CMMC 2.0 maturity levels are tied directly to NIST 800-171-mandated controls
Since CMMC 2.0’s 110 controls are aligned completely with NIST 800-171 requirements, assessment is tied to those requirements. NIST 800-171 controls fall under 14 “families,” shown in the table below.
| Control Family | Total Controls |
|---|---|
| Access Control | 22 |
| Audit and Accountability | 9 |
| Awareness and Training | 3 |
| Configuration Management | 9 |
| Identification and Authentication | 11 |
| Incident Response | 3 |
| Maintenance | 6 |
| Media Protection | 9 |
| Personnel Security | 2 |
| Physical Protection | 6 |
| Risk Assessment | 3 |
| Security Assessment | 4 |
| System and Communications Protection | 16 |
| System and Information Integrity | 7 |
Key security assessment outcomes
A properly executed assessment will provide a comprehensive analysis of how your systems score against NIST 800-171 security requirements.
Two required — and extremely useful — assessment outcomes are a System Security Plan (SSP) and Plan of Action and Milestones (POAM).
System Security Plan: A detailed, periodically updated plan that documents the full system environment, security system implementation and connections between all systems.
Plan of Action and Milestones: Detailed, formal plans, including timing, for documenting and addressing each gap in NIST 800-171 compliance.
SPRS Score and Submission:
When your assessment is complete, the results must be submitted through the DOD’s Supplier Performance Risk System, or SPRS, a web-based mechanism for housing and retrieving supplier performance information.
Trust an assessment and compliance expert
The assessment process can be complex and time-consuming. CyberSheath is an expert. We have completed hundreds of NIST 800-171 assessments to date and counting.