Introduction to NIST 800-171 cybersecurity framework
The National Institute of Standards and Technologies issued NIST Special publication 800-171 cybersecurity framework to provide guidance, deliver requirements, and set expectations for Federal contractors and suppliers doing business with the Department of Defense (DOD).
NIST 800-171 vs NIST 800-53
NIST 800-171 consists of 171 security controls that cover the range of security topics including physical and logical technical controls, intrusion detection and response, as well as expectations for supporting function such as asset inventory and change management, personnel and process management. For those of you who have worked with the NIST Cybersecurity Framework (NIST CSF) whose basis is NIST 800-53 with requirements for operating Federal systems, you can think of NIST 800-171 as a focused subset of 800-53, developed for suppliers operating non-Federal systems doing work under Federal contracts.
But unlike NIST 800-53, it puts far greater emphasis on data management. It provides prescriptive guidance on how to handle Controlled Unclassified Information (a.k.a. “CUI”). Plainly put, the Fed wants its suppliers to be careful not to divulge any information to anyone without a lawful government purpose, so as to avoid it lending clues to National Security activities, strategies or tactics.
The advent and impact of Cybersecurity Maturity Model Certification (CMMC)
While there is currently no certification for NIST 800-171, the Federal Governement has codified these expectations as the basis for a Federal certification program called the Cybersecurity Maturity Model Certification, or CMMC. This program was unveiled in 2020 and affects no less than 220,000 Federal supplies.
Every company engaged in Federal contracts is subject to it — and not just to the part that seems to cover the service or product it is providing. The approach encompasses ALL capabilities required to perform the contract–including those shared with the commercial arm of the company or those subcontracted out to a third party.
Insights from the Southwest regional CMMC conference
I attended the Southwest Regional CMMC conference in December 2023, and it was an eye-opener. The one day intensive event was focused on implementation. And while the audience was small (approx. 75 people), it brought together the top experts who are focused on interpreting this confusing regulation to support the handful of assessors currently authorized to certify on behalf of the Federal Government.
Speakers included Tommy Baril from the U.S. Government Accountability Office – Defense Capabilities Management Team, Andrew Gentin from the U.S. Department of Defense, Matt Travis from the Cyber Accreditation Body (Cyber AB), and leading private regulation authority Regan Edens (DTC Global) who manages the CMMC Industry Standards Committee.
Navigating the complexities of CMMC regulation and certification
The regulation is currently rife with conflicts, as different arms of the Federal government who have heretofore operated completely independently as contracting authorities are being forced align with the new program. While this is being sorted out, it places every Federal contract in potential jeopardy as companies with current contracts try to determine which of the 3 maturity levels it must achieve to maintain its Federal contracts.
Because of these conflicts, it is almost impossible at this time for companies doing business on government contracts to determine their classification and what requirements they must meet. They need help.
Personal motivation and commitment to Cybersecurity post 9/11
I was motivated to join the Cybersecurity community in 2001 as a direct result of 9/11 and see CMMC as the logical next step by the Federal Government to codify security practices and to push them down to their government suppliers in the name of National Security. Therefore, I’ve decided to join the community that is preparing to meet this challenge in helping companies to improve their security practices, meet their contract obligations, and preserve their government business. Over the next weeks and months, expect I’ll be sharing this journey with you.
For more information on this topic, see: https://dodcio.defense.gov/CMMC/About/
Bar Lockwood is a Principal Security Consultant for Kalles Group, Seattle, WA. She has 25 years of experience in Cybersecurity and helped pioneer the integration of security into software development.