Understanding CMMC, DFARS 7012, and NIST 800-171 / 171A

employee-working-on-CMMC-compliance-laptop

The Defense Industrial Base (DIB), the supply chain that supports the U.S. Department of Defense (DoD), is often the target of cyberattacks. In an effort to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled by its contractors, the DoD created the Cybersecurity Maturity Model Certification (CMMC), an initiative designed to improve DIB cybersecurity. With the push to become CMMC compliant, small businesses can be overwhelmed looking through the long and complex clauses found in their contracts. It can be a lot to take in! In this post, we will help those pursuing CMMC better understand which clauses, policies, and documents they need to be aware of, their purpose, and what tools are available to them. We will also help identify other relevant policies and documents to facilitate the compliance process.   

The topics discussed in this post: 

DFARS Clause 252.204-7012

DFARS 252.204-7012 (“DFARS 7012” for short), a clause that may appear in your contract, states that DoD contractors handling CUI must implement all of the 110 security controls laid out in NIST 800-171 by the deadline of December 31st, 2017. Obviously, this date has passed, and many (including us) are still working diligently to implement the controls. However, when DFARS 7012 began appearing in contracts, there was no method in place to ensure that organizations had correctly implemented the necessary controls and, as a result, this goal was not met. To address the lack of accountability, CMMC was born.  

Note the difference between DFARS 7012 and the FAR 52.204-21 clause (what we call “the FAR 17” — see our CMMC Level 1 and FAR 52.204-21 blog post). They address different information; the FAR 17 addresses FCI whereas DFARS 7012 addresses CUI, which is a subset of FCI. Although both deal with safeguarding DoD information, DFARS 7012 has significantly more requirements compared to the FAR 17. From a cybersecurity perspective, this makes sense, given that the risk is greater if CUI is lost vs. FCI, and therefore additional cybersecurity controls are needed to lessen this risk.  

CUI can include a variety of items: drawings, technical documentation, source code, specifications, data sets, and manuals. Contractors can refer to the National Archive’s (NARA) CUI Registry to see the different categories of CUI. If CUI gets into the wrong hands, it could be used to reproduce DoD innovations which would significantly reduce the competitive defensive advantage the U.S. has worked so hard to achieve. For example, Chinese adversaries were able to compromise private sector IT systems and steal the American F-35 fighter jet design. They created their own version, called the J31, which cost around 90 million dollars less to build, since they didn’t have to pay for the research and design.  In a DSB report of Resilient Military Systems and the Advanced Cyber Threat, we are told that this common theft of DoD and U.S. Industrial base Intellectual property could give adversaries the ability to “employ countermeasures to advanced U.S. military systems, and also shorten a given adversary’s research and development timelines for such countermeasures.” Just like what happened with the F35. The results of stolen information can be devastating. Even if you feel the information handled by your organization couldn’t do this kind of damage, it is important to take the correct safety measures to secure your whole system.  

To protect CUI, DFARS 7012 establishes multiple objectives:  

  1. Implement NIST 800-171 
  2. Build a System Security Plan (SSP) that describes how you have implemented NIST 800-171 
  3. Create a Plan of Action and Milestones (POA&M) that describes where you have not yet implemented NIST 800-171 as well as how and when you plan to meet its requirements. Note that you can be compliant with DFARS 7012 even if you have not yet implemented all 110 controls laid out in NIST 800-171. The POA&M provides some flexibility 
  4. Draw up an incident response plan (IRP, see our template here), be able to report incidents, and plan to preserve images of affected systems as they might be subject to further investigation (see our blog post on this subject for more information)

If these objectives are something you are looking for help with, consider engaging Totem for a Gap Assessment, where we will assess your organization against the DFARS 7012/CMMC/NIST 800-171 requirements and help you build your own SSP, POA&M, IRP, and everything else you may need.  (Did somebody say acronym soup?)

NIST SP 800-171 Revision 2

NIST 800-171 outlines 110 security requirements across 14 families specifically aimed at protecting CUI. For example, Control 3.1.1 prompts contractors to “Limit system access to authorized users, processes acting on behalf of authorized users, and devices.” In this case, organizations are to enact policies and procedures that inventory and limit access to their systems only to authorized users and devices, whether internal or external.  

NIST 800-171 is not itself a law or a regulation; it is the cybersecurity framework required to be implemented by the regulation DFARS 252.204-7012. Additionally, it is not a certification; it is the framework by which those pursuing CMMC Level 2 will be assessed in order to receive a certification.

To most small business contractors, NIST 800-171 is overwhelming. The controls can seem intense, the language can feel too technical to understand, and there may seem to be too many assignments to fulfill. Many of these small businesses have no idea how to start approaching difficult tasks like encryption, access control, auditing, policy writing, etc. We feel your pain, and this is why Totem Technologies was created. The Totem Workshop covers all the documents mentioned here and can be a great resource for those looking to educate themselves and get started on their CMMC compliance journey.    

NIST SP 800-171A

The NIST SP 800-171A accompanies NIST SP 800-171 and gives contractors further information on how to complete the tasks outlined in NIST 800-171. It includes a lot more than just the basic 110 security controls in NIST 800-171; it gives each of the 110 controls their own “steps” that need to be met for the overarching control to be considered met. We refer to these steps as “assessment objectives”; the total of which is 320. Together, these two documents provide the standard for organizations to protect CUI, and they determine what must be done in order to pass a CMMC assessment. 

Using the control example of 3.1.1 given in the previous section, in order to meet this control, organizations must justify and provide objective evidence for how they have achieved these six assessment objectives:  

  • 3.1.1[a] authorized users are identified.  
  • 3.1.1[b] processes acting on behalf of authorized users are identified.  
  • 3.1.1[c] devices (and other systems) authorized to connect to the system are identified.  
  • 3.1.1[d] system access is limited to authorizes users.   
  • 3.1.1[e] system access is limited to processes acting on behalf of authorized users.  
  • 3.1.1[f] system access is limited to authorized devices (including other systems).  

The Totem Tool is a great resource that has all of these controls and associated objectives built in, and it even helps you quickly build your SSP, POA&M, and IRP. Let us know if you’re interested in a free trial of the tool.   

totem CMMC compliance management tool
NIST 800-171A Assessment Objectives in Totem™

Cybersecurity Maturity Model Certification (CMMC)

As we have covered up to this point, CMMC is how the DoD is holding its industrial base accountable to implementing the appropriate cybersecurity requirements. If you are a DoD contractor, you need to begin preparing to receive a CMMC certification. There are three levels to CMMC compliance; the level in which you should target is represented on the graphic below:
FCI vs. CUI table comparison

CMMC Level 3 is not included in the graphic, because it is primarily reserved for large prime contractors and those working on more sensitive weapons systems. Additionally, the framework behind CMMC Level 3 is still being finalized. The vast majority of contractors and subcontractors, especially small businesses, will be targeting either Level 1 or Level 2.

So, if you only handle FCI, you are to target Level 1. If you handle CUI, you are to target Level 2. Note that the jump from Level 1 to Level 2 is significant: instead of 17 safeguards, there are 110. As we can personally attest, it moves from a few thousand-dollar problem to tens of thousands of dollars every year, not to mention all the extra work required. It is important that your organization is confident that it can sustain the costs and work involved in handling CUI and the cybersecurity requirements that come with it. If you don’t know which level to target or where to begin, we cover this process extensively in our CMMC Workshop.  

The first step in receiving a Level 2 CMMC certification is to undergo a self-assessment, followed by drawing up the compliance plans, including your SSP, POA&M, and IRP. It takes most Defense Industrial Base (DIB) small and medium-sized businesses 1 to 12 weeks to write the policies that are DFARS 7012 compliant and 1+ years to implement a cybersecurity program that is CMMC conformant. The earliest we could see the CMMC clause in contracts is this summer, and as late as the end of 2024. By October 2025 the DoD will require all contractors to be CMMC certified. Let’s be honest, achieving cybersecurity compliance is not a simple feat. Although this process can seem long and overwhelming, we are here to help.  

How DFARS 7012, NIST SP 800-171 and 171A, CMMC work together

To recap, DFARS 252.204-7012 is the clause that mandates the protection of Controlled Unclassified Information. It requires DoD contractors that handle CUI to implement NIST 800-171, a robust standard of 110 cybersecurity safeguards. All 110 controls have corresponding “objectives” that must be met; these are identified in NIST 800-171A. CMMC is how we will be held accountable to ensure the implementation of NIST 800-171/800-171A, where all DoD contractors will need to attain a certification depending on the type of information we handle.  

How Totem helps small businesses achieve CMMC compliance

In this post, we have summarized DFARS 7012, NIST SP 800-171, NIST SP 800-171A and CMMC. Instead of small businesses feeling overwhelmed and considering leaving the DIB because of the lack of resources, high costs and confusion, Totem’s mission is to empower and aid these businesses in their pursuit of compliance. We have several ways to help: if you are looking for more information on the requirements within DFARS 7012, CMMC, or NIST 800-171, the Totem Workshop is a great place to get started. Or, browse our Free Tools, where we provide a plethora of helpful tools and templates. If you are looking for more hands-on assistance, consider engaging Totem in a Gap Assessment. Should you have any questions about this blog, CMMC, or cybersecurity in general, please drop us a line!

Good luck!

-Nina

Graphic depicting Totem's roadmap to CMMC compliance

Download our CMMC Compliance Roadmap!

Like this post? Share it!

Get notified when new blogs are published!