NIST 800-171 / CMMC 2.0 support

We take immense pride in providing consulting services to numerous clients,
helping them achieve their ISO certification goals.

NIST 800-171/CMMC 2.0 Cybersecurity Support

To safeguard sensitive national security information, the Department of Defense (DoD) launched NIST 800-171, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.

DoD suppliers, defense contractors and their supply chains are required to comply with the 110 controls of NIST 800-171 in order to be considered qualified suppliers.

The NIST 800-171 framework is designed to protect sensitive unclassified information that the Department shares with its contractors and subcontractors, and to provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level proportionate to the risk from cybersecurity threats.

Under the NIST 800-171 program, DIB contractors are required to implement certain cybersecurity protection standards and, as required, perform self-assessments, conduct an information security vulnerability assessment, and develop a System Security Plan (SSP) as well as a Plan of Action and Milestones (POA&M) to address any controls that have not been implemented. The NIST score, the name of the SSP and the date by which all controls will be implemented must be entered on the DoD's SPRS website.

The CMMC 2.0 compliance levels range from Foundational (Level 1) to Expert (Level 3). At Level 1, CMMC requires contractors and applicable subcontractors to verify through self-assessment that all applicable security requirements outlined in FAR clause 52.204-21 have been implemented. This self-assessment must be performed annually, and the results must be entered electronically in the Supplier Performance Risk System (SPRS) (see § 170.15 for details on CMMC Level 1 Self-Assessment requirements and procedures, and specifically § 170.15(a)(1)(i) for the information collection).

For CMMC Level 2, contractors and applicable subcontractors are already required to implement the 110 security requirements currently mandated by DFARS clause 252.204-7012, which are aligned with NIST SP 800-171 Rev 2.

For CMMC Level 3, when CMMC becomes a final rule, contractors and applicable subcontractors will be required to implement the 24 selected security requirements from NIST SP 800–172. CMMC Level 2 is a prerequisite for CMMC Level 3.

NIST SP 800-171, Revision 3 has been released as a Final Public Draft; the comment period has closed.

Using a variety of industry-standard tools, FY Consulting can scan your IT assets for security vulnerabilities, open ports and services, and identify opportunities to harden those assets against attack. We provide detailed assessment reports that list the vulnerabilities found by severity, along with correction and remediation guidance to improve your organization's overall information security posture.

FY Consulting can also assist you in conducting a gap analysis against the NIST requirements, developing your SSP and POA&M, and becoming fully compliant with the 110 controls. We can also help companies currently using commercial cloud services such as Microsoft M365 migrate to Microsoft's Government Community Cloud (GCC and GCC High) to facilitate NIST 800-171/CMMC compliance.

For additional information, email or call 908-875-7466.


Contact Us

Get a Quote

We'd love to hear from you! If you are in need of ISO Family of Standards, Regulatory or Cybersecurity Compliance Support Services, call us at 908.875.7466 or fill out and submit this form. A member of our team will get back to you shortly.
