NIST 800-171A is the official "Assessment Guide" that supports NIST SP 800-171. It provides detailed procedures and methods to assess an organization's implementation of security requirements for protecting Controlled Unclassified Information (CUI).
What is CMMC?
CMMC (Cybersecurity Maturity Model Certification) is a unified cybersecurity standard for Department of Defense (DoD) contractors. It verifies the implementation of cybersecurity practices across five maturity levels. CMMC 2.0 is closely aligned with NIST 800-171.
How are NIST 800-171A and CMMC related?
CMMC 2.0 Level 2 certification requires contractors to fully implement the 110 security controls outlined in NIST 800-171. NIST 800-171A is used as the framework for assessing whether these controls are properly implemented.
What are the key components of NIST 800-171A?
NIST 800-171A is structured around:
• 110 Security Requirements grouped into 14 families (e.g., Access Control, Incident Response).
• Assessment Objectives for each requirement.
• Methods of assessment (examine, interview, test).
What is Controlled Unclassified Information (CUI)?
CUI is information that requires safeguarding or dissemination controls but is not classified under Executive Order 13526 or the Atomic Energy Act. It’s data that must be protected to enhance national security.
Do all contractors need to comply with NIST 800-171A?
Yes, any organization that handles CUI on behalf of the DoD must implement NIST 800-171 requirements and, depending on contract requirements, may need to formally assess and certify compliance via CMMC.
What is the difference between a NIST 800-171 Self-Assessment and a CMMC Certification?
• NIST 800-171 Self-Assessment: An internal review by the organization, often submitted via the Supplier Performance Risk System (SPRS).
• CMMC Certification: Requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for Level 2 under CMMC 2.0.
What is a System Security Plan (SSP)?
An SSP is a document describing how an organization meets the NIST 800-171 security requirements. It outlines system boundaries, operational environment, and how controls are implemented and maintained.
What are POA&Ms?
Plan of Actions and Milestones (POA&Ms) are documents identifying weaknesses, planned corrective actions, timelines, and resources needed to address any gaps in NIST 800-171 compliance.
How is NIST 800-171A assessed?
Each control is evaluated using:
• Examine: Review documentation and system configurations.
• Interview: Speak with personnel to verify policies and procedures.
• Test: Conduct hands-on tests to ensure systems function as required.
What are the penalties for non-compliance?
Non-compliance can lead to:
• Contract termination.
• Loss of future contracting opportunities.
• Legal and financial liabilities under the False Claims Act if compliance with cybersecurity requirements is falsely attested.
How often should an organization assess itself against NIST 800-171A?
Regular assessments (at least annually) are recommended to ensure ongoing compliance. Updates are needed whenever significant system changes or security incidents occur.
Where can I find the official NIST 800-171A document?
The official NIST 800-171A publication is available for free on the NIST website.
How long does it take to become compliant with NIST 800-171A and CMMC?
Depending on the organization's cybersecurity maturity, it can take anywhere from a few months to over a year. Timeframes vary based on current gaps, resource availability, and system complexity.
What’s the first step to start the compliance journey?
Start with a Gap Assessment against NIST 800-171 requirements, develop an SSP and POA&Ms, and implement any missing controls. Preparing for a CMMC audit early ensures smoother certification.
Need Help Simplifying Your Compliance Journey?
Explore IntelComp’s Compliance Management Software — trusted by contractors preparing for CMMC certification.