If your organization often works with the US government, involved in various businesses, you’ll surely understand the importance of compliance. Also, you must already be aware that sensitive information shared with the organization outside the government, is put through the highest security standards.
The National Institute of Standards and Technology (NIST) is a non-statutory federal agency that establishes automation, metrics, and standards to drive ingenious and lucrative competitiveness for all US-based companies in the science and technology industry.
As a part of this endeavor, NIST also produces standards and regulations to assist confederate agencies to meet the obligations of the Federal Information Security Management Act (FISMA). Precisely, NIST develops Federal Information Processing Standards (FIPS) in congruence with FISMA.
Furthermore, NIST special Special Publication (SP) 800-53 and NIST 800-171 are two common decrees with which the companies need to comply with, those who are working within the federal supply chain.
NIST and NIST Compliance
In 1901, Congress established the National Institute of Standards and Technology. NIST is also the nation’s one of the oldest applied science laboratories. It is a part of the US Department of Commerce, and its foundation is based on the removal of the major challenges of US industrial competitiveness that it faced during the 1900s.
As a part of NIST, the Information Technology Laboratory (ITL) promotes the US economy and public welfare by advancing technical efficiency and leadership for the nation’s measurements and standards infrastructure. This was one of the major reasons for the establishment of NIST- the US second-rate measurement infrastructure lagged the capabilities of the United Kingdom and other rival economies at that time.
Hence, the answer to the question, “What is NIST?,” in present times is that NIST develops and issues guidelines, standards, and other publications to abet in directing the cost-effective programs to safeguard information and the information system of the companies in the federal supply chain. NIST provides resources that IT security, compliance, and risk management professionals in all industries recognize and utilize as a standard for best practices.
Cybersecurity practices and compliance is a vital part of any business that takes place with the US government. NIST has been a major strength behind the IT security initiatives in the past three decades. If you’re directly involved in business with the government, the contract will essentially include technological requirements for compliance with cybersecurity standards. If you are a subcontractor or indirectly doing business with the US government, there are hardly a few cybersecurity standards that you have to comply with at the least.
As cybersecurity becomes the focal point of all major industries, protecting the federal chain of supply has become important now more than ever.
What is NIST Compliance?
As stated earlier, there are companies that directly or indirectly provide goods and services to the Federal government. These companies are hence required to meet certain security standards set by NIST. The NIST Special Publication 800-53 and NIST 800-171 are two common mandates which the companies working within the federal supply chain may need to comply with.
NIST 800-171 is the first exposure to the compliance mandate set by the federal government for small businesses or subcontractors who are not directly dealing with the government. The established contractors who have been working with the government for some time now, are already habitual to compliance mandates that they need to comply with such as NIST SP 800-53.
NIST SP 800-53 publication is an exhaustive guide to securing federal information systems. Generally, DoD prime contractors and those working under these major contractors need to abide by NIST SP 800-53 if they are operating the federal information system representing the government. They also need to comply with NIST SP 800-53 when the government mentions the requirements of the mandate in their contracts.
On the other hand, NIST 800-171 is for all subcontractors, whether they are working for a prime contractor or any other subcontractor that is working within the federal supply chain. All the subcontractors working within the federal chain must comply with NIST 800-171.
NIST 800-171 Elaborated
While the government published the revised version of NIST 800-171 in February 2020, it first became effective on 31st December 2017.
In contrast to all the previous security mandates that primarily impacted only the prime contractors, NIST 800-171 is the first one to include the subcontractors under its fold. Companies that are further down the supply chain will now have security compliance requirements that they need to adhere to if they want to keep working with the prime contractors.
All organizations that are involved in processing, storing and transmitting potentially sensitive information for the DoD, GSA, NASA and any other state agencies need to accept NIST standards and comply with it. This will also include all the contractual agency relationships that become a part of this process.
NIST 800-171 mandate is for the protection of “Controlled Unclassified Information” (CUI). CUI is the information that is created by the government or an entity on behalf of the government, that is unclassified yet needs protection. Hence, to be eligible to be part of federal contracts, the subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or the prime contractors they are working with on a project, not directly to the government.
NIST outlines a set of regulations that traces the processes and procedures a company needs to follow and implement to safeguard information. The NIST guidelines outline how to access, share, and store the CUI in a secure way.
FIPS Publication 200 and NIST SP 800-53 draws the requirements recommended in the publication of NIST 800-171. The NIST SP 800-53 forms the moderate security control baseline that covers security controls for the US federal information system excluding those related to state safety. The NIST security obligation and administration have been carefully determined over a stretched period of time, to provide the necessary protection to federal information and systems under the FISMA.
Also, when you comply with NIST 800-171, you also fulfill most of the criteria of NIST SP 800-53, as NIST 800-171 is a sub-unit of NIST 800-53.
Method of Compliance with NIST 800-171
- Hiring an outside dealer to do a security assessment.
- Performing in-house self-assessment and self-attestation.
- Blend of the two methods.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity standard implemented by the United States Department of Defense (DoD). This unified program increases the security of companies operating in the government supply chains. The first version of the CMMC came out in January 2020, and a minor update to Version 1.02 was made in March 2020.
The plan is to gradually migrate from NIST 800-171 to the CMMC framework later this year. CMMC will unfurl moderately, and eventually replace the NIST 800-171 compliance. Commencing September 2020, some RFPs will include the CMMC requirements, and by 2026, all DoD contractors will require CMMC.
No Self- Attestation
Previously, the NIST framework allowed self-attestation for all companies. However, with the new CMMC framework in place, there is no option for self-attestation. The CMMC framework will require all organizations within the supply chain seeking compliance to work with an accredited, independent third-party company to perform a CMMC assessment.
Levels of CMMC
The CMMC maturity processes ensure the systemization of cybersecurity activities so that they are consistent, repetitive, and of a high standard. The framework contains five maturity processes and 171 cybersecurity best practices spanning across these five maturity levels. These practices also provide a range of mitigation across the levels. Right from basic protection at level one, to extensive protection of CUI at level three, and finally culminating with reducing risks from Advanced Persistent Threats (APTs) at higher levels of four and five.
These levels are comprehensive with both security control and the processes that enhance a company’s cybersecurity. The DoD’s expectation with the companies is that they’ll meet both the processes and practices to meet a given level which is stipulated by the department for a company.
Hence, the level that a subcontractor needs to meet may not be the same as their prime contractor. The DoD contracts determine a specific level that a subcontractor or a prime company should meet. It may be that smaller companies will only need to meet level one or two to continue working in the supply chain.
Safeguarding Federal Contract Information (FCI)
Level One Practices:
- Firewall with monitoring
- Segment and control public-facing connection
- Device inventory
- Software inventory
- User and access management
- Log and escort visitors
- Badges and keys
- Data disposal
- Update systems
- Acceptable Use Policy
- Access Control Policy
- Physical Security Policy
- Asset Management Policy
Level two is the transitioning step in cybersecurity maturity progression to protect CUI
Level Two Practices
- CMMC level one completion
- System event logging/retention
- Awareness and role training
- Hardware/software inventory
- Secure baselines
- Multi-factor authentication (MF) for remote access
- Conduct, test, and encrypt backups
- Vulnerability scanning and remediation
- Identify unauthorized use
- Incident response procedures
- And many more…
- Vulnerability Management Policy
- Data Transfer Policy
- Incident Response Policy
- Password Policy
- Secure Baseline Policy
- Change Management Procedure
- Teleworker Policy
- Data Classification
- Information Security Policy
Level three Practices
- CMMC level two completion
- 800-171 controls
- No POA&M items
- Offsite backups
- Centralized logging
- Risk assessments
- Continuous monitoring
- DNS filtering
- Many more…
- Social Media Policy
- CUI Handling Procedure
- Information Security Plan
Protection of CUI and prevention of Advanced Persistent Threats (APTs)
Level Four Processes: Reviewed
It contains a full review of past practices for effectiveness. It also includes a glimpse of higher-level management of status or issues on a periodic basis.
Level Four Practices: Proactive
This level requires companies to be proactive in safeguarding the CUI from APTs. The NIST SP 800-171B demands enhanced detection and response capabilities from the organizations.
Protecting CUI and reducing the risk of APT.
Level Five Processes: Optimizing
This will require an organization to take corrective action towards improving process implementation across the organization.
Level Five Practices: Advanced/Proactive
Enhanced depth and sophistication of cybersecurity capabilities.
The Overlap of NIST 800-171 and CMMC
Since the CMMC framework will take some time to be fully effective, there will be a period where both- the CMMC and NIST 800-171 will be in effect. From September 2020, some RFPs will include CMMC requirements.
Hence, suppliers working under DoD contracts may be complying with NIST 800-171 on some contracts, and CMMC on others. Also, there is a direct relation of NIST 800-171 with CMMC level three requirements.
Please note that no existing contracts will have CMMC requirements inserted into them. These levels and requirements are for future contracts. You will need these certifications at the time of award to win a contract.
NIST 800-171 is the foundation of the CMMC progression levels and requirements. The NIST 800-171 contains fourteen families of requirement and within that, a total of 110 individual requirements. The CMMC levels one to three encompasses the110 security requirements and there are 171 total practices across the five levels of CMMC.
What is CUI?
CUI means all the unclassified information created by the government, or an entity on behalf of the government, but needs safeguarding. CUI, although not firmly regulated by the federal government, is sensitive information that is relevant to the interests of the US and its national security.
These are information that resides in your company’s internal systems. CUIs are also referred to as “Covered Defense Information”. The “Covered Contractor Information Systems” stores all unclassified information. This indicates the unclassified information owned by a contractor and that processes, stores, and transmits covered defense information.
System Security Plans (SSP) and Plan of Action with Milestones (POA&M)
For contract initiation and renewal with prime or other subcontractors, contractors need to show proof of compliance with NIST 800-171. Therefore, they maintain and develop formal documents for submission to these DoD contractors. These documents include a Systematic Security Plan (SSP) and a Plan of Action with Milestones (POA&M).
These Documents will have a value for the companies and add in the strengthening of their security postures, however, they are not sufficient for CMMC compliance. The written plans to meet the compliance will also need an assessment from an accredited third-party organization.
Companies who have developed a POA&M to meet all the controls of NIST 800-171, may not be meeting all of them currently. While in the past, they could compete with other companies who took the effort to meet all the controls. Having these documents will surely have its advantage and provide a competitive edge to the companies to meet all the CMMC requirements.
With CMMC, there is no option of self-attestation and hence, there is no POA&M in CMMC. However, the development of SSPs and POA&M does offer value to the company for internal planning purposes.
Who Needs to Comply?
All the companies and organizations in the federal supply chain should comply with NIST 800-171. If an entity is dealing with government-controlled unclassified data, they’ll need to comply with NIST 800-171 or CMMC depending on their contract.
Organizations that typically deal with this kind of information include universities, research institutes, consulting companies, service providers, and manufacturers, especially the prime contractors in the manufacturing industry. These entities have CUI on-premise, typically stored on a cloud-based, or provider-based system application. Also, companies that solely produce Commercial-Off-the-Shelf (COTS) products do not require CMMC.
The compliance process and standards must be met by everyone who processes, stores, and transmits potentially sensitive CUI for the DoD, GSA, NASA, or other federal and state agencies. These contractual agency relationships then flow down to the subcontractors and hence, the compliance process is not just limited to prime contractors. The repercussions of not complying with the requirements can lead to the loss of customers.
On the brighter side, companies that have embarked on the efforts to comply with NIST 800-171 or CMMC, will have a competitive advantage in the market. Also, one can make significant progress on the path to comply with NIST SP 800-53, when they comply with NIST 800-171 or CMMC.
Do Only Manufacturers Need to Comply?
Although manufacturers account for a significant number of companies complying with NIST 800-171 and CMMC, there are many other organizations who need to comply with these requirements.
Anyone who deals with CUI must comply with government regulations. This may include engineering organizations, procurement services companies, fleet management companies, and staffing firms, in addition to manufacturing companies. All the companies in a federal chain, prime and subcontractors, and any other contractors face an impact of CMMC and NIST 800-171 models at differing intensity.
NIST 800-171 Security Families
The NIST 800-171 Publication has fourteen different security families of IT security requirements in NIST 800-171.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- Systems and Communication Protection
- System and Information Integrity
CMMC Potential Domains
The requirements of CMMC levels have similarities with NIST 800-171, mostly at the first three levels.
1. Access Control (AC)
- Set-up system access requirements.
- Administer internal system access.
- Administer remote system access.
- Restrict data access to sanctioned users and processes.
2. Asset Management (AM)
- Identify and document assets.
- Manage asset inventory.
3. Audit and Accountability (AU)
- Define audit requirements.
- Perform auditing.
- Identify and protect audit information.
- Review and manage audit logs.
4. Awareness and Training (AT)
- Conduct security awareness activities.
- Conduct training.
5. Configuration Management (CM)
- Establish configuration baselines.
- Perform configuration and change management.
6. Identification and Authentication (IA)
- Grant access to authenticated entities.
7. Incident Response (IR)
- Organize incident response.
- Discern and describe events.
- Create and execute a response to a declared incident.
- Accomplish post-incident reviews.
- Assess incident response.
8. Maintenance (MA)
- Manage maintenance.
9. Media Protection (MP)
- Identify and mark
- Protect and control media.
- Sanitize the media.
- Protect media during transport.
10. Personnel Security (PS)
- Screen personnel
- Protect CUI during personnel actions.
11. Physical Protection (PE)
- Limit physical access.
12. Recovery (RE)
- Manage backups.
- Manage information security continuity.
13. Risk Management (RM)
- Identify and evaluate risk.
- Manage risk.
- Manage supply chain risk.
14. Security Assessment (CA)
- Develop and manage a system security plan.
- Define and manage controls.
- Perform code reviews.
15. Situational Awareness (SA)
- Implement threat monitoring.
16. Systems and communications protection (SC)
- Define security requirements for systems and communications.
- Control communications at system boundaries.
17. System and Information Integrity (SI)
- Identify and manage information system flaws.
- Identify malicious content.
- Perform network and system monitoring.
- Implement advanced email protections.
NIST Requirements- Briefly Described
Within the above mentioned fourteen families, there are a set of basic and derived security requirements that must be evaluated and established. Across these fourteen families, there are another 110 individual items that must be verified.
There are four main groups that summarize the requirements of NIST 800-171:
- Control: Data management controls and processes.
- Monitoring and Management: Real-time monitoring and management of defined IT systems.
- End Users Practice: Documented, well defined, end-users practices and procedures.
- Security Measures: Implementation of defined security measures.
Cost of NIST Compliance
Cost to comply with NIST depends on multiple factors such as the size of the organization, types of technology you are already using, and want to upgrade, how much CUI do you hold, for which level do you want the compliance certificate and many more.
Generally, assessments by an outside party for very small organizations is between $5,000-$7,500 range. The cost can scale up depending on the number of employees, physical locations, and systems that need assessment.
The two major factors that will impact costs are processes and technology. A security-savvy company that already has the processes in place, will need assessment. Hence, companies having a modern workstation and the latest software will usually have less workload than companies who need to upgrade their traditional technology.
What if Someone Doesn’t Comply?
NIST is a non-regulatory agency of the Department of Commerce, USA. Although the auditors won’t scan your premises for scrutiny, it will put your contract at risk.
There are repercussions for being non-compliant. Whenever it comes to an auditor’s notice that a company has not achieved compliance, they risk losing the contract. An auditor can ask a prime contractor about their plan of compliance with the NIST 800-171 mandate. Similarly, the prime contractors can also ask for the compliance plan from their subcontractors.
If one does not comply with the NIST 800-171 mandate or does not have a plan for the compliance process, they will no longer be eligible for any future contract with the DoD. If a government contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list.
In the context of CMMC, a contractor will not be able to participate in a contract unless the company meets the requirements. There are no fines involved, however, you’ll no longer be able to participate in DoD contracts.