If your organization has been working towards NIST 800-171 and is now on the journey to achieve CMMC 2.0 (the Cybersecurity Maturity Model Certification) it can be difficult to understand what you’ve already achieved and what’s left to do. Both standards are intended to reduce threats and strengthen cybersecurity for sensitive government data. Here’s some details on how they relate to each other and what’s involved to take the next steps toward CMMC compliance.
The NIST Framework
The NIST Cybersecurity Framework has been established based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. Additionally, it was designed to foster risk and cybersecurity management communications between internal and external organizational stakeholders. NIST compliance is mandatory for US federal government agencies. Any organization that processes or stores Controlled Unclassified Information CUI on behalf of the US government is required to be compliant with NIST 800-171.
The Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the DoD program that enables Defense Industrial Base (DIB) contractors to protect against the compromise of sensitive defense information on contractors’ systems. CMMC is intended to standardize and raise the bar for cybersecurity among DIB contractors. It is essentially a procurement gate that a contractor must pass to be eligible to bid and execute upon a government contract. It uses CMMC third-party assessment organizations to evaluate contractors’ compliance with certain mandatory practices, procedures and capabilities related to evolving cyber threats.
In November 2021, the DoD announced CMMC 2.0. This new revision to the program includes 3 certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure. The 3 levels are tiered and build upon each other’s technical requirements.
Preparing for CMMC 2.0
To date, NIST 800-171 compliance was required, but not officially assessed by the government or any third-party body. DFARS 7019 requires self-assessment using the DoD Assessment Methodology and uploading it to the SPRS (Supplier Performance Risk System) for government contracting officer review.
Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis. Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO or certified CMMC Assessor, and C3PAOs shall use only certified CMMC assessors to conduct CMMC assessments.
Daymark's services team provides the services and solutions required for CMMC readiness. We are an authorized Microsoft Licensing Partner for Microsoft 365 Government Community Cloud (GCC), GCC High and Azure Government and member of the CMMC-AB as a (RPO) Registered Provider Organization.
We help DIB contractors as small as 10 and as large as 6,000 users to:
- Map existing security and compliance policies to CMMC controls and provide gap analysis
- Build secure enclaves using Swivel Seat and green field methodologies
- Design and implement complex hybrid or full cloud IaaS and PaaS secure environment
- Migrate data, applications and systems from existing environments to secure enclaves