To protect Controlled Unclassified Information (CUI) held by its contractors, the Department of Defense (DoD) began requiring compliance with NIST SP 800-171 through the DFARS 252.204-7012 clause, finalized in 2016 with full implementation required by the end of 2017. (Federal Contract Information (FCI), a less sensitive category, is covered by the basic safeguarding requirements of FAR 52.204-21 rather than by NIST 800-171.) The requirement obliged organizations that fulfill DoD contracts to implement a defined set of security controls on the systems that receive, transmit, store or create CUI.  After several years under this requirement, the DoD concluded that self-attestation alone was not reliably producing implementation of the controls and evolved the program into the Cybersecurity Maturity Model Certification (CMMC), which adds independent verification.  CMMC has gone through several iterations; the key differences between the original NIST 800-171 regime and the latest version of the program, CMMC 2.0, are outlined below.

NIST 800-171:

  • Scope: NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations that handle it under federal contracts. It is a catalog of security requirements those organizations must implement to protect the data.
  • Structure: The framework (Revision 2, the version CMMC 2.0 references) is divided into 14 control families totaling 110 controls, covering areas such as access control, risk assessment, audit and accountability, and incident response.
  • Implementation: Under DFARS 252.204-7012, NIST 800-171 is implemented on a self-assessment basis. Organizations are responsible for implementing the controls, documenting them in a System Security Plan (SSP), and attesting that they have done so. Since 2020 (DFARS 252.204-7019/7020) they must also score their own implementation using the DoD Assessment Methodology and post that score in the Supplier Performance Risk System (SPRS).
  • Certification: There is no formal certification process for NIST 800-171. Beyond the self-reported SPRS score, compliance is checked only if the DoD chooses to conduct a Medium or High assessment of the contractor, or during contract audits and government reviews.

CMMC 2.0:

  • Scope: CMMC 2.0 builds on NIST 800-171 but introduces a tiered approach: the level a contractor must reach depends on whether it handles only FCI or also CUI, and on how sensitive that CUI is. Its goal is to standardize cybersecurity requirements, and the verification of them, across the Defense Industrial Base (DIB).
  • Structure: CMMC 2.0 has three levels, down from the original CMMC’s five levels. These levels are:
    1. Level 1: Basic cyber hygiene. Covers the basic safeguarding requirements of FAR 52.204-21 (described as 17 practices in the CMMC 2.0 materials, all of which also appear among NIST 800-171’s controls). This is the level for organizations that handle only Federal Contract Information (FCI).
    2. Level 2: Maps one-for-one to NIST 800-171’s 110 controls. It is the level for organizations that handle CUI, and it adds an assessment requirement: some contracts accept a self-assessment, while others require an assessment by an accredited third-party assessment organization (C3PAO).
    3. Level 3: Adds a selected subset of the enhanced requirements from NIST SP 800-172 on top of Level 2. It corresponds roughly to CMMC 1.0’s Level 5 but with fewer overall requirements, and is reserved for the most sensitive CUI programs.
  • Implementation: Level 1 is self-assessed annually, similar to the NIST 800-171 process. Level 2 requires either a self-assessment or a C3PAO assessment, depending on the contract, repeated every three years. Level 3 assessments are conducted by the government (DCMA’s DIBCAC), not by a C3PAO.  CMMC 2.0 also formalizes the Plan of Action and Milestones (POA&M) process: an organization that is not yet fully compliant can be conditionally certified with a POA&M covering a limited set of lower-weighted requirements, but must close those items within 180 days to keep its status.
  • Certification: CMMC 2.0 introduces formal certification for certain levels. Level 2 contracts involving more sensitive CUI require C3PAO certification, other Level 2 contracts accept a self-assessment, and Level 1 relies on self-assessment only. At every level a senior official of the organization must affirm continuing compliance annually.

Key Differences:

  • Scope and Structure: CMMC 2.0 is tiered, matching the required level to the sensitivity of the information handled (FCI only, CUI, or high-priority CUI), whereas NIST 800-171 is a single set of controls applied to every contractor that handles CUI. The Level 2 control set itself is the same 110 controls; what changes is how implementation is verified.
  • Certification and Assessment: CMMC 2.0 introduces a formal certification process for certain levels, requiring third-party (C3PAO) or government assessments, whereas NIST 800-171 relies on self-assessment and occasional government audits.
  • Implementation: CMMC 2.0 has stricter requirements at higher levels and verifies them through independent assessment, providing a more robust approach to compliance than NIST 800-171’s self-assessment model. Its POA&M model gives organizations that are not yet fully compliant a time-bounded path to get there, instead of the open-ended POA&Ms tolerated under NIST 800-171 alone.

In summary, CMMC 2.0 builds on NIST 800-171 but adds structure and formal, independently verified certification at certain levels, aiming to create a more consistent and reliable approach to cybersecurity across the defense industry.  We understand that it can be challenging for an organization in the DIB to comply with CMMC, or even to understand what is required to become CMMC compliant.  This is why we have built a resource library to guide you on your CMMC compliance journey.