CMMC vs. DFARS vs. NIST SP 800-171: What’s the Difference?

Steve Melito, FuzeHub Blog

CMMC and DFARS are cybersecurity terms that you need to know, but what do they mean, and what’s the relationship between them? For that matter, what does NIST SP 800-171 have to do with either of them? Whether you’re a family-owned machine shop or a Tier 1 supplier, the U.S. Department of Defense (DoD) expects you to protect specific types of information – including controlled unclassified information (CUI). If your company doesn’t meet specific cybersecurity requirements, you could lose your ability to bid on, win, or work on defense-related projects. That’s why understanding CMMC, DFARS, and NIST SP 800-171 is so important for your business.

CMMC and DFARS

The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard that’s designed to reduce exfiltration of CUI from members of the defense industrial base (DIB). CMMC builds upon a clause in the Defense Federal Acquisition Regulation Supplement (DFARS), a publication that defines requirements for doing business with the DoD. This clause, DFARS 252.204-7012, is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Covered defense information (CDI) includes unclassified controlled technical information (CTI) or other information as described in the CUI Registry, a government-wide online repository for federal-level guidance regarding CUI policy and practice.

CMMC Rev 1.0 isn’t in effect yet, but it is scheduled for release in January 2020. For DIB members, it’s important to understand that CMMC adds a verification component to the cybersecurity requirements in DFARS 252.204-7012. CMMC also establishes a model framework with 18 different domains. Each domain covers a key set of cybersecurity capabilities, and these capabilities contain practices and processes that are mapped to five numbered levels. Level 3 involves ensuring that you’ve met all of the requirements in NIST SP 800-171 Rev 1, a special publication (SP) from the National Institute of Standards and Technology (NIST) titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. NIST, which is part of the U.S. Department of Commerce, also manages the Manufacturing Extension Partnership (MEP) network that includes FuzeHub.

NIST SP 800-171 Rev 1

NIST develops information security standards and guidelines such as NIST SP 800-171. However, NIST is a non-regulatory agency; NIST SP 800-171 recommends requirements but does not establish them. It’s an important distinction since NIST SP 800-171 is commonly understood to be a minimum requirement for good cybersecurity practice. DFARS 252.204-7012, which defines requirements, references NIST SP 800-171 and, in DFARS 252.204-7012 (b)(ii)(A), clearly states that “the Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.”

What’s the relationship between NIST SP 800-171 Rev 1 and CMMC Rev 1.0? As NIST’s Computer Security Resource Center (CSRC) explains, “NIST is not involved in the design, development, or implementation of the CMMC model of certification.” However, the CSRC also states that “the CMMC utilizes the publicly available security requirements in NIST Special Publication (SP) 800-171.” Just as with DFARS 252.204-7012, CMMC Rev 1.0 references this important cybersecurity standard from NIST.

Help Is Available

Join FuzeHub, New York State’s statewide MEP Center; the Advanced Institute for Manufacturing (AIM); and the Manufacturing and Technology Resource Consortium (MTRC) on Thursday, December 5, 2019 for the Cybersecurity Forum for Manufacturers at Stony Brook University. Cybersecurity assistance is available for qualified NYS manufacturers who are part of the defense supply chain. Eligible manufacturers who attend this event will have the opportunity to win a cyber assessment grant of $5,000. You must be present to win.

Learn more about the Cybersecurity Forum for Manufacturers and register to attend.
