NIST 800-171 specifies the practices and procedures that must be followed to safeguard Controlled Unclassified Information (CUI) — both physical and digital — that companies in the Defense Industrial Base (DIB) have access to. These guidelines were originally published in 2015 by the National Institute of Standards and Technology (NIST) and are updated regularly to reflect the changing cybersecurity landscape.
How does NIST 800-171 relate to CMMC?
If NIST 800-171 is the standard, CMMC is how you get there.
Enforcement of NIST 800-171 began in 2018, but the rate of compliance across the DIB remained low in the years that followed. To address that, the DoD created CMMC (Cybersecurity Maturity Model Certification) — a tiered approach that outlines the steps and levels for reaching a baseline of cybersecurity and audits whether they have been met. Based heavily on NIST 800-171 and other cybersecurity standards, CMMC requires documentation of processes and procedures, management and review of cyber events, and verification by a third-party auditor to confirm compliance.
By describing how to properly secure, access, transmit, document and store CUI, NIST 800-171 compliance forms the bedrock of CMMC compliance.
What’s involved in CMMC compliance?
A combination of NIST 800-171 and other cybersecurity requirements, CMMC is a sweeping cybersecurity certification that assesses how well your company is prepared for cyber threats and how it responds to them.
Documentation is key to proper compliance and CMMC certification. If you can’t prove you’re doing it, you may as well not be.
Who does NIST 800-171 apply to?
Both prime contractors and subcontractors working with the DoD or another federal agency are now required to meet NIST 800-171 compliance standards. Previously, only companies that directly held contracts with the DoD or federal agencies were required to meet cybersecurity compliance standards. However, as cyberattacks began targeting the subcontractors of these organizations, the need for third parties and their affiliates to meet the same standards became increasingly critical.
Does my company qualify?
When a company manages CUI in any form, whether it is housed in a third-party system or collected and maintained by a third-party organization, NIST 800-171 applies. This ranges from companies that supply IT services down to those that provide janitorial services for federal buildings. Essentially, if a company is part of the DoD or federal supply chain in any form, or offers those agencies any kind of service, NIST 800-171 applies.
Examples of companies that need to be NIST 800-171 compliant
Contractors with the DoD, GSA or NASA
Universities and research institutions supported by federal grants
Supply chain and manufacturing companies that support federal agencies
Subcontractors of companies with DoD contracts
How does my business prepare to become NIST compliant?
The best place to start is to assess where your business currently stands against the NIST 800-171 requirements. Comparing the processes and practices outlined in the official NIST 800-171 publication against what your business currently does for cybersecurity gives you a good sense of what else is needed, or what needs to change, in order to meet NIST compliance. Paying special attention to your documentation efforts, which controls are followed, and how your CUI is managed and accessed helps set you on the course to compliance.
Go Beyond Base Compliance
At Hyper Vigilance, we believe in the value of solid, reliable cybersecurity. When we work with our clients, we do more than prepare them for their CMMC audits — we get them set up to take on whatever the world throws their way. Get a free cybersecurity consultation when you contact the experts at Hyper Vigilance today.