Are NIST 800-171 and CMMC the same thing?

NIST SP 800-171 is a special publication put out by the National Institute of Standards and Technology (NIST) that addresses Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It is a document that puts forth a minimum standard of cybersecurity protections for organizations working with the Federal Government. The requirements are derived from the controls in NIST SP 800-53, which the NIST Cybersecurity Framework (CSF) is based on.

The upcoming Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD) makes implementation of NIST SP 800-171 mandatory for bidding on and being awarded any contract work with the DoD. This includes both prime contractors and subcontractors.

When you hear the buzz around "CMMC compliance," what that means is there will soon be regulation in place to enforce adherence to NIST SP 800-171. The compliance portion is the self-assessments and certifications performed by/for an organization; the cybersecurity portion is the actual controls and tools put in place in the organization to implement NIST SP 800-171. CMMC 2.0 has 3 levels of maturity, with Level 2 being full implementation of NIST SP 800-171 and Level 3 being full implementation of NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171).

Image from ControlCase

But why the need for CMMC if the NIST framework already existed? Simply, the DoD needed a way to verify organizations contracting or subcontracting with it are reaching a minimum level of cybersecurity. This is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

CMMC is not required for organizations that do not work with the DoD. It is a DoD only regulation, once again, where the prime contractor or subcontractor handles FCI or CUI. So organizations that use NIST CSF as their security framework but don't work with the DoD don't need to be CMMC compliant.

So in a nutshell, are NIST SP 800-171 and CMMC the same thing? Kinda. If your organization has already been implementing NIST SP 800-171, CMMC compliance will be a breeze. If you haven't, I suggest starting the process now so you are ready by time CMMC goes live (estimated 2025). Implementing security controls does not happen overnight. You will need to undergo a security and technology review to determine where you are currently at, and then create a roadmap for controls that still need to be implemented.

We can help you do this at TotalCare IT. Give us a call today to learn more.