Update: This article was first published in December 2021 and was updated in January 2025 to reflect changes to NIST SP 800-171 and the CMMC framework
In the space of a few months, NIST published Revision 3 of Special Publication 800-171 (May 2024), the DoD published the final rule for the Cybersecurity Maturity Model Certification (CMMC) program (October 2024), and new compliance reporting requirements came into force. Organizations therefore need to act promptly to achieve, and to evidence, compliance with the cybersecurity requirements in their contracts if they want to remain eligible to work on DoD contracts.
NIST 800-171 and CMMC are not two competing control sets: NIST SP 800-171 defines the security requirements, and CMMC is the DoD's program for verifying that contractors have actually implemented them. The CMMC 2.0 framework draws its Level 2 requirements directly from the NIST publication.
What is NIST 800-171?
Part of the US Department of Commerce, the National Institute of Standards and Technology (NIST) is a US government agency that, among other things, develops cybersecurity standards, guidelines and best practices. It develops them to improve the security of public and private sector IT networks and, by extension, to protect US national security interests. Accordingly, NIST has produced a series of publications that set out controls and requirements that federal agencies and commercial entities either must, or are advised to, implement.
First published in June 2015, NIST Special Publication 800-171 was introduced to protect sensitive but unclassified government data that resides in private sector IT networks, and is therefore outside federal systems. It is specifically designed to safeguard Controlled Unclassified Information (CUI), and the obligation to comply with its requirements flows down through the contract between the contractor and the government (for DoD contractors, through DFARS clause 252.204-7012).
Any organization that processes or stores CUI on behalf of the US government is therefore required to comply with NIST 800-171. This typically includes DoD and NASA contractors, laboratories and research institutions in receipt of federal funding, and service providers to the US government. Revision 3, published in May 2024, contains 97 requirements, consolidated from the 110 in Revision 2, grouped into families such as access control, audit and accountability, configuration management and incident response. Each requirement addresses a specific way that CUI could be exposed or a specific protection the system must provide.
The application of each requirement ensures an organization’s systems, network, and employees are properly prepared to safely handle CUI. Compliance with NIST 800-171 by contractors who handle sensitive information helps strengthen the federal supply chain and protect government data. It also ensures a unified baseline standard of cybersecurity for all contractors, and their respective subcontractors, who have access to CUI.
For those with NIST 800-171 and CMMC 2.0 compliance requirements, Nipper can reduce time, resource, and workload pressure by automating your compliance assessments and providing a report with information on any issues found and any applicable evidence.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a program established by the US Department of Defense to assure the cybersecurity of the defense industrial base (DIB) by establishing a clear framework of requirements for contractors and a mechanism for verifying that they are met. The DIB supply chain includes more than 300,000 companies, each of which is responsible under CMMC for protecting the federal contract information (FCI) and CUI that it handles.
Following a review by the Biden Administration, the original CMMC pilot program was suspended and the revised CMMC 2.0 model was announced in November 2021. The final rule establishing the program (32 CFR Part 170) was published in October 2024.
The CMMC 2.0 framework is composed of three levels of cybersecurity maturity, each building on the level below it. It consists of security requirements and assessment procedures and draws heavily on NIST 800-171.
The three levels in the CMMC 2.0 model are as follows:
- Level 1 – Foundational (15 security requirements, corresponding to the basic safeguarding requirements in FAR 52.204-21, for organizations that handle FCI)
- Level 2 – Advanced (the 110 requirements of NIST SP 800-171 Revision 2, for organizations that handle CUI; the CMMC rule continues to reference Revision 2 even though Revision 3 consolidates the same material into 97 requirements)
- Level 3 – Expert (the 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172, for organizations handling CUI that is a target of advanced persistent threats)
The earlier version of CMMC required both prime contractors and their subcontractors to be certified as fully compliant at the appropriate CMMC level – as defined in RFPs – before award and commencement of the work.
In CMMC 2.0, however, Plans of Action and Milestones (POA&Ms) are accepted under limited conditions, meaning that a contractor that does not yet fully comply may be allowed to begin work on a contract while committing, in detail, to how and when it will meet the outstanding requirements. The final rule restricts which requirements may be left open and requires the POA&M to be closed out within 180 days of the assessment. This version also allows waivers of CMMC requirements in certain limited circumstances.
As DoD contractors rely on sub-contractors from around the world, many international organizations may find themselves now subject to CMMC compliance rules.
What is the main difference between NIST standards and CMMC?
Until recently, NIST 800-171 compliance was required but not audited by the government or any third-party body, leaving contractors responsible for implementing the requirements and satisfying themselves that they were met. For DoD contractors, compliance is now monitored, but the assessment is still the contractor's own responsibility: under DFARS 252.204-7019 and 252.204-7020, a self-assessment score calculated using the DoD Assessment Methodology must be uploaded to the Supplier Performance Risk System (SPRS). For US government contractors subject to NIST 800-171 outside the DoD, there is currently no requirement to submit compliance reporting of any kind.
Under CMMC, organizations that must meet Level 1 perform an annual self-assessment. Level 2 comes in two forms, depending on what the contract requires: a self-assessment every three years, or a certification assessment every three years by an accredited third party (a C3PAO). Level 3 requires a current Level 2 C3PAO certification and is then assessed every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). At every level, a senior official must also affirm continuing compliance annually.
For organizations working towards CMMC compliance, or preparing for their official assessment for level 2 or level 3, tools are available to measure and evidence compliance with the security practices of the CMMC framework. Titania Nipper can accurately and automatically determine compliance with CMMC 2.0 and NIST SP 800-171 (Rev 3) controls related to network devices. Our virtual modelling reduces false positives and identifies exact fixes to help you stay secure and compliant.
Nipper enables teams to rapidly address misconfigurations and issues raised as areas of non-compliance through the provision of the exact technical fixes required to secure the device and ensure ongoing compliance.
Nipper is a valuable tool for those with NIST 800-171 and CMMC compliance requirements. Request a free trial to see how the software can benefit your organization.
Matt Malarkey