Certified Third Party Assessment Organization (C3PAO). The next draft of CMMC may be published as a proposed rule, in which case there will be a public comment and review period that could take a year, or as an interim final rule, in which case it could take effect roughly 60 days after publication.
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, commonly called DFARS 7012, requires defense contractors that handle covered defense information to implement the controls in NIST SP 800-171, to flow the clause down to subcontractors that will possess CUI, and to rapidly report cyber incidents to the DoD (within 72 hours of discovery). Full implementation of 800-171 has been required under 7012 since December 31, 2017. The clause does not pin a specific revision of 800-171; it points to the version in effect at the time of solicitation (or as authorized by the contracting officer). Accordingly, once r3 is finalized, 7012 is expected to require compliance with NIST SP 800-171r3.
DFARS 252.204-7019 (DFARS 7019) is the DoD's requirement that DIB contractors self-assess their implementation of NIST SP 800-171 using the DoD Assessment Methodology and post the resulting score in the Supplier Performance Risk System (SPRS). DFARS 7019 reinforces the 7012 mandate to implement the 800-171 controls. Implicit in this requirement is that a contractor must have a well-documented system security plan (SSP) and formal plans of action and milestones (POA&Ms) for any controls not yet met, because the score is derived from exactly those documents.
DFARS 7020 further strengthens the requirements by mandating that contractors give the DoD access to their systems, personnel and facilities for a Medium or High assessment, should the government choose to conduct one. It also requires any contractor whose subcontractors receive the flow-down clause to ensure that those subcontractors report their 800-171 scores in SPRS as well.
DFARS 7021, last but not least, will require contractors to hold and maintain the appropriate CMMC level once CMMC is fully in effect. Companies that require CUI for contract performance will need CMMC Level 2 and will have to be assessed by a third party for conformance with the Level 2 requirements, which today are those of NIST SP 800-171r2.
To summarize, currently, DIB members must comply with NIST SP 800-171 r2 per DFARS 7012, report those scores in SPRS per DFARS 7019, agree to DoD assessments and ensure subcontractors report scores in SPRS per DFARS 7020, and then once CMMC is in effect, they must schedule and pass third party assessments conducted by an authorized C3PAO if they are in possession of CUI, per DFARS 7021.
It is worth noting that, because CMMC requires third-party assessments, it will take time to train and certify assessors on an updated version of the standard (NIST SP 800-171r3). DFARS 7012, by contrast, is likely to adopt 171r3 soon after it is finalized. As a result, the security requirements an Organization Seeking Certification (OSC) must meet to satisfy 7021 via a CMMC assessment may, for a while, have a smaller footprint than those 7012 will soon demand, even though the CMMC process will be more expensive and take longer. This may also motivate companies to pursue CMMC early, since 171r2 is far better understood today than 171r3.