This post will cover the differences between the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171. If you missed part 1, on the differences between DFARS 252.204-7012 and FAR 52.204-21, you can read about it here.
How do CMMC and NIST SP 800-171 overlap?
CMMC and the NIST framework overlap significantly, but they are not the same thing. CMMC is a maturity model at its core, while NIST SP 800-171 is designed only to specify the security requirements (controls) that must be implemented. CMMC incorporates NIST SP 800-171 as the basis for most of its lower-level practices and processes. At the higher levels, CMMC adds what the NIST framework does not address, namely additional practices and process maturity. The NIST framework also has only 14 requirement families, while CMMC (version 1.0, the model this post describes) has 17 domains. The separation is easiest to see by going through the CMMC levels one at a time.
CMMC Level 1 has only 17 practices, all of which come from NIST SP 800-171. Together, these 17 practices also cover the entirety of FAR 52.204-21. However, Level 1 covers only a small subset of the NIST framework and includes no process maturity requirements. Level 2 is really just a stepping stone toward Level 3 and grants few benefits in the eyes of the federal government, so we will spare the details on that level for now. At Level 3, CMMC requires all 110 controls of NIST SP 800-171 along with 20 new CMMC-specific practices and processes, for a total of 130 elements. From this point on, CMMC expands well beyond the scope of NIST SP 800-171, since all 110 of its controls have already been consumed. By Level 5, there are 171 elements: 110 from NIST SP 800-171, 15 from NIST SP 800-171B, and 46 from CMMC itself.
What are the differences?
So what exactly are these differences, given that CMMC relies on NIST for the majority of its content? They come mainly from the Access Control (AC), Audit and Accountability (AU), Incident Response (IR), Risk Management (RM), System and Communications Protection (SC), and System and Information Integrity (SI) domains. As an example, compare a CMMC Level 1 AC practice with a CMMC Level 4 AC practice. AC.4.025 states: "Periodically review and update CUI program access permissions." It demonstrates maturity in that it describes the practice of managing other controls and maintaining a strong security posture over time. On the other hand, AC.1.001 states: "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices...". This practice merely says that there must be some limitation on access; it says nothing about checking that the limitation stays correct. The Level 4 practice is a way to monitor and improve on the Level 1 practice, which is exactly what we should expect from a maturity framework.
Scoring differences
The way the DoD scores NIST SP 800-171 compliance has three levels, while CMMC has five. However, the CMMC assessment and scoring guidelines simply follow the implementation of the framework, and to obtain any CMMC certification an audit will need to take place. The only things that change between levels are the depth of the audit and the practices checked (as of this writing, an assessment guide has not actually been released for CMMC levels above 3). For NIST SP 800-171, on the other hand, the DoD has defined a scoring framework, the NIST SP 800-171 DoD Assessment Methodology, that gives an entity a numeric score (it can be seen here). Each of the 110 requirements is weighted 1, 3 or 5 points; the score starts at 110 and the weight of every requirement that is not implemented is subtracted from it, so the lowest possible score is -203.
Unlike CMMC, the three NIST SP 800-171 assessment levels do not change the number of controls in scope. The NIST framework assumes that you are implementing all 110 controls. So what are the levels the DoD is providing? They are assurance levels, that is, how confident the DoD can be that you have actually implemented all 110 controls. At the lowest level (Basic), the assessment is a self-assessment; at the highest level (High), an on-site assessment by the DoD will need to take place.
Summary
So if you are complying with both NIST SP 800-171 and CMMC, there will be significant overlap, but complying with one does not guarantee the other. CMMC Level 1 earns nothing in the way of a high NIST score, and a self-attested perfect NIST score will not earn any CMMC certification. Preparing for one will certainly help in leaps and bounds to prepare for the other, but they are not the same.
If you need any help mapping out your pathway to compliance, let us at Trawvid Sec know. We will help you achieve the compliance you deserve and the security posture of legends.
Trawvidsec.net