The launch of the Cybersecurity Maturity Model Certification (CMMC) program is an important, necessary step in our country’s ability to protect its people, military, industry, and more. Cybersecurity threats to the U.S.’s information grow daily and adversaries are becoming more and more capable.
The threat is sharpest for businesses and contractors that work with the Department of Defense (DoD). To be awarded DoD contracts, they will need to deploy specific security controls and have written policies in place that drive action across their organizations.
After a series of breaches affecting contractors, subcontractors, and several government agencies, the CMMC program was created. The program is designed to raise the security of information the DoD shares with contractors and subcontractors, and it gives the Department greater confidence that CUI is being properly secured. Read below to learn more about CMMC 2.0, NIST, and DFARS.
CMMC measures cybersecurity at 3 levels: 1) Foundational, 2) Advanced, and 3) Expert. Businesses that handle only Federal Contract Information (FCI) will require Level 1. Businesses that handle Controlled Unclassified Information (CUI) will require Level 2. Level 3 exists to protect the most sensitive CUI and will be required of only a small number of contractors.
What is CMMC 2.0?
In November of 2021, the Department of Defense announced plans for an improved CMMC 2.0 program. The goal of 2.0 is to keep the original program's intent while reducing the compliance burden as much as possible.
Tiered Model:
The CMMC program lays out the process for requiring protection of controlled unclassified information (CUI) that is shared with the Defense Industrial Base (DIB). Companies trusted with national security information must meet the required cybersecurity standards at the level appropriate to the type and sensitivity of the information they handle.
Assessment Requirement:
CMMC assessments allow the DoD to verify that the defined cybersecurity requirements have been met.
Implementation through Contracts:
Once CMMC is fully implemented and a contract has a CMMC requirement specified, contractors will be required to meet the appropriate CMMC level as a condition of contract award.
DFARS: What does DFARS stand for?
DFARS stands for the Defense Federal Acquisition Regulation Supplement, published by the U.S. Department of Defense (DoD). DFARS is supplementary to the FAR, the Federal Acquisition Regulation, and covers DoD acquisition broadly; its cybersecurity clauses, which apply to DoD external contractors and suppliers, were substantially revised in December of 2015.
Because of the ever-increasing cybersecurity threats, cybersecurity has become a significant priority for the US government. The primary goal of the DFARS cybersecurity clauses is to protect “Controlled Unclassified Information” (CUI), and they require private government contractors and other non-government entities to update their security systems and processes.
NIST: What Is NIST 800-171?
NIST stands for the National Institute of Standards and Technology. NIST Special Publication 800-171 is a set of security requirements, not a regulation in itself, with the goal of protecting Controlled Unclassified Information in non-federal information systems and organizations. It becomes binding when a contract clause (such as the DFARS cybersecurity clauses) requires it. The requirements cover safeguarding and distributing information, such as personal information or intellectual property, that is regarded as sensitive but not classified.
Under the most recent revision of NIST 800-171, contractors that handle CUI for the DoD, the General Services Administration (GSA), or the National Aeronautics and Space Administration (NASA) must implement the publication's security requirements when handling controlled unclassified information.
NIST 800-171 compliance is demonstrated with a self-assessment against the 110 requirements in the publication. Each requirement has a weighted value of one, three, or five points. The score starts at 110 and each unmet requirement subtracts its weight, so the best possible score is a positive 110 and the worst is a negative 203. Scores must be submitted before contracts or renewals are awarded, and they are registered in the DoD’s Supplier Performance Risk System (SPRS).
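The scoring rule above is simple enough to automate, and doing so also gives you the ordered list of gaps to put on a Plan of Action and Milestones (POA&M). The following Python is an added example, not code from the original article or from any DoD tool. The requirement IDs and point weights in the sample data are constructed for illustration; the official weights live in the DoD Assessment Methodology, and a real SPRS score needs all 110 requirements in the list, not the handful shown here.

```python
"""Compute a NIST SP 800-171 self-assessment score of the kind recorded in SPRS.

Scoring model (from the DoD Assessment Methodology): start at 110, one point
per requirement, and subtract the weight (1, 3 or 5) of every requirement
that is not implemented. The range is therefore +110 to -203.

SAMPLE_ASSESSMENT below is constructed for illustration only; the weights
are assumptions, not the official table, and a real score requires all 110
requirements to be present.
"""
from dataclasses import dataclass

MAX_SCORE = 110      # every requirement implemented
MIN_SCORE = -203     # every requirement unmet
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    rid: str          # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int       # point value per the DoD methodology (1, 3 or 5)
    implemented: bool


def score(assessment):
    """Return (score, unmet).

    `unmet` lists the requirements still to fix, highest weight first, which is
    the order in which a POA&M should be worked to raise the score fastest.
    """
    seen = set()
    deductions = 0
    unmet = []
    for r in assessment:
        if r.rid in seen:
            raise ValueError(f"{r.rid}: listed twice")
        seen.add(r.rid)
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.rid}: weight must be 1, 3 or 5, got {r.weight}")
        if not r.implemented:
            deductions += r.weight
            unmet.append(r)
    total = MAX_SCORE - deductions
    # A well-formed 110-requirement assessment cannot leave this range; an
    # out-of-range value means the input list is wrong, not the arithmetic.
    if not MIN_SCORE <= total <= MAX_SCORE:
        raise ValueError(f"score {total} is outside {MIN_SCORE}..{MAX_SCORE}")
    unmet.sort(key=lambda r: (-r.weight, r.rid))
    return total, unmet


# Constructed sample data (hypothetical weights); not the official DoD table.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", 5, True),    # limit system access to authorized users
    Requirement("3.1.2", 5, True),    # limit access to permitted transactions
    Requirement("3.1.3", 1, True),    # control the flow of CUI
    Requirement("3.1.5", 3, False),   # least privilege: not yet implemented
    Requirement("3.5.3", 5, False),   # multifactor authentication: not yet
]


if __name__ == "__main__":
    total, gaps = score(SAMPLE_ASSESSMENT)
    print(f"SPRS-style score: {total}")
    for r in gaps:
        print(f"  POA&M item: {r.rid} ({r.weight} points)")
```

Running the sample deducts 8 points (5 for the missing MFA requirement, 3 for least privilege) for a score of 102, and lists the 5-point item first. Feeding the scorer your full System Security Plan inventory, with the official weights substituted, produces the number you would submit to SPRS and the fix order for the POA&M.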
What is the Supplier Performance Risk System?
“The Supplier Performance Risk System (SPRS) is a web-enabled enterprise application that gathers, processes, and displays data about supplier performance. It is the DoD’s single, authorized application to retrieve supplier performance information.”
From: https://www.acq.osd.mil/cmmc/docs/FINAL-Supplier-Performance-Risk-System_Rd4.pdf
Although it may seem complicated, using available resources and a NIST consultant can make it possible to get and stay in compliance with DFARS, which keeps an organization eligible for DoD work. Contact us today for more information.