The unveiling of CMMC 2.0 last November raised a lot of questions, but also brought a lot of relief. The streamlining of security around Controlled Unclassified Information (CUI) will help defense agencies and contractors better secure their systems without burdening them with operational overhead. This is crucial for organizations who want to support these agencies but don’t know much about either NIST SP 800-171 or NIST SP 800-172, the core documents of CMMC.
Controlled Unclassified Information and CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) was originally announced in 2019 to standardize security assessments for contractors in the Defense Industrial Base (DIB) handling CUI. Prior to the advent of CMMC, contractors were expected to self-assess and self-attest through basic reporting and monitoring against NIST standards. CMMC changed this requirement in a few different ways:
- Third-Party Assessment: Contractors were expected to undergo regular assessments by third-party organizations, known as Certified Third-Party Assessment Organizations (C3PAO). There are no exceptions to this rule, and certification requires sign-off from the C3PAO.
- Five Maturity Levels: Certification streamlines compliance into five maturity levels, rather than functioning as a straightforward security assessment against sometimes complex requirements. A minimum of Level 1 certification was required to handle Federal Contract Information (FCI), while Level 3 was required to handle CUI. Level 5 was designated advanced compliance for specific contract demands around sensitive systems and Advanced Persistent Threats (APTs). Levels 2 and 4 are more aligned as intermediary certifications.
- Waivers: Under the original CMMC certification, no contractor may self-assess, and no exceptions were provided under temporary Plans of Actions and Milestones (POAM). That means that the contractor must meet all requirements during an audit with the C3PAO.
CMMC 2.0, initially published for review in November 2021, shifted some of these requirements:
- Three Maturity Levels: CMMC 2.0 consolidated requirements across different maturity levels, reducing the number to three. Level 1 is entry-level and only requires 17 implemented security practices based on NIST 800-171. Level 2 requires all 110 practices defined in NIST 800-171 and is the minimum level for certification to handle CUI. Level 3 requires everything from Level 2 with additional controls from NIST 800-172.
- Limited Self Assessment: Contractors can perform annual self-assessment at Level 1 certification and, with permission of CMMC governing bodies, perform limited self-assessments at Level 2.
- Waivers Allowed: Under certain circumstances, contractors can fill out POAMs to address areas where compliance falls short.
The move from CMMC 1.0 to CMMC 2.0 streamlined compliance, more in line with NIST 800-171 and 800-172.
What is NIST Special Publication 800-171?
Forming the backbone of CMMC compliance and protecting CUI, NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations” maps out the series of security controls and practices organizations must implement to protect this critical data.
These requirements are broken down into several families, each housing several types of measures or controls addressing specific threats or vulnerabilities.
These control families include the following:
- Access Control: This family includes identity or role-based policies, control access of system resources, control flow within a system for authorized users.
- Awareness and Training: Any program or policy to ensure that users, employees, management and other stakeholders understand threats and best practices, compliance requirements and security policies.
- Audit and Accountability: Creating and maintaining audit logs, ensuring the security of those logs and maintaining the integrity of log data against recording error or tampering.
- Configuration Management: Establishing policies to ensure baseline configurations for security and compliance, and implementing practices to maintain proper configuration of governed systems.
- Identification and Authentication: Creating and managing user identities in the system, authentication methods (passwords, biometrics, MFA) for those identities and using time-sensitive methods like one-time passwords.
- Incident Response: Plan, formalize and implement organizational responsiveness for security incidents, including mitigation and remediation.
- Maintenance: Maintain and deploy regular observation and maintenance operations, including implementing the right tools and platforms to do so.
- Media Protection: Control and prevent access to data-carrying media, including digital (hard disks, removable media) and physical (paper, files).
- Personnel Security: Perform screening and onboarding to maintain CUI security, and implement procedures to protect CUI during employee termination or reassignment.
- Physical Protection: Maintain security for physical systems, including workstations, mobile devices, data centers and facilities housing these kinds of equipment.
- Risk Assessment: Regularly conduct risk assessments derived from comprehensive inventories, vulnerability scans and other types of tests.
- Security Assessment: Regularly review security controls for effectiveness and suitability, plan actions around system correction for unsuitable controls, and continuously monitor these systems.
- System and Communications Protection: Implement continuous monitoring and protections for data-in-transit over networks.
- System and Information Integrity: Map, correct and prevent system flaws that can lead to unwanted or unintended data manipulation, data corruption or lack of auditability of data changes.
In protecting CUI per CMMC 2.0, an organization will essentially implement all controls and capabilities in this document. While initial CMMC certification at level one will only require 17 controls, it doesn’t allow for actual contracting with agencies in the DIB that handle CUI.
Furthermore, while extenuating circumstances may allow for self-assessment, Level 2 certification will usually require full audits from a C3PAO across the entirety of NIST SP 800-171.
What Is NIST Special Publication 800-172
When an enterprise moves to Level 3 of CMMC 2.0, they will be expected to hit all the controls in NIST 800-171 as a bare minimum. Additionally, they will have to implement controls from NIST Special Publication 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”
What does NIST 800-172 bring to the table? Several additions to select control families from NIST 800-171. These changes include the following:
- Access Controls: Use dual-person access controls, leverage organizational limitations to document access and deploy secure data transfer solutions for data transfers.
- Awareness and Training: Deploy awareness training for social engineering and APTs and provide feedback on training performance across the organization.
- Configuration Management: Maintain a central repository for trusted sources of accountability in managing system components, and automate update and monitoring.
- Identification and Authentication: Force authentication for network connections, automate password generation, rotating passwords and identity management in systems without MFA and automate connection control for unauthorized devices.
- Incident Response: Establish Security Operations Centers (SOC) capabilities and house an incident response team to handle security events.
- Personnel Security: Conduct enhanced security screening for employees and implement controls to protect systems in the event that information potentially falls into the wrong hands (namely, employees with access to CUI).
- Risk Assessment: Dedicated resources to organization-wide risk assessment and management, conduct cyber threat hunting activities (penetration testing, red team exercises). Document security plans and continually assess security solutions—monitor supply chain vulnerabilities–in this case, assessments of third-party vendors providing IT and cloud systems.
- Security Assessment: Conduct penetration testing.
- System and Communication Testing: Diversify system components to avoid system-wide vulnerabilities, employ mitigation and confusion tactics to reduce threats, employ isolation tactics to minimize attacks and impacts.
- System and Information Integrity: Verify security and software through cryptography and trust mechanisms, monitor components for suspicious behavior, ensure components are compliant or isolated from CUI, display the ability to refresh components to a previous, trusted state.
Any family from NIST 800-171 not listed in the NIST 800-172 regulations do not have additional components. Additionally, the additions listed here are limited, so make sure to check the actual documentation for full regulations and details.
The main differences between 800-171 and 800-172 revolve around advanced controls–advanced testing, advanced monitoring, active testing and automation. Because CMMC Level 3 addresses significant security challenges like APTs, these additional measures focus on proactive and ongoing security.
Developing NIST Compliance with Lazarus Alliance
As with control compliance regulations, NIST 800-171 and 800-172 fall into predictable reporting and audits. Lazarus Alliance, an experienced cybersecurity firm, is well versed in NIST audits and regulations, government compliance and CMMC certification more specifically.
Are You Preparing for CMMC, NIST 800-171 or NIST 800-172 Certification?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.