
NIST and CMMC Compliance in Microsoft (Office) 365

A CONSOLIDATED SOURCE FOR APPLICATION OF NIST 800-171 AND CMMC TO THE O365 PLATFORM

Is the Department of Defense a customer of yours? Do you know how CMMC will impact your business? You will likely need to meet CMMC Level 3 if your DoD contracts require mandates from DFARS 7012 and the new clauses in the DFARS 70 Series, and (consequently) apply NIST 800-171 to your information systems. This primer will help you identify the requirements needed for a successful implementation. In addition, the following content will better prepare your company for the Cybersecurity Maturity Model Certification (CMMC) evaluation.

This primer explains requirements, including CMMC domains and NIST control families, to help businesses identify what is needed for handling Controlled Unclassified Information (CUI) content in their IT systems.

Topics Covered

What is NIST?

How Does NIST 800-171 Impact Contractors and CMMC?

What is CUI?

What is an SSP and POA&M and Why is it Important?

Overview of NIST 800-171 Control Families and CMMC Domains

Preparing for CMMC Audits


What is NIST 800-171 and How does it relate to CMMC?

The National Institute of Standards and Technology is the United States agency tasked to advance measurement science, standards and technology in ways that enhance economic security and improve quality of life. The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems. NIST published Special Publication 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations", or NIST 800-171 for short.

NIST based 800-171 on 800-53, but removed controls, or parts of controls, that were uniquely catered to federal organizations. The framework consists of 14 Control Families, whereas CMMC contains 17 Domains.

NIST 800-171 is a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities.  For Government Contractors supporting the Department of Defense (DoD), CMMC Level 3 and DFARS 7012 require NIST 800-171 compliance across information systems and policies.

How Does NIST 800-171 Impact Contractors and CMMC?

Many federal contracts beyond DoD will soon require NIST 800-171 compliance within FAR cybersecurity requirements, so successful preparation for compliance is essential for businesses providing services to DoD and non-DoD agencies. In the near term, NIST 800-171 is foundational for DIB contractors because DCMA is actively assessing how their companies' organizational IT systems satisfy the requirements of DFARS 7012. CMMC adds further urgency because it requires contractors to be certified at or before the time of contract award.

Depending upon your business' previous investments and current security posture, it may be cost effective to implement security solutions that satisfy NIST 800-171 by using Cloud Solution Providers (CSP) and other cloud services. Improving security with a CSP like Microsoft and leveraging their Office 365 (O365) / Microsoft 365 (M365) collaboration stack may meet your organizational requirements more affordably. Alternative, but equally effective, security measures may compensate for the inability to satisfy a particular requirement within NIST 800-171. NIST 800-53 provides recognized alternative security standards as organizations plan for NIST 800-171 compliance.

What is CUI?

Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are relatively new markings, but similar markings have a long history within the government. CDI is an umbrella term that encompasses all CUI and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. In the past, the government used many different markings to identify this kind of information. You may have seen or used some of these: Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc. These are now all rolled up into the classification of CDI content. Clear as mud... Right? No one said this was easy...

CDI as a category encompasses both CTI and CUI. CTI is defined as technical information with a military or space application that is marked with a distribution statement in accordance with DoDI 5230.24 (Distribution Statements on Technical Documents). In general, the controlling Department of Defense (DoD) office is responsible for determining whether information is CTI and properly marking it before a contractor accesses it. However, if a contractor develops unclassified CTI in the performance of a contract, the contractor must work with the contracting officer to ensure that the appropriate forms are completed, statements of work are in place, and distribution statements are assigned to each piece of content. This content must be protected at the same level as other CDI and CUI content; it just has special marking and tracking requirements.


What is an SSP and POA&M?

For starters, a System Security Plan (SSP) is an iterative document meant for updates as the company changes anything substantive about its security posture. Much like a well-kept Wikipedia page, every major update or remediation needs to be recorded and reviewed by other individuals. Information like network diagrams, administration roles, company policies, and security responsibilities by employee type are important for a complete SSP.

For the purposes of NIST 800-171 and CUI requirements, the SSP includes the necessary information about each system in your environment that processes, stores, and transmits CUI. This information includes security configurations or capabilities that are currently or intended to be implemented, and each capability is expressly tied to specific security requirements and controls. Furthermore, the SSP defines how each of these systems interact between one another (flow of information and shared authentication/authorization), as well as how they behave separately.

If the SSP is the collective details of a business' security posture and system(s) profile, the POA&M is the honey-do list. Each company's POA&M is likely different because it includes information about weaknesses and gaps according to NIST 800-171 standards, as well as the risk posture for each respective gap and any mitigating steps the company intends to take. We often suggest similar entries into each of our clients' POA&Ms; however, not every company will decide to address every risk in the same way. After all, these are business decisions with operational and financial implications.

Bottom line: you have to possess a complete SSP and POA&M in order to conduct work for the Federal Government. A "complete" SSP is a working and living document nevertheless, and a "complete" POA&M really is an empty document once you configure Office 365 and your other systems properly.

Although NIST 800-171 did require organizations to have a POA&M, CMMC is not going to require contractors to have a POA&M; an SSP will be required.

NIST 800-171 Requirements and Control Families and CMMC Domains

NIST 800-171 is a comprehensive set of requirements containing 28 basic security requirements and 81 derived security requirements. That's a total of 110 requirements across the entire scope of NIST SP 800-171! CMMC contains 17 Domains and 171 Practices.

Many of these controls or practices can be technical and/or procedural. Some of them are handled by your Cloud Service Provider if you are moving into a cloud environment. Below is a snapshot of each NIST Control Family and its associated CMMC Domain.

CMMC: Access Control (AC)

NIST: 3.1 Access Control 

The Access Control family is one of the largest control families in NIST 800-171. In general, this control family specifies controls around limiting system access to authorized users and making sure that those authorized users are only able to perform specified actions based on company policies. All requirements in the Access Control family trace to NIST 800-53, and most require both a procedural and a technical control to implement.

NIST Basic Requirements: 2
NIST Derived Requirements: 20
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Awareness and Training (AT)

NIST: 3.2 Awareness and Training

Ensuring that managers, administrators and end users receive proper security awareness training, covering both use of the information system and insider threats, is essential to satisfying the NIST 800-171 Awareness and Training requirements. All three requirements map specifically to the Awareness and Training (AT) family in NIST 800-53 and are handled with procedural controls. They do not require a technical control; however, a control enhancement might be the implementation of a learning management system to maintain electronic training records.

NIST Basic Requirements: 2
NIST Derived Requirements: 1
Procedural Controls: Yes
Technical Controls: No

CMMC: Audit and Accountability (AU)

NIST: 3.3 Audit and Accountability

Audit and Accountability requirements focus specifically on ensuring that an organization's audit generation and reporting capabilities sufficiently support the security monitoring and management needed for a secure environment. These requirements map directly to NIST 800-53. Most of these controls require both a procedural and a technical implementation.

NIST Basic Requirements: 2
NIST Derived Requirements: 7
Procedural Controls: Yes
Technical Controls: No

CMMC: Configuration Management (CM)

NIST: 3.4 Configuration Management

Configuration Management requirements focus on ensuring organizations have formalized change control and technical controls that ensure processes are appropriately followed across the entire IT enterprise. Remember, the entire enterprise includes servers, services and client systems. This extensive set of requirements may require the creation of governance processes or significant modifications to existing ones. All requirements map directly to the Configuration Management (CM) family in NIST 800-53 and include procedural and technical controls.

NIST Basic Requirements: 2
NIST Derived Requirements: 7
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Identification and Authentication (IA)

NIST: 3.5 Identification and Authentication

Pay special attention to the Identification and Authentication requirements, which ensure that systems properly identify users and processes acting within an IT environment. Multi-factor Authentication in NIST 800-171 is one of the primary requirements in this control family, and it is a big deal! These requirements map directly to the Identification and Authentication (IA) family in 800-53 and, like some of the previous categories, this family requires both procedural and technical controls across almost all requirements.

NIST Basic Requirements: 2
NIST Derived Requirements: 9
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Incident Response (IR)

NIST: 3.6 Incident Response

Don't be fooled. The Incident Response family only has three requirements; however, implementing them is a significant effort. NIST 800-171 Incident Response (IR) requirements map to the NIST 800-53 Incident Response (IR) requirements and ensure that processes exist to respond to operational incidents and report to the government. Once processes and controls are implemented, testing is the key to success for the third requirement. We can't stress this enough; test, test, test!

NIST Basic Requirements: 2
NIST Derived Requirements: 1
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Maintenance (MA)

NIST: 3.7 Maintenance

Implementations with Cloud Service Providers have fewer maintenance requirements for NIST 800-171 compliance, because the Cloud Service Provider (CSP) handles hardware maintenance and disposal. However, one requirement that speaks directly to Multi-factor Authentication for remote maintenance sessions can be tricky. This family maps directly to the Maintenance (MA) family in NIST 800-53.

NIST Basic Requirements: 2
NIST Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Media Protection (MP)

NIST: 3.8 Media Protection

Worried about moving to a CSP? The Media Protection (MP) requirements may provide the cost justification needed to make the switch from on-premises to a CSP. Media protection controls are derived from the NIST 800-53 MP and Contingency Planning (CP) families. The requirements focus on the protection of CUI content in both paper and digital media. Both policy and technical controls are required. Organizations using a CSP may have many of these controls included as a component of standard datacenter services.

NIST Basic Requirements: 3
NIST Derived Requirements: 6
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Personnel Security (PS)

NIST: 3.9 Personnel Security

Personnel Security (PS) requirements are primarily handled via procedural controls outside the purview of an IT system. However, there are components that require user access to be properly revoked upon termination or transfer. This is the smallest family within NIST 800-171 and relates directly to the Personnel Security (PS) family in NIST 800-53.

NIST Basic Requirements: 2
NIST Derived Requirements: 0
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Physical Protection (PE)

NIST: 3.10 Physical Protection

This family of requirements includes procedural controls outside of IT system management. Physical protection is a big deal for on-premises enterprises, and it may be especially challenging and expensive for small businesses. Alternatively, an approved CSP can provide a cloud environment that meets the NIST 800-171 physical protection requirements. These requirements map directly to the Physical Protection domain within CMMC, and elements of them are met in Office 365 GCC High.

NIST Basic Requirements: 2
NIST Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: No

CMMC: Risk Management (RM)

NIST: 3.11 Risk Assessment

Risk Management requirements are primarily a procedural and paper-based exercise. The derived requirements are technical in nature and align directly with the RA family in NIST 800-53. There are three requirements, which relate to identifying and remediating vulnerabilities in the information system. The size and complexity of the information system will determine the size of this effort. Beware: this could be a significant effort.

NIST Basic Requirements: 1
NIST Derived Requirements: 2
Procedural Controls: Yes
Technical Controls: Yes

CMMC: Security Assessment (CA)

NIST: 3.12 Security Assessment

CMMC Security Assessment requirements include periodic and continual assessments. The purpose of these assessments is to identify and close any gaps that present themselves during system operation. There are only three requirements, but they work as a loop that ensures continual improvement and control. This control family relates specifically to the Security Assessment and Authorization (CA) family in NIST 800-53.

NIST Basic Requirements: 3
NIST Derived Requirements: 0
Procedural Controls: Yes
Technical Controls: No

CMMC: System and Communications Protection (SC)

NIST: 3.13 System and Communications Protection

Pay close attention to the System and Communications Protection requirements, because they are among the largest and most complex to implement. This family of controls ensures that organizational information systems sufficiently monitor, control and protect all communications, internal and external. Implementation requires significant procedural and technical controls. The requirements map across multiple NIST 800-53 families, including portions of both the System and Services Acquisition (SA) and System and Communications Protection (SC) families.

NIST Basic Requirements: 2
NIST Derived Requirements: 14
Procedural Controls: Yes
Technical Controls: Yes

CMMC: System and Information Integrity (SI)

NIST: 3.14 System and Information Integrity

System and Information Integrity requirements are primarily focused on ensuring that malware and other malicious code do not gain access to the information system. Additionally, these requirements cover identifying potential attacks and indicators of potential attacks. Procedural controls for this family are straightforward for most organizations. However, technical implementation of the controls for on-premises environments can be challenging given the speed and frequency with which attackers change tactics. This requirement set maps to the System and Information Integrity (SI) family in NIST 800-53.

NIST Basic Requirements: 3
NIST Derived Requirements: 4
Procedural Controls: Yes
Technical Controls: Yes


Preparing for CMMC and DFARS Compliance Audits


Audits of any kind have the potential for varying interpretations by different auditors, and CMMC looks to remedy this through an open and explicit process. A good place to start your understanding, if you have an Office 365 tenant, is an overview of the CMMC Level 3 requirements.

Small businesses should "Prepare Early and Test Often". If CMMC and DFARS compliance is an essential element of your business success, then be sure to do it right the first time. If you do it incorrectly, you will only end up doing the work a second or third time, and small businesses can't afford to pay for the same work three different times. You will also need to start with a solid SSP and POA&M, as discussed previously.

For most contractors that have some semblance of an SSP and POA&M, the business will likely need a gap analysis to identify the steps needed to bring their existing O365 environment to a compliant state, or they will need to configure their new O365 environment to NIST 800-171 prior to migration.


O365 GCC High can be configured to the currently slated CMMC standards, with appropriate licensing, and be NIST 800-171 compliant (or at least compliant with the 65 or so technical controls that apply). Additionally, Microsoft agrees to support all DFARS requirements as part of this environment. This environment was previously available only through an enterprise agreement, requiring 500 or more licenses. Through the Microsoft AOS-G program, it is now available to all organizations that have a requirement to manage CUI/ITAR data or have a DFARS 7012 clause in one of their contracts.
