The landscape of cybersecurity regulations in the United States has undergone a significant transformation over the years, reflecting the ever-evolving nature of cyber threats and the need to protect sensitive government and industry data. The journey of this evolution can be traced through three key milestones: NIST 800-171, Cybersecurity Maturity Model Certification (CMMC), and the Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These regulatory requirements represent a dynamic response to the growing threats in the digital realm and the necessity for heightened cybersecurity standards in the defense and federal contracting sectors. Understanding the historical changes in these regulations is crucial in comprehending the current state of cybersecurity requirements and their impact on organizations engaged in government contracts and the handling of sensitive data.
1: Understanding NIST 800-171
The National Institute of Standards and Technology (NIST) is a US Government agency that helps other federal departments manage their risks and is well known for developing cybersecurity standards, frameworks, and best practices, with guidance on how to prevent, detect, and respond to cyber incidents. Its collection of best practices and guidelines drives the cybersecurity of public and private organizations and plays a large part in protecting national security. Notably, NIST has produced a number of special publications written especially for federal agencies to regulate the cybersecurity infrastructure of the third parties and contractors with whom they work.
Following the enactment of the Federal Information Security Management Act (FISMA) in 2003, NIST published 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) to protect Controlled Unclassified Information (CUI) from cybersecurity threats. FISMA is a US federal law passed in 2002 that defines a comprehensive framework to protect government information against various security risks. While FISMA primarily focuses on federal information systems, NIST 800-171 is geared towards protecting CUI in non-federal systems, such as those belonging to contractors, universities, and other entities that work with the U.S. government.
NIST 800-171 was developed to provide the technical guidance behind Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the DoD's original cybersecurity requirement for contractors.
2: NIST 800-171 Regulation Revision Status
NIST SP 800-171 is currently going through a major revision. NIST SP 800-171, Revision 3 (Final Public Draft) and SP 800-171A, Revision 1 (Initial Public Draft) were released on November 9, 2023.
Why should we keep informed on these revisions? Some of these changes will cost DIB contractors money, no matter the company size, as evidenced by the imminent CMMC regulation, where non-compliance can mean being unable to bid on and win government contracts.
Highlight of changes:
NIST SP 800-171 r3 (Protecting Controlled Unclassified Information in Non-federal Systems and Organizations)
- Controls decrease from 110 to 95
- Families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations decrease from 17 to 14
- The number of organization-defined parameters (ODPs) is reduced
- Tailoring categories and tailoring decisions are re-evaluated
- Discussion sections are restructured and streamlined
- Withdrawn controls and families are incorporated into the remaining requirements
More information can be found at https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
NIST SP 800-171A r3 (Assessing Security Requirements for Controlled Unclassified Information)
- Determination Statements increase from 320 to 445
- Restructured the assessment procedure syntax to align with NIST SP 800-53A
- The addition of a references section to provide source assessment procedures from NIST SP 800-53A
- A one-time change to the publication version number (skipping “Revision 2”) to align with NIST SP 800-171r3
More information can be found at https://csrc.nist.gov/pubs/sp/800/171/a/r3/ipd
The public comment period for both documents is open now through January 12, 2024.
3: Introduction to Cybersecurity Maturity Model Certification (CMMC)
Because there was no certification requirement, the DoD found that contractors were claiming to uphold all of the NIST 800-171 standards when in reality they were not. The DoD therefore decided that it was necessary to develop a certification process to ensure that contractors and subcontractors in the defense industrial base (DIB) were compliant with a basic set of cybersecurity controls, and CMMC was born. CMMC is in the regulatory review process and is currently on its second revision (CMMC 2.0). This revision has condensed the maturity levels from five to three.
- Level 1 Foundational
  - 17 practices from NIST 800-171
  - No third-party assessment is required. Annual self-assessment, with the score uploaded to SPRS
- Level 2 Advanced
  - 110 practices, aligned with NIST 800-171
  - Critical CUI handlers will be assessed by a C3PAO three times per year
  - Handlers of non-critical CUI will only need a self-assessment, as at Level 1
- Level 3 Expert
  - More than 110 practices, based on NIST 800-172
  - Government-led assessment three times per year
While the Government continues to finalize the new rules and certifications, contractors and subcontractors are encouraged to boost their cybersecurity postures in preparation for the final ruling and implementation.
4: Status of CMMC 2.0
Currently, CMMC 2.0 is under review by the Office of Information and Regulatory Affairs (OIRA), a statutory part of the Office of Management and Budget (OMB) within the Executive Office of the President, as part of the normal rulemaking process. OIRA had 90 days to review the rule but is now operating under a one-time 30-day extension, which ends on November 17, 2023. By this date, OIRA must decide whether to send the rule back for revisions or forward it for publication in the Federal Register. Once the rule is published in the Federal Register there will be a 60-day comment period, which takes us to January 2024. From this point the rule can take one of two paths:
- Interim Final Rule (very rarely used)
  - If the CMMC rule is designated an interim final rule, it would be effective in the first quarter of 2024
- Proposed Rule
  - If the CMMC rule is designated a proposed rule, it can take about a year for that rule to be published as a final rule, so it would likely be effective in the first quarter of 2025
5: DFARS Cybersecurity Governing Clauses
NIST SP 800-171 and CMMC requirements are issued to government contractors through Defense Federal Acquisition Regulation Supplement (DFARS) clauses inserted into specific solicitations:
- DFARS 252.204-7012 - specifies requirements for the protection of controlled unclassified information (CUI) in accordance with NIST 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. All DoD contractors are required to comply with DFARS requirements for adequate security.
- DFARS 252.204-7019 - Notice of NIST SP 800-171 DoD Assessment Requirements mandates that the DIB contractor undergo self-assessments that follow the NIST SP 800-171 DoD Assessment Methodology at least every three years. Summary-level scores of these assessments shall be posted in the DoD Supplier Performance Risk System (SPRS).
Three newer clauses (introduced as part of the DFARS Interim Rule) expand upon the initial DFARS clause 252.204-7012:
- DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment Requirements requires that the DIB contractor provide access to its facilities, systems, and personnel when DoD is conducting a Medium or High NIST SP 800-171 assessment.
- DFARS 252.204-7021 - Cybersecurity Maturity Model Certification (CMMC) Requirements stipulates that the DIB contractor shall hold a current (not older than 3 years) CMMC certification at the CMMC level required for the contract and maintain certification at that level for the duration of the contract.
Cybersecurity control regulations have evolved significantly, and we are on the verge of long-awaited transformations that will better safeguard our national defense. It is imperative for DIB contractors to acquaint themselves with the forthcoming CMMC requirements and promptly take steps to implement the necessary security controls, ensuring regulatory compliance, successful control assessments, and continued eligibility for government contracts.
Ingalls Information Security offers CMMC expert consulting services. Contact our DoD Services team for information.