NIST AND CMMC PREPARATION, AUDIT & IMPLEMENTATION SERVICES
The path to NIST and CMMC compliance doesn't have to be long, complicated or expensive. We help you put the required protections in place and meet your compliance obligations in the simplest, most affordable way.
Federal contracts that involve Controlled Unclassified Information (CUI) require the contractor to implement NIST SP 800-171; for Department of Defense contracts that obligation is imposed through DFARS clause 252.204-7012.
CMMC certification is expected to become a requirement for bidding on many DoD contracts starting in 2020. Under the CMMC model as announced, organizations doing business with the Department of Defense, whether as a prime or as a subcontractor, will need to be assessed by an authorized third party rather than self-attest.
We can help you with preparation, audit and implementation services for NIST and CMMC.
NIST 800-171 COMPLIANCE
The National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171 defines the security requirements for protecting CUI that resides in non-federal systems, which in practice means government contractors. NIST SP 800-171 organizes its 110 security requirements into 14 families (for example Access Control, Audit and Accountability, and Incident Response). Organizations can satisfy the requirements with a variety of security solutions, implemented directly or through managed services.
Since January 1, 2018, DoD contractors have been expected to have implemented the requirements of NIST SP 800-171 (the DFARS 252.204-7012 deadline was December 31, 2017). If an audit finds that the requirements have not been met, or that compliance was misrepresented, the consequences may include criminal, civil, administrative or contractual penalties, up to and including termination of the contract.
NIST 800-171 AUDIT
Below are the core efforts and deliverables included in the audit:
- Review of every NIST 800-171 family and control against your environment
- Documentation of the controls you currently meet, and how you meet them
- Documentation of the controls you do not currently meet
- Recommendations and a roadmap for meeting the family/control set in each of the following areas:
  - Infrastructure
  - Software solutions
  - Policy
  - Procedure
  - Other
- Evidence and samples captured as proof of compliance
- Deliverables: an Executive Summary and the final NIST 800-171 documentation
CMMC COMPLIANCE
What is CMMC and how does it relate to NIST 800-171?
CMMC is not the same standard as NIST 800-171, and it does not retire it. CMMC is a new framework that builds on NIST 800-171: it incorporates the NIST 800-171 requirements and adds further practices and process-maturity expectations at the higher levels. The most significant difference between the two is verification. NIST 800-171 allows contractors to self-attest compliance, whereas CMMC requires certification by an authorized third-party assessor. Your NIST 800-171 obligation under DFARS clause 252.204-7012 remains in full effect and must be maintained alongside any CMMC certification.
The Department of Defense is drafting the Cybersecurity Maturity Model Certification (CMMC), which is expected to begin appearing as a requirement in DoD RFIs and RFPs in mid-2020, alongside the existing NIST 800-171 obligation rather than in place of it. The CMMC model contains five levels, ranging from basic cyber hygiene at Level 1 to advanced, progressive practices at Level 5. Unlike NIST 800-171, CMMC has no self-attestation component: every organization that does business with the Department of Defense will be required to undergo an assessment by an authorized third party before bidding on a contract or subcontracting to a prime.
CMMC LEVEL 3 AUDIT
Below are the core efforts and deliverables included in the audit:
- Review of every CMMC Level 3 family and practice (Level 3 as published includes all 110 NIST 800-171 requirements plus additional practices)
- Mapping of your existing NIST 800-171 control implementation onto the CMMC Level 3 practice set
- Gap analysis against the CMMC Level 3 practices and processes
- Recommendations and a roadmap for meeting the family/control set in each of the following areas:
  - Infrastructure
  - Software solutions
  - Policy
  - Procedure
  - Other
- Evidence and samples captured as proof of compliance
- Deliverables: an Executive Summary, a complete Gap Analysis report for the CMMC Level 3 audit, and a Plan of Action and Milestones (POA&M) spreadsheet with recommendations for every practice that was not adequately met