
Comparing NIST and CMMC

If you’re one of the 300,000 contractors and subcontractors working on projects for the DoD, you’ve likely heard of CMMC. You might have spent the past year thinking of little else. While there’s a lot of information floating around about the new compliance requirements, there are also many unanswered questions and a massive amount of tension surrounding the standards. For many contractors and subs, the big question is why. This is usually followed by a comparison of CMMC and NIST, and the question of whether companies will be required to perform double the safety measures of past standards.

To better understand the answers to these questions, it helps to learn why the NIST standards, and now CMMC, came about. While NIST and CMMC are similar and use some of the same regulations, there are some distinct differences. NIST provides a major part of the framework for CMMC, but CMMC also offers answers for some of the problems that plagued the delayed rollout and lack of success with the implementation of NIST. The two are parts of a complete system designed to target modern cybersecurity threats and address the compliance issues that have defeated past attempts at effective cybersecurity.

This guide will help contractors understand why both NIST and CMMC came about and the similarities and differences between the two.


The Implementation of NIST Standards for DoD Contractors

NIST SP 800-171 was published in 2015 by the National Institute of Standards and Technology (NIST) to ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations (like the associated contractors and subcontractors). The standards were introduced in 2018 as a set of recommended security requirements for protecting the confidentiality of CUI.

NIST SP 800-171 was derived from DFARS Clause 252.204-7012, which requires contractors and subcontractors to safeguard covered defense information, report cyber incidents, submit malicious software, and facilitate damage assessment. These standards were the same for all contractors involved with any type of DoD contract. All DoD contractors are required to abide by DFARS and implement the NIST SP 800-171 standards. However, contractors were required to self-certify and “flow” compliance down to subcontractors. Under this model, organizations used the NIST standards to create and implement a cybersecurity plan. Self-certification required a contractor to state they were compliant, or working toward a plan of compliance that aligns with the 110 standards outlined in NIST SP 800-171.

To address government-level cybersecurity threats, the NIST standards are all-encompassing and can be complicated to decipher and implement. This meant many contractors weren’t in complete compliance. Additionally, when a compliance issue came to light, remediation plans were lenient, allowing the contractor to outline a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). These plans could take several months to implement, and the contractor could continue the contract in the meantime. With these difficulties, adoption rates of NIST compliance among DoD contractors remained low.

The Introduction of CMMC to Ensure DoD Cybersecurity Standards Are Met

The difficulties and reluctance surrounding NIST compliance meant government agencies needed a better solution. With ever-increasing cybersecurity breaches, contractors and subcontractors without proper security measures presented a dangerous vulnerability. Even those companies without access to vital information offer a doorway for hackers to get into the systems they target. Largely based on the framework of NIST SP 800-171, CMMC was introduced on January 31, 2020, as a more comprehensive cybersecurity solution for DoD contractors and subcontractors.

Instead of requiring every contractor to meet the same stringent security levels, CMMC created levels of security compliance standards based on the needs of the specific government contracts. This way, a contractor with a specific level of CMMC can bid on projects requiring that security level. While CMMC levels begin with the implementation of certain NIST standards, the upper levels include additional practices and processes to increase security to match growing threats. CMMC will be implemented across all DoD contracts over a phased rollout system to be completed by 2026.

Similarities of CMMC to NIST

The NIST standards enforced by DFARS and CMMC have the same goal: to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) in the possession of contractors and subcontractors. The standards set by NIST were useful in meeting this goal. Still, it would be difficult to define the complete implementation of the standards as anything more than a failure. Using the same standards, CMMC creates a more digestible format with clearly defined markers of compliance and penalties for non-compliance.

While CMMC seems like an entirely new set of regulations, it’s worth noting that DoD contractors already compliant with NIST are a step ahead when it comes to meeting lower levels of CMMC compliance. Understanding these similarities between the NIST standards and CMMC levels can help alleviate some of the stress surrounding CMMC compliance.

CMMC Level 1 Is Completely Composed of NIST Standards

Level 1 CMMC requires DoD contractors to meet only the first 17 basic cyber hygiene practices outlined by NIST SP 800-171 Rev1. Defined as basic cyber hygiene, this is something every company (whether bidding on government contracts or not) should strive to achieve. For most DoD contractors and subs, Level 1 CMMC is something that’s been a part of your cybersecurity process all along.

The Implementations of NIST and CMMC Are Both Derived from DFARS

Remember, DFARS 252.204-7012 is designed to require DoD contractors to provide adequate security through a series of reporting standards. An easy way to see the connection is to consider CMMC as a vehicle to achieve NIST compliance. The goals and standards are the same, but CMMC changes the methods to make the system more easily adaptable and efficient.

Complete Compliance with NIST SP 800-171 Provides Many of the Requirements for Level 3 CMMC 

Defined as “good cyber hygiene, managed,” Level 3 CMMC requires contractors to implement all 110 NIST standards outlined in NIST SP 800-171 plus 20 additional new controls. If you are successfully applying all of the required NIST standards, most of the work to meet the most common levels of CMMC is already complete. Furthermore, it’s estimated that the majority of DoD contractors and subcontractors won’t be required to reach the highest levels of CMMC to continue the types of contracts they typically win.

Your MSSP Can Help 

If you work with a qualified managed security service provider (MSSP) to achieve NIST compliance, the same company can likely help you prepare for your CMMC audit. Your MSSP uses a variety of professional processes and tools to help companies and organizations in all industries achieve various levels of cybersecurity compliance. Using these tools to assess your company’s weaknesses and implement new cybersecurity strategies can put you on the right path to achieving your target level of CMMC compliance.

Differences Between CMMC and NIST

While there are many similarities between NIST and CMMC, there are some notable differences. After all, CMMC was created to provide a process that addresses the slow adoption rate of NIST and to improve cybersecurity to match increasing threats. When studying the differences between NIST and CMMC, you’ll understand how CMMC is designed to function more efficiently for the wide range of contractors who serve the DoD and the advanced nature of cybersecurity threats.

Levels of Compliance 

The CMMC introduces levels of compliance instead of requiring all contractors to implement the entire spectrum of NIST SP 800-171 standards. While this might seem more complicated, further investigation reveals it’s a good thing for most contractors and subcontractors. Since many DoD contractors won’t need the security required for Levels 4 and 5, they’ll face fewer regulations than under the NIST model. In many cases, organizations that require Level 1 CMMC are likely already using the processes they’ll need to obtain certification.

Third-Party Certification

Self-certification and SSPs with a POA&M were a big part of the NIST compliance model. CMMC requires DoD contractors and subcontractors to implement and document the security measures outlined by the specific NIST standards, then pass a performance audit to certify compliance. Instead of each contractor using personal criteria to self-certify, all DoD contractors and subcontractors will be required to be tested by a CMMC third-party assessment organization (C3PAO). This means organizations will be required to seek out an appointed C3PAO and schedule an audit to achieve the target level of CMMC.

Compliance Required to Participate 

When the phased rollout of CMMC is complete, all DoD contractors will have to prove compliance at the correct level before even being allowed to bid on a contract. This is the big reason contractors are encouraged to start the task of preparing for compliance as early as possible. Under NIST 171, contractors were able to self-certify and address issues with a long-term POA&M while working on a contract. By 2026, under CMMC, contractors and subcontractors won’t be able to renew existing contracts with the DoD or bid on new ones without the proper certification in place.

Subcontractors Must Prove Compliance 

In the past, prime contractors were responsible for ensuring the compliance of the subcontractors they contracted, but subs weren’t required to prove or document compliance. Under CMMC, all contractors and subs will be required to prove certification that aligns with the information they’re required to handle. This means many more companies and organizations will be required to participate. Although subcontractors will be required to take care of the implementation of CMMC standards and prove compliance at their target level, prime contractors still hold some responsibility for their subs. If any subcontractors working on a DoD contract aren’t compliant with the CMMC level required for the project, the prime contractor is deemed non-compliant.

The Cost of Non-compliance 

While NIST required mandatory compliance, the response to failures in compliance wasn’t exactly threatening. Since DoD contractors could continue working on projects while addressing cybersecurity issues, the remediation plans often weren’t taken care of quickly. Non-compliance with CMMC will work differently because of the process of certification. Initially, contractors will lose the chance to bid on or win contracts from the DoD if compliance levels aren’t met. Non-compliance from prime contractors or subcontractors will also mean the termination of government contracts and potential charges of fraud and breach of contract.

CMMC Has Added Practices and Domains 

It’s important to note that the biggest changes in standards and processes occur at the highest levels of CMMC. However, CMMC adds requirements not found in NIST starting at Level 2. The added practices in Levels 2 and 3 are designed to go beyond the protection of CUI to help DoD contractors implement a more well-rounded security system. These added practices (7 on Level 2 and 13 on Level 3) work to force organizations to implement a system that advances cybersecurity programs, increases awareness to identify and mitigate risks, and enhances protection against common threats to the DIB like phishing, ransomware, and malware.

At Level 4, 15 practices that aren’t derived from NIST enter the picture. These new practices are heavily focused on counteracting advanced persistent threats (APTs). Level 4 also adds requirements to focus on the review of the implementation and management of all cybersecurity practices and enact corrective actions when issues arise. Level 5 adds another 15 practices that build off the actions taken in Level 4 to continue the fight against APTs with the ongoing evolution of cybersecurity standards.

The CMMC also increases the number of domains from 14 to 17 through the addition of domains for asset management, recovery, and situational awareness. By subdividing these categories, CMMC makes it easier for contractors to understand exactly what standards to implement and why.

CMMC Adds Process Maturity 

While NIST concentrated largely on the application of controls and processes, CMMC adds process maturity requirements at Level 2. Instead of simply following a checklist of requirements for cybersecurity, organizations are required to ingrain the processes into the way work is carried out. To go beyond Level 2 compliance, an organization must create a policy that describes the roles and events that ensure the standards of each level are carried out. As each level builds off the levels before it, additional documents must be created, or the original document updated to reflect the changes. 

CMMC Addresses Overall Cybersecurity 

NIST concentrates on important aspects of domains representing security areas such as access control, personnel security, and auditing practices. CMMC uses these standards and includes additional practices to address overall cybersecurity tactics needed to mitigate APTs. These processes create practices to address situational awareness, cyber threat intelligence, and threat hunting. More advanced CMMC levels go a step further to address the need for a system that evolves with threats, identifies security problems, and provides real-time solutions to thwart threat actors before they access important information.

If I’m CMMC Compliant, am I NIST Compliant?

No. While the standards in NIST SP 800-171 are largely designed to protect CUI, there are additional NFO controls that must be observed to achieve total compliance with NIST SP 800-171. In Appendix E of NIST 800-171, you’ll find an additional 63 NFO controls that must be implemented. These NFO standards aren’t part of CMMC compliance. Depending solely on CMMC compliance makes it easy to forget the additional NFO controls already required by NIST and can lull organizations into a false sense of security. Furthermore, claiming NIST compliance without the implementation of NFO controls can lead to a breach of contract lawsuit.

If I’m NIST Compliant, am I CMMC Compliant?

Even if you’re in complete compliance with the 110 standards outlined by NIST 800-171, you can only achieve CMMC compliance on Level 1. While NIST compliance covers most of the practices required for Level 3 compliance, there are 20 additional practices in Levels 2 and 3 that aren’t found in NIST 800-171 guidelines. CMMC Level 1 is the only level that depends solely on practices derived from NIST. Still, contractors who are already using the 110 standards outlined in NIST 800-171 have already completed many of the objectives required for CMMC Levels 1, 2, and 3.

How CMMC Enhances the NIST Standards for Simpler Implementation and More Robust Security

Since CMMC Levels 1 and 2 require fewer standards than NIST, it would seem impossible to achieve better security standards through CMMC. However, several features of the CMMC framework make it a more thorough solution for everyone involved. Since complete NIST compliance proved difficult for many contractors, CMMC works to address those difficulties. It also adds processes necessary to provide cybersecurity measures required to keep up with the increase of sophisticated threats targeting a variety of industries and government sectors. 

Levels Provide Easier Accessibility 

The levels of CMMC work in a variety of ways to make NIST security standards easier to accomplish. Since many research projects and lower-level DoD contracts don’t require the full implementation of all 110 NIST standards, organizations can concentrate on the requirements outlined in Level 1. Additionally, subcontractors won’t be required to have the same level of CMMC as the prime contractors they work for. Instead, subcontractors can achieve compliance for the level required for the data they handle directly. 

CMMC levels even have some benefits for contractors that must reach the highest levels of compliance. First, by separating the exhaustive list of NIST standards and DFARS requirements into subcategories defined by levels, the process is easier to navigate. Additionally, each level is designed to build off the levels beneath it for a complete ladder to full compliance. 

The Elimination of Self Compliance 

While this seems like a major drawback for many contractors and subcontractors, specific requirements for compliance take all the guesswork out of compliance. Organizations will have all the details required to reach their target level of compliance, and certification lasts for three years. While there are always dangers of new cyber threats, knowing you have the right safety standards in place will help you avoid risks and the consequences of non-compliance.

The Addition of New Cybersecurity Standards 

As cybersecurity threats continue to increase, DoD contractors are more likely to become targets for malicious hackers. The addition of processes to address cybersecurity threats and increase awareness of the ways these attacks are carried out helps contractors naturally build a more robust security system. While these improved security systems help the companies who use them, they also help the DoD maintain the essential cybersecurity needed to avoid dangerous attacks that could potentially affect the entire country. Furthermore, it’s anticipated that other government agencies will adopt CMMC in the future, creating a familiar framework that helps eliminate the escalating threats to government networks. 

A More Defined Structure 

While NIST alone provides many important standards for the framework of a solid cybersecurity solution, CMMC provides instructions to put those standards in place. Besides breaking down the NIST standards into manageable sections, CMMC provides actionable steps to accomplish results. When facing the complete compliance standards of NIST 800-171, contractors could create policies that cover major NIST standards and complicated processes while eliminating simple beginning steps that leave them vulnerable to backdoor attacks. CMMC levels are designed to provide a starting point for basic cyber hygiene and the stepping stones to gradually build a complete cybersecurity program fit to meet the standards of the U.S. military. 

The purpose of CMMC isn’t to eliminate NIST standards or double the requirements for DoD contractors and subcontractors. Instead, the programs work together to provide a comprehensive way to meet the requirements outlined by DFARS and provide protection for sensitive government information. While the introduction of CMMC has created some confusion and a lot of worry, it’s expected that the implementation will go more smoothly and with a higher success rate than NIST. If you’re facing the looming requirements of CMMC compliance and need some guidance to implement a plan, contact the cybersecurity experts at BitLyft today.

Our team assists companies and organizations in every industry to reach compliance standards and create a cybersecurity plan designed to provide the protection you need to prepare for growing cyber threats today and in the future.


Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
