What Does NIST/CMMC Compliance Mean?
In our previous article we looked at what NIST means in the context of cyber security. In this article we’ll take a closer look at what it means to be NIST compliant. NIST compliance is mandatory for all U.S. federal agencies as of 2017. As a result, if your company is doing work for the federal government your company will need to be compliant as well. If you are doing business strictly in the private sector, then the use of the NIST security frameworks is voluntary.
Compliance with NIST means aligning your business with the guidance of a particular NIST standard. The NIST framework is comprehensive. The portions of NIST that apply to your organization will depend on its size and industry. As an example, both NIST 800-53 and NIST 800-171 are common, and both use attestation as proof of compliance.
The Cybersecurity Maturity Model Certification (CMMC) is a little different. CMMC is an emerging cyber security framework which covers much of the same scope as NIST 800-171. CMMC builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component to the cybersecurity requirements. CMMC is applied in levels. It’s designed to be affordable for small business to implement at the lower levels. CMMC uses accreditation as proof of compliance. If you need to comply with the CMMC model you will need 3rd party certification. Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) can issue CMMC certificates to businesses.
When Does My Business Need to Be NIST Compliant?
Most businesses will need to be NIST compliant to bid on contracting opportunities within the government’s bidding portal. This can vary by government department, but most Federal agencies, such as the DoD, require you to submit a statement that confirms you are compliant when submitting your bid. However, most large government contracts are bid by huge companies who are, in turn, responsible for completing the work themselves or hiring smaller subcontractors that are NIST compliant. This means that if you would like to be listed as a vendor for one of these larger companies working with the government, you should have your NIST certification complete.
What NIST Security Standard do I need to Comply with?
So far, we have mentioned three main security standards, NIST 800-171, NIST 800-53, and the newer CMMC model. Which one you need to be compliant with depends on what branch of the government you are doing business with and what formal business arrangements have been made. At this point most organizations doing business with the U.S. government will need to comply with NIST 800-171 or NIST 800-53. Carefully go over your contract with an expert and identify which designation you must meet. This is something we at Cubed Corps can help with. By working through your contract with you we can help ensure that you are on the right path to compliance.
Is There a NIST 800-171 Compliance Handbook to Follow?
You can find all the compliance information for NIST 800-171 on their government website linked here. The documentation section on the right side of the page includes downloadable publication files you can check out for reference. Chapter 3, of the first document, lists all of the requirements that may be helpful to get you started.
Are There Any Checklists or Spreadsheets Available About NIST Certification?
There is a Cyber Security Evaluation Tool we have found helpful that has different requirements for NIST 171, 800-53, etc. We also have developed an explanation checklist to help you understand the different sections of NIST 800-171 Certification that can be accessed here.
What is The First Step in any NIST 800-XXX?
The first step in understanding security certification is to audit your contracts to see what security standard is required. This will then allow you to look into all of the requirements for that certification process. Each certification has different requirements that can sometimes cross over into one another, but it is important to make a list of all the certifications that your contracts require first.
How Long Does It Take to Become NIST800-171 Compliant?
The answer to this depends on the size and complexity of the organization. Small organizations may take as little as a month while larger organizations may take years to fully complete all the required changes. Much of the process requires creating processes, auditing vulnerabilities, and ensuring standards are in place to protect and monitor security moving forward. This process can be expedited if you are working with an experienced consultant who has worked through the process before. Currently, for NIST 800-171 there is no certification body to certify against, so the process really does go as fast as your organization can complete the requirements.
How Can I Prepare Now For Cybersecurity Maturity Model Certification (CMMC)?
It’s important to know what level of the CMMC will be required for your organization. Most contractors have access to minimal controlled unclassified information (CUI) to supply the DoD and other agencies requiring CMMC certification. These businesses need the lowest level of CMMC because they have access to CUI such as a few email addresses and order quantities for items such as paper products or cleaning supplies. The more CUI your business requires access to in order to complete your work, the higher the level of certification. Review some of the current bidding opportunities currently available to see what level is required for the type of contracts your business is seeking to compete with, and you will be able to understand the level you should pick for CMMC. If you have a specific question about your business’ CMMC certification, please don’t hesitate to contact us! We’re more than happy to help you get started.