How to Find Your NIST 800-171 & CMMC Requirements: A Comprehensive Guide to Determine Your Compliance Requirements from Your Primes and Clients.
One of the most frequently asked questions I receive is:
“How do I know if I need to be compliant with either the NIST 800-171 or CMMC frameworks?”
The bottom line is that if you possess controlled unclassified information (CUI) then your organization – with the exception of commercial off the shelf (COTS) companies – will likely have to fulfill these compliance requirements. Unfortunately, it’s not always clear to many organizations if they fall under this umbrella, so we’ve developed a quick guide to help clarify your compliance obligations to not only ensure you’re in good standing with your existing contracts but are also able to bid for future contracts which will very likely include these requirements in the very near future.
Speak to your Clients & Vendors:
Our first recommendation is to simply reach out to your clients to learn if they currently require or anticipate requiring either NIST 800-171 or CMMC compliance. Based on our experience, company contracting officers or program managers for a contract are great resources to learn about what they expect from their vendors and if they anticipate incorporating these compliance requirements as part of their contracts. You should also learn if the clients themselves have NIST 800-171 or CMMC requirements related to your contract with them. If the answer is yes, it is likely that your contract with the client should also have this language, as both NIST 800-171 and CMMC both require flow-down to be included in subcontracts.
Look In Your Contract:
If you’re unsure or not comfortable reaching out to your clients to ask them about their compliance expectations, you can oftentimes find these requirements within your contract. By referring to Section H.27 (Facility, Personnel, and Systems Security Documentation), you’ll find language indicating your potential compliance requirements and will want to keep an eye out for terms such as DFARS (7012), NIST, NIST 800-171, CMMC, and ITAR. In addition to this, you can also find additional compliance obligations by referring to your DD254 form which is an appendix within your contract.
Additional Insights & Considerations:
Last but not least there are three insights, recommendations and considerations you should keep in mind as part of your compliance strategy to help determine if your organization will likely be required to address these compliance requirements and position itself for long-term success.
1. Consider NIST 800-171 & CMMC as a competitive marketing advantage:
If you determine that the NIST 800-171 or CMMC are not an immediate requirement for your organization and are not included in any of your current contracts, then it may be a good idea to consider implementing them as a competitive marketing advantage. At TSI, we became CMMC Level-3 compliance ready to distinguish ourselves in the market and almost half of our NIST/CMMC DoD clients are doing so for the same reason. Although they’re not required to be compliant today, they choose to do so from a strategic marketing decision to improve their chances of success in an increasingly competitive market that if not today, will very soon require contractors to be compliant.
2. Be aware of the timeline to implement the NIST 800-171 & CMMC frameworks:
In the worst-case scenario that your organization has done very little to nothing at all to become compliant today, it very well could take anywhere from 12-18 months to implement the technical and programmatic controls and solutions to accomplish compliance.
For example, from a technical standpoint, of the 130 CMMC 3 controls, there are 25+ technical services or tools required to adequately address them and some of them require the expertise of an MSP or MSSP, to purchase and implement them. Microsoft GCC High is one such frequently overlooked solution that will be required for organizations with CMMC 3 + ITAR requirements and can only be purchased from 9 registered Microsoft GCC High Companies and implemented by a limited number of organizations nationally- TSI is one of them
Regarding the programmatic component of the CMMC, the policy development, supporting documentation, and process development for each of the 130+ CMMC controls was one of the primary areas of focus for our assessors and on average, we estimate it takes 120 hours to complete and generally requires a CISSP-level Security Engineer or CISO to complete an audit-ready Security and Compliance Program. Without experience in developing these programs, it will take significantly longer. In addition to this developing a Security and Compliance Program for CMMC Level-3 requires that the program is managed and sustained over time. A complete program includes requisite policies, practices, procedures, strategic implementation plans, process development and resources to manage and sustain the program and its associated controls. Developing a program with this level of rigor, detail and congruence requires CISO level knowledge and experience. As our own assessment ended, we received excellent comments on our program including how it has made our assessor’s job much easier!
3. Determine your IT provider’s RPO status and CMMC readiness :
If you’re currently working with an IT provider that isn’t an CMMC-AB RPO today[JB4] , it may benefit you to partner with one. A CMMC RPO is registered with the CMMC Accreditation Board and have undergone a background check to ensure they fulfill the basic requisites to provide NIST/CMMC services to the DIB. In addition to this and even more importantly, in order for them to continue providing your organization with services- especially if those services or solutions address your compliance requirements- they will also need to adhere to the same level of NIST 800-171 and CMMC level that is required of yourself if they have (verified or unverified) access to your CUI. To ensure your organization is adequately prepared for an audit, you should speak to your IT provider as soon as possible to clarify if they meet these standards and if they’ve undergone a 3rd party audit of their systems attesting their ability to be CMMC certified ready when that time comes. Overlooking this critical detail could significantly impact your organization’s NIST/CMMC implementation process from both a time and financial standpoint.
As a nation-wide partner to the DIB, we hope that our guidance here has helped clarify your compliance obligations so you can take the appropriate measures to improve your security posture and ensure that your organization is able to pursue and keep your DoD contracts.
Feel free to check out the NIST 800-171 & CMMC compliance page to learn how we can help support your organization’s compliance objectives.