What is the Difference Between CMMC and NIST?
If you are a DoD contractor, this summer you will be required to align with the new Cybersecurity Maturity Model Certification (CMMC). Many DoD contractors are confused, and even frustrated, at the prospect of integrating a whole new cybersecurity model into their existing compliance efforts. A big question in the industry is how CMMC differs from the other major requirements contractors already face, especially those laid out in NIST publications.
At FTP Today, we have helped many businesses with their file sharing and cybersecurity compliance needs. Staying a step ahead of ever-evolving threats is a challenge we are constantly helping partners face, and with the introduction of CMMC we see these compliance requirements as one more way to stay ahead of those threats.
This article aims to alleviate that frustration by explaining the difference between CMMC and NIST, and why your business and our industry need both.
What is NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) is a set of best practices you are likely already familiar with. It was published by the National Institute of Standards and Technology to give organizations a common structure for managing cybersecurity risk and keeping data safe. The CSF itself is a framework rather than a control catalog: it organizes security outcomes into functions (Identify, Protect, Detect, Respond, Recover) and points to the detailed controls in NIST's other publications.
These measures are reliable, repeatable, cost effective and straightforward to implement, and organizations that adopt them reap the benefits of reduced risk and stronger data security. For DoD contractors the relevant NIST publication is not optional: DFARS clause 252.204-7012 already requires contractors that handle controlled unclassified information (CUI) to implement the security requirements of NIST SP 800-171.
NIST has issued numerous security publications addressing different and evolving threats. The two most relevant here are NIST SP 800-53, the full catalog of security and privacy controls for federal information systems, and NIST SP 800-171, which tailors that catalog into 110 requirements for protecting CUI in nonfederal systems.
What is the Cybersecurity Maturity Model Certification (CMMC)?
The Cybersecurity Maturity Model Certification, or CMMC, is a new approach to managing cybersecurity and promoting safe data practices across the defense supply chain. The Department of Defense created it in response to a number of high-profile breaches of contractor systems.
The CMMC assigns one of five cybersecurity maturity levels to participating contractors and subcontractors, ranging from Level 1, “Basic Cyber Hygiene,” to Level 5, “Advanced/Progressive,” depending on the practices and processes the organization has in place and can demonstrate. The levels are cumulative: each includes all of the practices of the levels below it. This makes it simple for DoD program offices to require a specific level in a contract based on the sensitivity of the data the contractor will handle.
How are NIST and CMMC Different?
On the surface, the NIST publications and CMMC actually have a lot in common. They share the same general objective: protecting Federal Contract Information (FCI) and controlled unclassified information (CUI). In fact, CMMC draws much of its content from NIST. Its practices map directly to security requirements and controls in NIST SP 800-171 and NIST SP 800-53, and also draw on ISO 27001, ISO 27032 and other sources.
However, CMMC goes further than NIST SP 800-171 in how an organization's security posture is verified. Under DFARS 252.204-7012, SP 800-171 is a single bar: the contractor self-attests that all 110 requirements are implemented, documents them in a System Security Plan, and tracks any gaps in a Plan of Action and Milestones (POA&M). There is no independent check and no intermediate tier; the organization either has implemented the requirements or it has not.
CMMC replaces self-attestation with an assessment by an accredited third-party assessment organization (C3PAO), and it tiers the requirements into five levels. An organization that has the essential practices in place but is still working toward the more advanced ones can be certified at a lower level rather than failing outright. Note, however, that every practice at the level being assessed must be fully implemented at the time of the assessment, because CMMC does not accept open POA&M items.
This gives organizations room to work toward higher maturity levels over time. While they do, they can still be awarded contracts that require only the level they hold. It also means the assessment takes a broader look at an organization's processes and how well its practices are institutionalized, rather than simply checking controls off a list.
Do DoD Contractors Need Both CMMC and NIST?
In light of consequential breaches, the DoD's reevaluation of its security requirements concluded that NIST SP 800-171 alone, enforced through self-attestation, was not holding up against emerging threats: a contractor's own claim of compliance gave the Department little assurance that the requirements were actually implemented.
As technology evolves, so do the methods by which attackers gain access to sensitive data. Breaches of defense contractors, especially by nation-state actors, can have far-reaching consequences, up to and including the loss of American lives.
While CMMC does go further to ensure data is protected, it builds on NIST rather than replacing it: Level 3 and above incorporate all 110 requirements of NIST SP 800-171, plus additional practices. So yes, it is necessary both to implement the NIST controls and to earn a CMMC maturity level.
If I Am Compliant with CMMC, Am I Compliant with NIST?
Not necessarily. Earning a CMMC maturity level means you have met the practices required for that level. Level 3 and above include all 110 requirements of NIST SP 800-171, but a Level 1 or Level 2 certification covers only a subset of them, so at those levels you may not have every NIST requirement in place.
One particular difference is the 63 Non-Federal Organization (NFO) controls listed in Appendix E of NIST SP 800-171. These are not requirements about handling a category of information; they are NIST SP 800-53 controls that NIST expects a nonfederal organization to have in place as a matter of course, as part of its general security program, and for that reason they are listed separately from the 110 CUI requirements rather than among them. CMMC assesses its own enumerated practices and does not adopt the NFO list as a whole.
So, while it may be ideal for contractors to have these controls in place for business outside the government (or simply for added security), they are not a prerequisite for earning a CMMC level.
Remember that CMMC and NIST compliance are not equivalent. Although they overlap substantially, you need to be mindful of both the CMMC model and the NIST publications when crafting your security policies.
What Does the Future Look Like for DoD Contractors?
Because CMMC does not become a requirement in RFPs until June 2020, it is hard to determine the full impact of this new compliance approach now. In fact, the DoD has yet to release some key details about CMMC, such as the cost of an assessment. What it does signal is the importance being placed on cybersecurity for the future.
It also means that DoD contractors should start taking proactive steps now to strengthen their security measures. Consider the maturity level you will need to keep your current DoD contracts or to win the types of contracts you want to hold in the future, and map your existing NIST SP 800-171 implementation against the practices required at that level.
NIST and CMMC will work hand in hand to make for a safer and more structurally sound data security landscape. In our work with clients, FTP Today has found that a strong understanding of all the compliance guidelines that apply to your data is what keeps it both secure and usable.
Want to learn more about cybersecurity requirements? Download this free ITAR, EAR and DFARS Compliance Requirements Guide now.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.