Since the passing of the Defense Acquisition Federal Regulation Supplement (DFARS), many U.S. Department of Defense (DoD) suppliers have already implemented the NIST SP 800-171 (Rev. 1) cybersecurity controls required by the mandate.
However, with the upcoming release of the Cybersecurity Maturity Model Certification (CMMC), many DoD contractors are unsure whether implementing NIST 800-171 (Rev. 1) has properly prepared them for certification, and which CMMC maturity level that implementation most closely resembles. This article aims to clear up some of that confusion and ease DoD supplier concerns.
Please note that the information presented in this article is based on draft version 0.7 of CMMC. We will update this article as the Office of the Under Secretary of Defense for Acquisition & Sustainment releases updated versions of CMMC.
NIST SP 800-171 Rev. 1 Closely Resembles CMMC Level 3
As outlined in the table graphic below, NIST SP 800-171 (Rev. 1) security controls (plus an additional 21 recently added “practices”) should be sufficient to certify contractors up to CMMC Level 3.
Will CMMC Level 3 Be Enough for Your Company?
The DoD has stated that it believes CMMC Levels 1-3 will sufficiently cover 95% of DoD contract requirements. If Level 4 or 5 is required, contractors will need to implement additional controls, including NIST SP 800-171 (Rev. B) plus an additional 24 practices, to be certified at those levels.
Getting Help
If your company needs help implementing NIST SP 800-171 Rev. 1 controls, or the additional controls in Rev. B, we can help. We have helped over 50 DoD contractors throughout the world navigate the complexities and financial hurdles of the NIST requirements. We have worked closely with our customers to ensure they are compliant with DFARS 252.204-7012 and now we are working with them to achieve the CMMC certification level they need to be competitive in the industry. For more information, please visit our CMMC Readiness Page. If you’d like to speak with someone about preparing for a CMMC audit now, feel free to give us a call at (240) 453-4146 or schedule a CMMC Readiness Consultation now.