Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.
What is new in NIST 800-172?
The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DOD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on the majority of DOD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI that is subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APT). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. Defending against it therefore requires enhanced cybersecurity activities, both to prevent an APT from accessing a contractor’s network and to identify that an APT has already gained unauthorized access to a contractor’s systems or networks.
How will NIST SP 800-172 Affect My Contracts?
One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, which DFARS 252.204-7012 imposes on all DOD contracts that handle CUI, NIST 800-172 is not required by any DFARS clause. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for the Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.
CMMC’s Incorporation of NIST 800-172
The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.
The DOD is working now to publish a new DFARS clause and contract language to allow DOD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DOD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.
How to Prepare for Cybersecurity Maturity Model Certification
Compliance with ever-evolving DOD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand which outcomes you should focus on and how to measure success. What does success even look like? How can you partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?
Access our latest webinar, NIST 800-171 Case Study: Surviving a DOD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DOD.