CMMC v2.0 vs NIST 800-171: Understanding the Differences

The U.S. Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. 

With over 250,000 DIB companies and their subcontractors involved in the sector, including domestic and foreign entities, the supply chain presents a huge attack surface for sensitive federal and controlled unclassified information, and ultimately, for national security.

Various government agencies have developed cybersecurity frameworks intended to keep up the standards of security required around government information. Each has played its part in driving high levels of security and each has influenced the other. We will take a look at the two central cybersecurity frameworks employed by the US Government to mitigate supply chain risk and talk about some of the significant changes happening right now.

CMMC v2.0 versus NIST 800-171

What is NIST 800-171?

NIST (the National Institute of Standards and Technology) is a US Government agency that helps other federal departments manage their risks and is well known for developing cybersecurity standards and frameworks. Its collection of best practices and guidelines drives the cybersecurity of public and private organizations and plays a huge part in protecting national security. Notably, NIST has developed a number of Special Publications written especially for federal agencies to regulate the cybersecurity posture of the third parties and contractors with whom they work.

NIST SP 800-171 lays out the requirements for any non-federal organization that handles controlled unclassified information (CUI) or other sensitive federal information, and details how that information should be protected. First published in 2015, its goal is to strengthen the federal supply chain and ultimately protect national security as a whole.

The “800-171”, as it’s known, is made up of 110 controls divided into 14 control families, and takes around half a year to implement. It’s important to note that there is no certification to prove compliance with this framework. It was originally developed to provide guidance for the DFARS clause (the Defense Federal Acquisition Regulation Supplement), the original cybersecurity requirement from the DoD.

DFARS & NIST 800-171

Since DFARS is still a listed requirement in most government contracts, if you are bidding on a contract or have been awarded the work, you’ll need to be compliant with all 110 NIST 800-171 controls in order to fulfill the DFARS clause. DFARS does not address the CMMC at all, but a new clause is currently being drafted for this purpose.


What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a collection of cybersecurity requirements that the Department of Defense (DoD) obligates its contractors and subcontractors to meet, so that the DoD has assurance that they uphold the required security standards. It was created by the DoD to arm the DIB with the tools to meet evolving cybersecurity threats and to safeguard the information it holds. DoD contractors prove their cyber maturity level by meeting the requirements set out at each level.

Version 1.0 of the standard was created back in January 2020 in response to the increasing compromise of defense information through contractors’ vendor networks. CMMC is based on both DFARS and NIST 800-171 and includes all 110 controls and more.

CMMC Version 1.0 was originally made up of 5 maturity levels, each building upon the preceding one. To graduate through the maturity levels of version 1.0, you needed to demonstrate both the technical practices and the maturity processes of each level, starting at level 1.

CMMC Version 1.0

  Level    Practices and processes          Maturity
  Level 1  17 practices                     BASIC
  Level 2  72 practices, 2 processes        INTERMEDIATE/TRANSITION
  Level 3  130 practices, 3 processes       GOOD
  Level 4  156 practices, 4 processes       PROACTIVE/TRANSITION
  Level 5  171 practices, 5 processes       ADVANCED

In March 2021, the DoD undertook an internal review of the CMMC and announced significant changes in November 2021. The updated CMMC Version 2.0 condenses the 5 levels into 3, which we’ll expand upon below.

If the CMMC is largely based on NIST 800-171, why did the DoD need to create the CMMC? 

Unfortunately, because there was no certification, the DoD found that contractors were claiming to uphold all of the NIST 800-171 standards when in reality they were not. The DoD decided that it was necessary to develop a certification process to verify that contractors were compliant with a basic set of cybersecurity controls: the CMMC.

Recent Updates to the NIST 800-171 and the CMMC

NIST 800-171 

Whilst all federal contractors were contractually required to uphold 800-171, compliance was not audited in the past, and it was up to each agency to check on its vendors’ compliance.

In 2020, the Department of Defense (DoD) began to require defense contractors to prove compliance through a self-assessment using a points-based system: an honor system, if you will. After completing the self-assessment, contractors must submit their scores to the DoD’s Supplier Performance Risk System (SPRS). A System Security Plan (SSP) is also required, containing comprehensive details of the organization’s networks, systems, processes, policies and security controls. Until this point, contractors needed to have everything in place in order to receive and commence work.

CMMC Version 2.0

The new version of CMMC has been restructured into 3 levels to better reflect how mature and reliable a company’s cybersecurity infrastructure is. It eliminates all the maturity processes from the previous version, removes v1.0 levels 2 and 4, which didn’t achieve much, and with them removes the 20 “delta” practices that went beyond the 110 NIST 800-171 controls.

In a significant move, the DoD introduced the Plan of Action and Milestones (POA&M), through which organizations that have not yet fully implemented 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline. The POA&M is submitted before work begins and enables organizations to begin working for federal agencies whilst they simultaneously work towards full implementation of 800-171.

  CMMC Version 1.0                  CMMC Version 2.0       Model                                          Assessment Requirement
  Level 1 (based on DFARS)          LEVEL 1 Foundational   17 practices from NIST 800-171                 No third-party assessment. Do an annual self-assessment and upload the score to SPRS.
  Level 2                           (removed)
  Level 3 (NIST 800-171)            LEVEL 2 Advanced       110 practices, aligned with NIST 800-171       Critical CUI handlers will be assessed by a C3PAO three times a year. Handlers of non-critical CUI will only need a self-assessment, like level 1.
  Level 4                           (removed)
  Level 5 (NIST SP 800-172)         LEVEL 3 Expert*        Over 110 practices, based on NIST 800-172      Government-led assessment three times a year.

  • CMMC certifications can only be issued by a Certified 3rd Party Assessment Organization (C3PAO), but no company has yet been “certified to certify”.
  • Criticality has not yet been defined, which is important to keep in mind for those attempting level 2 maturity.
  • Guidance has been published to allow companies to prepare for the upcoming implementation, predicted to be within 18-24 months.
  • *Expert Level 3 has not yet been developed and will be based on NIST SP 800-172.

Harmonizing NIST 800-171 and CMMC v2.0

NIST 800-171 is an incredibly worthwhile cybersecurity framework, with no certification of its own, designed to safeguard CUI on the networks of third-party government contractors and subcontractors. CMMC is a soon-to-be mandatory framework that draws from 800-171 and 800-172.

The introduction of CMMC v2.0 is the result of a risk mitigation effort in an area where self-attestation failed. While the DoD works on finalizing the new rules and certifications, companies are encouraged to boost their cybersecurity efforts in preparation.

NIST 800-171 will act as a bridge for those who want to achieve compliance with CMMC. Avoid last-minute stress and pressure to comply by beginning to prepare now. It will take time, and plenty of information is available to make a worthy start.

To begin preparing your organization for CMMC compliance, see how Centraleyes’ modern GRC solution can automate your efforts and prepare you with NIST 800-171 to meet the upcoming CMMC v2.0.
