NIST 800-171 vs CMMC : understand the difference
Depending on which U.S. government department is your customer, you may be required to meet certain cybersecurity standards and requirements.
You may also be required to comply with a specific cybersecurity standard by one of your partners who is a supplier to the U.S. government.
When access or create fairly sensitive information (CUI), you're going to have to comply with NIST 800-171 or CMMC (Cybersecurity Maturity Model Certification).
In this article, we'll look at the difference between NIST 800-171 and CMMC, and the context in which they apply.
1 - What is NIST 800-171?
NIST 800-171 is a U.S. government cybersecurity standard. It consists of 110 security controls that provide requirements for protecting sensitive unclassified information (commonly known as CUI - Controlled Unclassified Information). These controls are divided into 14 domains.
If you don't use CUI in your business relationship with the U.S. government, you don't need to comply with NIST 800-171
Obligation to comply with NIST 800-171
When you become a supplier/contractor to the U.S. government and access CUI, you are required to comply with NIST 800-171.
There is no NIST 800-171 certification. What is required is that you rigorously apply the 110 controls and that you perform a self-assessment to confirm that you are in full compliance with NIST 800-171.
However, you need to be very careful when self-assessing. The U.S. government may ask you for proof of compliance with NIST 800-171. If the controls in place are different from what is stated in your self-assessment report, you could be accused of fraud. In such a case, you may be barred from applying for U.S. government contracts.
When in doubt, we strongly suggest that you work with a specialized cybersecurity firm with the expertise to help you. That way, you won't make a mistake that could cost you dearly (U.S. government contract closure).
2 - What is CMMC?
CMMC is a new cybersecurity certification issued by the U.S. Department of Defense (DoD). This certification applies to all DoD contractors, subcontractors and suppliers specifically, whatever their sector of activity or location (USA, Canada or anywhere else).
The current version is CMMC 2.0.
CMMC is derived from NIST 800-171 and incorporates its 14 domains. CMMC is composed of 17 domains.
CMMC 2.0 certification levels
There are 3 levels of CMMC 2.0 certification:
- CMMC 2.0 Level 1: if you are accessing US Federal Contract Information (FCI) only.
- CMMC 2.0 Level 2: if you are accessing CUI.
- CMMC 2.0 Level 3: access to more sensitive CUI. Additional requirements must be met to comply with Level 3.
To find out how to determine your CMMC level, please consult this link.
Do I have to comply with NIST 800-171 if I'm CMMC 2.0 certified?
- If you are a DoD-only supplier, all you need to do is comply with CMMC 2.0. However, one of your partners may ask you to show that you are NIST 800-171 compliant. Your CMMC certification should be enough to convince them. A partner may also ask you to submit your SPRS score.
- If you are a supplier to other U.S. government departments (other than DoD) and use CUI, you do not need to comply with CMMC. You need to comply with NIST 800-171. You should also be prepared to submit your SPRS score if requested.
Evaluate your readiness for CMMC 2.0 or NIST 800-171 compliance
We've created a form to help you assess your level of readiness for CMMC 2.0 or NIST 800-171 compliance.
How can StreamScan help you?
StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to support organizations in their CMMC process. We are fully conversant with CMMC and NIST 800-171.
Our cybersecurity experts are available to support you in your CMMC or NIST 800-171 compliance process. We regularly help organizations determine and submit their SPRS score to the US Department of Defense (DoD).
For more details on our CMMC and NIST 800-171 service, visit this link.