NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
.jpg?ext=.jpg)
Since November 2021, the Cybersecurity Maturity Model Certification (CMMC) has been a hot topic among contactors, suppliers, and cybersecurity experts. Finally, after seven years of rulemaking, CMMC has been published and will begin rolling out on December 16, 2024. As an authorized C3PAO, Smithers will be able to conduct third-party CMMC assessments as soon as CMMC goes into effect.
The Relationship Between DFARS, NIST, and CMMC
In 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated. The update required all DoD contractors and their sub-contractors to self-assess against meeting the cybersecurity requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In 2019, DFARS was updated again. This update included the requirement for the Cybersecurity Maturity Model Certification supported by a tri-annual independent assessment. Department of Defense (DoD) contractors and their sub-contractors handling controlled unclassified information (CUI) were given five years to implement these changes
Also in 2019, the CMMC-Accreditation Body (CyberAB) was established as a joint venture between Carnegie Mellon University, The Johns Hopkins University Applied, Physics Laboratory LLC, and Futures, Inc. The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no cost contract. The program is currently overseen by the DOD CIO office. CMMC-AB released the first draft of CMMC 1.0 in that same year on the credentials required for independent assessors and how to conduct the assessments for DoD contractors.
In November 2021, the DoD paused CMMC 1.0 based on public comments. It began the process of evaluating and and updating the DFARS rules for the independent assessments with the release of CMMC 2.0. CMMC 2.0 covered several critical changes, including the removal of the CMMC maturity processes, alignment to the NIST SP 800-171 security controls for the body of the assessment, and the reduction of CMMC levels from five to three. Lastly, the governing body was renamed Cyber-AB to reduce confusion between the CMMC requirements of the DoD and the Cyber-AB’s role as certifying organizations and auditors to conduct CMMC assessments.
Keep in mind that none of these events impact the existing requirement under DFARS 252.204-7012, requiring contractors and their sub-contractors handling CUI to ensure they are compliant with the 110 controls and 320 objective statements of the NIST SP 800-171.
New! NIST 800-171 assessment checklist!
Download our CMMC for Manufacturers FAQs
- Certified Companies Information
- ISO 27001
- CMMC
- What is NIST SP 800-171
- Integrated Management System Audit and Certification Services
- Smithers Quality Assessments Client Portal: Beyond Audit Management Software
- Tailored Account Services
- AS9100 Audit & Certification Services
- AS9110 Certification Services
- AS9120 Certification Services
- IATF 16949:2016 Audit Certification Services
- ISO 9001:2015
- ISO 13485:2016 Certification System
- ISO 14001 Certification Services
- ISO 45001 Certification
- SN 9001:2016 Audit Certification
- Internal Auditing Services
- Supplier Solutions
- Certified Companies Information
- File a Complaint or Appeal
Follow us on LinkedIn
What should you do right now?
In November 2022, Washington Technology published an interview with Robert Metzger, one of the original architects of the 2019 CMMC plan. He was asked, “what should contractors do now with all of the confusion surrounding CMMC?”Metzger suggests contractors begin assessing their cybersecurity health as it exists now. Whether or not your focus is on a specific certification, cyber-attacks are a reality, so it is important to protect the data of your customers as well as your own. It is a good time to start working on your NIST 800-171 rev 2 compliance.
The world of cybersecurity and the associated certifications is complex and constantly evolving. The CMMC eventual launch and the new NIST SP 800-171r3, both expected in 2024, are such examples.
Smithers, a C3PAO candidate, will soon be able to offer you a letter of conformance to NIST 800-171r2, which will be updated to a CMMC certificate, when it is officially released (requires the client to be under a Smithers continuous assessment program with annual surveillance assessments). Smithers is ready to help navigate these requirements and address your organization specific questions.
If you have questions about your specific organization, please contact us today.