Is it CMMC or NIST SP 800-171 for your business?
Being NIST SP 800-171 compliant does not by itself satisfy CMMC. CMMC is the DoD's framework for assessing and certifying that a contractor has actually implemented the required safeguards, so a company that handles federal contract information (FCI) or controlled unclassified information (CUI) under DoD contracts still needs the CMMC level its contract specifies.
- CMMC Level 1 covers the basic safeguarding requirements of Federal Acquisition Regulation (FAR) 52.204-21 for protecting FCI.
- CMMC Level 2 maps directly to the security requirements of NIST SP 800-171 (110 requirements in Revision 2) for protecting CUI.
- CMMC Level 3 builds on the NIST SP 800-171 requirements of Level 2 and adds a subset of the enhanced security requirements from NIST SP 800-172.
CMMC or NIST SP 800-171 for cloud compliance?
Regarding CMMC, the DoD website states: “In accordance with DFARS 252.204-7012 (b)(ii)(D), companies can use commercial instances of cloud offerings as long as the cloud offering meets the security requirements equivalent to the FedRAMP Moderate baseline and as long as the provider meets the requirements of paragraphs (c)-(g) of the clause.”
Regarding NIST SP 800-171 and the protection of CUI, DoD guidance states that the standard itself, rather than the FedRAMP Moderate equivalency, applies when “a contractor uses an internal cloud to do his own processing related to meeting a DoD contract requirement to develop/deliver a product, i.e., as part of the solution for his internal contractor system. (Example – contractor is developing the next generation tanker, and uses his cloud (not an external cloud service provider) for the engineering design.)” (1)
Businesses using cloud services should not assume that a provider's generic “compliant” claim meets DoD requirements. The contractor remains responsible for the more stringent obligations of DFARS 252.204-7012, such as rapidly reporting cyber incidents affecting covered defense information to DoD within 72 hours of discovery, and must confirm that the cloud provider supports those obligations (the paragraph (c)-(g) requirements referenced above) before placing CUI in the service.