A Closer Look At CMMC & NIST 800-171 Preparedness

Brian Berger, President of Cytellix Corporation • March 11, 2021

We all know that regulated Federal Government information is safeguarded to prevent cyber-attacks from the adversaries of the United States, but did you know that any and all sensitive data, government-owned or not, must be protected by adhering to a specific set of rules? Controlled Unclassified Information (CUI) is information that is sensitive and relevant to the national security interests of the United States, but not under strict Federal regulation. According to the National Archives and Records Administration, the Executive Agent is responsible for creating and implementing unclassified data standards and overseeing compliance. CUI is considered any potentially sensitive, unclassified data that require controls in place to define its proper safeguarding or dissemination. What is NIST 800-171, and how can you meet the requirements? Let's take a look!


What is NIST 800-171?

NIST is the acronym for National Institute of Standards and Technology, and 800-171 is a specific publication. NIST 800-171 governs Controlled Unclassified Information in Non-Federal Information Systems. Essentially, 800-171 is a list of standards that must be met to adequately safeguard and distribute personal or sensitive information that is not officially classified. NIST 800-171 was first created in 2003, shortly after the Federal Information Security Management Act was passed. Following a series of serious cyberattacks, it became clear that cybersecurity needed to be ramped up. NIST regulations have changed slightly since the beginning, particularly for certain government agencies like NASA, the Department of Defense (DoD), and the General Services Administration (GSA). Commercial supply chain organizations are also required to adhere to these new guidelines.

  • All contractors awarded contracts to provide products or services that require the use of Controlled Unclassified Information (CUI) is ordered to comply with DFARS 252.204-7012
  • Over 100 controls must now be addressed, as well as the cybersecurity posture of the supplier’s network or system across the 14 security domains defined in NIST SP 800-171
  • The obligation of proof is now placed on the supplier and their entire supply chain.
  • Failure to comply will result in a Corrective Action Report (CAR), loss of contract, or potential legal actions.

NIST 800-171 was designed to get all companies on the same set of guidelines for cybersecurity. Prior to the publication, each company could make its own rules. When everyone operates differently, there is no uniformity, and each company will have weak points that are easy to attack. By regulating the process, the government is now confident that sensitive data is under lock and key. 



What is CMMC?

The Cybersecurity Maturity Model Certification is part two of NIST 800-171. CMMC is a program initiated by the United States Department of Defense (DoD) in order to measure their defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity.  The guidelines set forward in NIST 800-171 are the baseline for CMMC. Using CMMC, it can easily be determined precisely how prepared a company is. There are five levels in total, with Level 1 being baseline NIST requirements and Level 5 being highly advanced with custom processes and cyber technology that is constantly working. As of September 2020, the Department of Defense (DoD) began requesting information that contains CMMC specifications. It is clear that they have a timeline for getting the CMMC into all contracts by 2026. At the moment, CMMC applies to Department of Defense prime contractors and subcontractors. The ultimate goal is to have it apply to each and every contract that handles any sensitive information.


How Can Cytellix Help?

It can be daunting for companies and contractors to figure out how compliant they are to these regulations. Cytellix works with several government agencies, including the Department of Defense (DoD), so our team knows the guidelines like the back of our hands. We offer a collection of services that will check off the necessary boxes. We create and implement cybersecurity solutions that will help you meet the expectations of these relatively-new guidelines. We'll check out your current situation, find your weak spots, and propose solutions to build up your security systems. The more cybersecurity you can implement now, the more prepared you will be as the DoD cracks down on NIST 800-171 now and CMMC in the near future. It's far easier to be prepared early than to play catch up when the new contracts come out. By working with our team, you will have a personalized package that can grow and change as you do. It's expected for more versions of CMMC to be released prior to its complete implementation, and Cytellix will be there to make sure you stay on track. Cytellix is available to provide a detailed security services assessment. Our goal is to ensure you are fully aware of the steps required to remain compliant, cyber prepared for certification, and provide a plan of action that will minimize time or cost disruption. 


The concept of NIST 800-171 and CMMC can be a bit challenging to grasp. The key takeaway is that the Department of Defense (DoD) is putting regulations in place to strengthen security surrounding sensitive but unclassified data. This will protect contractors, companies, and consumers from cyber-attack, and it will keep information away from hackers inside and outside of the US. Preparing for CMMC can be tricky, but Cytellix is here to help. Learn more about our NIST 800-171/CMMC services at https://bsyl.ink/NIST800-171. If you're ready to increase your cybersecurity and become more compliant with these guidelines, call us at (949) 215-8889. We look forward to hearing from you!


Cytellix has expert capabilities in cybersecurity technology, risk management frameworks (RMF, NIST, CMMC, GDPR, FFIEC, ISO) and provides a complete visibility platform that supports: DoD customers, DIB Customers, DoD Supply Chain, and other highly regulated industries (Finance, Automotive, Utilities, State and Local Government).  Our technology stack includes SIEM as Service, 24x7 SOC, Vulnerability Management, Real-time continuous cyber monitoring, Firewall Management, and threat hunting and threat correlation.


small business cybersecurity

MSP SPOTLIGHT: Go Beyond Baseline Security.

By Walt Czerminski August 30, 2023
Explore the challenges MSPs face in providing holistic cybersecurity support to their SMB clients and discuss how a programmatic-optimized approach can help bridge the gap, ensuring enterprise-level protection without breaking the bank for SMBs, while adding revenue opportunities for MSPs.

The Clock is Ticking for CMMC 2.0: Here’s Everything You Need to Know – START NOW

By Brian Berger August 23, 2023
The Department of Defense (DoD) has formally presented the CMMC regulation for official evaluation, marking the start of its journey toward formal announcement. Every regulation proposed by the executive branch, including this one, undergoes scrutiny by OIRA, a division of the Office of Management and Budget (OMB). The significance of this step is that the previously mentioned "delays" in the CMMC process were due to the time taken for the DoD to forward the rule to OIRA. With this action now taken, the subsequent stages of the rulemaking procedure are underway. Nevertheless, due to the intricate nature of federal rulemaking, several more stages need to be navigated before the CMMC becomes a part of contracts. The following scenarios should be considered for preparation for compliance and certification for the Defense Industrial Base (DIB). Scenario 1: Proposed Rule Submission to OIRA: The Department of Defense (DoD) has officially submitted the CMMC rule for regulatory review to the Office of Information and Regulatory Affairs (OIRA). Review and Publication: After OIRA's review, which takes an average of 66 business days, the CMMC rule is expected to be published in late October 2023. Public Comment Period: A standard 60-day public comment period will follow, ending in December 2023. Finalization: The CMMC rule will be published as a "proposed rule", which means it will only become effective after the agency responds to public comments in a final rule. Based on historical data, the average time for DoD proposed rules to be published as final rules is 333 business days. This means the CMMC final rule is expected between February and April 2025 . Phased Roll-Out: The DoD plans a 3-year phased roll-out for CMMC contract clauses. Assuming the final rule is published in Q1 2025, all relevant DoD contracts will contain CMMC by 2028. Scenario 2: Interim Final Rule Immediate Effectiveness : If the CMMC rule is published as an "interim final rule", it will be effective before the agency responds to public comments . This means the rule would be in effect and appear in contracts in Q1 2024 . Rarity of Interim Final Rules: Such rules are rare and bypass the usual democratic process of "notice and comment" rulemaking. They are typically granted in urgent situations, like the need to enhance national security. So when should you start preparing? Before we start with the background and changes, let’s talk about the "Big Elephant” in the room. Clearly, the updated compliance and certification process developed by the DoD and the non-profit organization liaisons has been long overdue with a lot of anticipated deadlines that never materialized. And with the latest announcements it does seem to be mildly reminiscent of the movie comedy and colloquial meaning of Groundhog Day. Since the Library of Congress selected the film for preservation in the National Film Registry I found humor in relativity, not cynicism. Opinion: This is different and the information we have in the DoD supply chain must be protected from our adversaries. This is a serious issue and needs clear and precise guidelines as the supply chain will not spend money on the protection of the information that protects national security unless they must as it is deemed as a complex undertaking. That’s an unfortunate reality. We have seen the start and restart of the cyber programs for DoD for the past 5-years, what makes this different? The implementation of the CMMC rule in contracts will be phased in over a period of 3 years, with all relevant DoD Defense Industrial Base (DIB) contracts containing CMMC by 2028. For a company with 50-100 employees operating in the DoD supply chain, it takes an average of 12-18 months to prepare for assessment and audit for eventual certification, with certification being the ultimate requirement for compliance. Therefore, the time is now to start the process if you plan to hold government contracts in 2024/2025. There are also varied flow down requirements that need to also be taken into consideration. Understanding Plan of Action and Milestones (POAM) There is now the ability to present interim status vs 100% compliance as we have with the current DFARS and NIST requirements. These interim reports can be handled in the traditional manner by presenting a Plan of Action and Milestones (POAM) that have a less than 180-day completion date for allowed baseline gaps. Unallowed gaps will have a “No POAM” designation and need to be implemented. If you have any doubts, work with a highly skilled 3 rd party who has expertise in these standards and a track record of enabling comprehensive successful standards-based cyber programs. The information presented by the suppliers in POAM’s or claiming 100% compliance will be evaluated and can and will likely trigger audits if certain high-level cyber controls are not met or the 100% compliance score creates suspicion of a false claim. Be careful to present accurate and validated information. So, what does this all mean? You must be compliant with DFARS clause 252.204.7012 and NIST 800-171 today. This is a requirement of your current contracts, and the False Claims Act applies to all cyber compliance representations. If you are not compliant, you could be subject to civil penalties and criminal charges. You need to start preparing for CMMC 2.0 today. The deadline for the final rule is 18 months from now, and it will take an average company in the DoD supply chain 12-18 months to become assessment ready. Waiting is not an option. Waiting is a bad idea. Why you ask? It is very clear that most suppliers and Small and Medium Businesses are not cyber ready and nowhere near compliant with any cyber framework. The timeframe for a typical business to understand, develop and implement full compliance is more than 1-year assuming they have the skills and personnel to complete the objectives. CMMC 2.0 clearly aligns with DFARS and NIST, so it is the best way to protect your organization's sensitive data. Don't delay, start preparing today! *If you have any questions, please reach out to our experts – [email protected]