FAQs


What is NIST SP 800-171?

NIST SP 800-171 is a set of security requirements that a defense contractor must implement in order to store, process, or transmit Controlled Unclassified Information (CUI) on its own (nonfederal) systems. Implementation of NIST SP 800-171 is currently required in Department of Defense contracts via DFARS clause 252.204-7012.

How do I determine my compliance?

If DFARS clause 252.204-7012 appears in a current contract, you are expected to have implemented NIST SP 800-171: all 110 requirements should be in place, or each requirement not yet implemented should be documented in your System Security Plan (SSP) with a Plan of Action and Milestones (POAM) for closing it.

How do I become CMMC certified?

“The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org). The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.” (https://www.acq.osd.mil/cmmc/faq.html)

How can NUDG 2.0 help me with cyber security compliance?

NUDG 2.0 is a program management software tool used to manage and maintain cyber security compliance. It provides one location to document processes and procedures, with an easy-to-navigate dashboard showing the implementation status of each policy. The program is loaded with the most up-to-date cyber security requirements published by the federal government, including templatized policies and procedures that meet those requirements; this can save a company roughly 400-500 hours of writing its own policies and procedures. The NIST requirements and CMMC practices are organized into “NUDG Identifiers” that show the references, the discussion points, and your company’s implementation status. Each NUDG Identifier comes with editable standards your company needs to meet to comply with the NIST requirement and/or CMMC practice. From these standards you can create and document your company’s controls and processes for each NIST requirement and CMMC practice, and identify and document weaknesses in compliance. The weakness template lets you record any gaps in compliance (gap assessment) and track their remediation to prove compliance (POAM). Any defense contractor, whether it has a single facility or many, will benefit because the software creates a common operating picture that can be distributed across the whole company, multiple locations, and the supply chain to keep everyone consistent.

What is the difference between NIST SP 800-171 and CMMC?

NIST SP 800-171 is a set of 110 security requirements, published and revised by NIST. Per DFARS clause 252.204-7012, a defense contractor must implement all 110 requirements (documenting any not yet implemented in an SSP and POAM) to win and continue to do work for the Department of Defense; compliance is self-attested. CMMC has 5 levels, each building on the practices of the previous level; the level a contractor must hold is specified in the contract it bids on, and certification is granted only after an assessment by an accredited C3PAO. CMMC Level 3 contains all 110 NIST SP 800-171 requirements plus 20 additional practices (130 in total); Levels 1 and 2 cover progressively larger portions of that set, and Levels 4 and 5 add practices beyond NIST SP 800-171.

What CMMC level do I need to pursue in order to bid on contracts?

The level you need is the level specified in the solicitations you want to bid on. When RFIs and RFPs are released, read them and match your capabilities to the CMMC level they require. If your work involves CUI, CMMC Level 3 is the usual target: it contains all 110 NIST SP 800-171 requirements plus 20 additional practices, so a contractor that is already NIST SP 800-171 compliant is most of the way there.

What is CMMC?

CMMC, which stands for “Cybersecurity Maturity Model Certification”, includes multiple maturity levels ranging from “Basic Cyber Hygiene” (Level 1) to “Advanced/Progressive” (Level 5). The purpose is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) so that holding a specified CMMC level becomes a condition of contract award, with the required level set according to the sensitivity of the information handled under that contract.

What is required today to be considered NIST SP 800-171 compliant?

  • Gap assessment – where your cyber security compliance stands today versus where it needs to be, requirement by requirement.

  • POAM (Plan of Action and Milestones) – takes the deficiencies found in the gap assessment and sets a timeline and milestones for bringing each one into compliance (NIST SP 800-171 requirement 3.12.2).

  • SSP (System Security Plan) – describes the system boundary and how each NIST SP 800-171 requirement is implemented, together with the policies and procedures that support it (NIST SP 800-171 requirement 3.12.4).