Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

What is NIST SP 800-171 and CMMC?

What is NIST SP 800-171 and CMMC?

NIST SP 800-171 and CMMC (Cybersecurity Maturity Model Certification) are compliance frameworks that ensure organizations implement strong cybersecurity policies and measures. All organizations that process or store sensitive unclassified data (i.e., controlled unclassified information (CUI)) must demonstrate compliance to work with the U.S. Department of Defense.

RELATED: What exactly is CUI? (and how to manage it)

Overall, compliance frameworks help organizations employ needed proactive cyber safety measures. The use of such platforms/guidelines (including HIPAA) is an active defense against serious cyber challenges.

SEE ALSO: HIPAA compliant email T

hat most of these frameworks are mandatory for certain organizations only helps to keep threat actors and data breaches from causing grave disasters.


What is NIST SP 800-171?


NIST (The National Institute for Standards and Technology) is a nonregulatory agency of the U.S. Department of Commerce. It promotes American innovation and industrial competitiveness by developing technology, metrics, and standards. Moreover, its compliance standards and guidelines help federal agencies (and others) meet requirements for protecting data and information systems.

RELATED: NIST releases enterprise risk management privacy framework

First published in 2015 (and last updated February 2020), NIST SP 800-171 guides organizations that must protect CUIs. The idea is that all who work with the government begin their contracts completely cyber secure. And in turn, the government stays protected. The framework uses an outcome- and evidence-based approach to ensure organizations implement proper security measures. In total, there are 110 requirements broken into 14 "families," or groups:


Access control Awareness & training
Audit & accountability Configuration management
Identification & authentication Incident response
Maintenance Media protection
Personnel security Physical protection
Risk assessment Security assessment
System & communications protection System & information integrity


At this time, there is no certification for SP 800-171; organizations self-assess and self-attest.




CMMC is a cybersecurity training, certification, and third-party assessment program for the U.S. government. Formerly introduced in early 2020, CMMC is required for organizations that want to bid on and win contracts with the government.


This compliance framework is the government’s response to numerous compromises within contractors’ information systems. Additionally, CMMC was created to encourage compliance after the low rate of NIST SP 800-171 self-attestation. It consists of several other frameworks such as NIST SP 800-53, Aerospace Industries Association National Aerospace Standard 9933, and the Computer Emergency Response Team Resilience Management Model. CMMC is composed of five levels built for different types/sizes of organizations. Each level must incorporate the requirements or controls for those from lower numbers. The controls for levels 1–4 total 17, 72, 130, 156, and 171, respectively. A network of third-party assessors grants the required compliance certificate which is valid for three years.




In fact, all cybersecurity frameworks derive from the same desire to safeguard sensitive information. Both NIST and CMMC focus on CUIs while HIPAA concentrates on protected health information. The requirements mitigate cybersecurity vulnerabilities because such frameworks are based on risk management. Generally, risk management is the process of identifying, assessing, and blocking possible threats.

RELATED: Cybersecurity risk management: How companies are responding to COVID-19 and remote work

By using such business tools as risk assessments and threat modeling, compliance frameworks encourage organizations to find their best mix of cybersecurity practices. Moreover, complying with the guidelines of certain frameworks can help some organizations comply with other frameworks. Especially those that are not as comprehensive or are out of date. CMCC Level 3, for example, uses and entails the 110 requirements of NIST SP 800-171. And HIPAA is several decades old with gaps in its guidelines. Although HIPAA is mandatory under U.S. legislation, covered entities seem to be focusing more and more on other methods of compliance. Organizations that want to meet go above and beyond what HIPAA requires often consider obtaining HITRUST CSF certification.

RELATED: Paubox renews, expands HITRUST CSF certification through 2023


Commonality: proactive and protected


All the frameworks mentioned here have something in common: a proactive approach to combatting cyberattacks (such as phishing email attacks) and protecting confidential information.

RELATED: NIST weighs in with ransomware tips

At the same time, what practices an organization chooses depends on the organization and its assessment. But they will more than likely include up-to-date and active policies and procedures, security controls, training and education, separate and constant backups, as well as email security. Such steps to bolster security are especially pertinent given the recent increase in digital transactions, data sharing, and significant cyberattacks.

SEE ALSO: Why is healthcare a juicy target for cybercrime?

Checkbox thinking (i.e., security theater) is not enough to actively safeguard an organization and its sensitive information. Strong risk management (through compliance frameworks) is healthier and ensures accountability. Both NIST SP 800-171 and CMMC (as well as HIPAA) were created to encourage the cohesive cyber strategies needed to safeguard sensitive data.


Try Paubox Email Suite and make your email HIPAA compliant today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.