CMMC 2.0, NIST, and Risk Management
Cyber threats continue to grow in complexity and sophistication. To address this evolution, the Department of Defense has introduced the Cybersecurity Maturity Model Certification (CMMC) 2.0 to ensure that defense contractors maintain robust cybersecurity practices to protect Controlled Unclassified Information (CUI).
To address one of the most important processes in modern security (risk management), CMMC 2.0 includes some risk assessment requirements.
This article will explore risk management’s vital role in achieving CMMC 2.0 compliance and its connection to the National Institute of Standards and Technology (NIST) guidelines, specifically NIST SP 800-171. We will delve into the various control families of NIST 800-171 and 800-172, their impact on risk management, and the steps organizations can take to address potential risks effectively.
How Do CMMC Maturity Levels Impact the Adoption of NIST Controls?
Currently, CMMC version 2.0 is operating under a notional standard as stakeholders in the DoD supply chain assess and provide revisions to the framework. However, one change that seems stable per the mission of the new CMMC version (streamlining compliance) is the reduction of maturity levels from five to three.
Currently, the three maturity levels of CMMC 2.0 are:
- Level 1 (Foundational): This is the introductory level of CMMC 2.0, suitable for low-priority organizations handling FCI (and, in limited circumstances, some less sensitive forms of CUI). At this level, a contractor is only expected to have implemented a subset of 15 controls from NIST Special Publication 800-171.
- Level 2 (Advanced): The core level of CMMC emphasizes an organization’s alignment with the security requirements established by NIST. That means that the contractor must align with 110 controls at this level–the complete list of controls in NIST SP 800-171. This is the level that, by and large, organizations must meet to handle CUI under most circumstances.
- Level 3 (Expert): This level is for contractors handling CUI with much higher threats, specifically those associated with Advanced Persistent Threats (APTs). Level 3 includes requirements for all 110 controls in NIST SP 800-171 plus a subset of controls from NIST SP 800-172.
This article isn’t a deep dive into the nuances of the differences between these levels. Instead, it looks at how one specific family of controls (in this case, risk management) may impact compliance across them.
What Are NIST Special Publications 800-171 and 800-172?
First, a discussion of NIST and CMMC requirements.
NIST 800-171 and NIST 800-172 are publications by the National Institute of Standards and Technology that provide guidelines and recommendations for protecting CUI in non-federal systems and organizations.
- NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”: NIST 800-171 provides guidelines for ensuring the confidentiality of CUI in nonfederal systems and organizations. The publication outlines requirements for basic controls that include authentication, encryption, data privacy, and system and information integrity.
- NIST 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information”: A Supplement to NIST Special Publication 800-171″: NIST 800-172 is an extension to NIST 800-171 that provides enhanced security requirements for protecting CUI against APTs. The enhanced security requirements in NIST 800-172 are intended for organizations with a higher risk of APTs or those handling particularly sensitive CUI.
Risk Management and CMMC
CMMC control requirements are defined by the maturity level of the organization and compliance expectations of the data associated with their task. Both NIST SP 800-171 and 800-172 contain a control family of “Risk Assessment” that may apply to an organization.
- At Level 1, there are no risk management requirements.
- At Level 2, an organization must meet all controls from NIST SP 800-171, including all Risk Management controls.
- At Level 3, an organization must meet everything from NIST SP 800-171 and include certain controls from NIST SP 800-172 as dictated by the contractor’s role in the supply chain.
Both documents contain the “Risk Assessment” family, albeit with different controls.
Risk Management Controls from NIST SP 800-171
The risk assessment control family in this document contains three primary requirements:
- Risk Assessment (Basic Requirement): Organizations should be able to periodically assess risks to and from operations, assets, and individuals. This includes defining system boundaries from which threats may emerge and understanding how operations open up new and compound threats. These assessments can be conducted at almost any formal or informal level and can come during any part of a system development life cycle.
- Vulnerability Scans (Derived Requirement): Organizations should be able to conduct regular vulnerability scans to catch risks and threats as they emerge. This includes the ability to conduct Security Content Automated Protocol (SCAP) validated tools and identify vulnerabilities listed in the CVE database.
- Remediation (Derived Requirement): Once vulnerabilities are identified, the organization should have policies and procedures to remediate these issues.
Risk Management Controls from NIST SP 800-172
NIST SP 800-172 also contains a Risk Assessment family that defines several enhanced requirements for organizations at the highest level of compliance:
- Threat Intelligence (Enhanced Requirement): Organizations should have ways to conduct intelligence-gathering around potential risks to combat evolving threats. This intelligence should inform defining system requirements and architectures, selecting software, and remediating threats.
- Threat Hunting (Enhanced Requirement): Organizations should conduct active threat hunting alongside passive security measures. This can include penetration testing, red team exercises, active intelligence sharing with other organizations, and consulting with security and government agencies.
- Automation and Analytics (Enhanced Requirement): Organizations should look beyond manual security teams and scans and look to automation (potentially including machine learning) to analyze data, take specific actions, and control workflows. These tools should also use analytics to aid decision-making around risk and remediation.
- Documentation (Enhanced Requirement): The organization must have documented rationales for any system security solutions selected, including a risk determination.
- Assessment (Enhanced Requirement): Organizations should be able to assess the effectiveness of their security over time and under dynamic circumstances.
- Supply Chain (Enhanced Requirement): Organizations expanding their risk assessment efforts should do so to incorporate their supply chain (including managed services, cloud services, or other providers).
Learn More About CMMC or Partner with Us for Your Assessment
CMMC is a rigorous standard requiring organizations to undergo third-party assessments. Lazarus Alliance is now a certified third-party assessment organization under CMMC 2.0, one of only a few dozen in the United States.
What does that mean for you? You can trust our decades of experience to help guide you through your assessment process.
Preparing for your CMMC audit? Looking for a C3PAO you can trust? Contact Lazarus Alliance.