What is NIST SP 800-171 and CMMC?


NIST SP 800-171 and CMMC (Cybersecurity Maturity Model Certification) are compliance frameworks meant to ensure that organizations implement sound cybersecurity policies and controls. Any organization that processes or stores controlled unclassified information (CUI), the U.S. government's category for sensitive but unclassified data, must demonstrate compliance to do business with the U.S. Department of Defense (DoD).

RELATED: What exactly is CUI? (and how to manage it)

Compliance frameworks in general help organizations put proactive security measures in place. Following such guidelines (HIPAA included) is a form of active defense against serious cyber threats.

SEE ALSO: HIPAA compliant email

That most of these frameworks are mandatory for certain organizations also helps keep threat actors and data breaches from causing grave harm.

What is NIST SP 800-171?

NIST (the National Institute of Standards and Technology) is a nonregulatory agency of the U.S. Department of Commerce. It promotes American innovation and industrial competitiveness by advancing measurement science, standards, and technology.

Its security standards and guidelines also help federal agencies (and the organizations that work with them) meet requirements for protecting data and information systems.

RELATED: NIST releases enterprise risk management privacy framework

First published in June 2015 (Revision 2 followed in February 2020), NIST SP 800-171 specifies how nonfederal organizations must protect CUI. The idea is that every contractor handling government data starts its contract with the required safeguards already in place, so that, in turn, the government's data stays protected.

The framework takes an outcome-based approach: it states what must be achieved and expects evidence that it has been, rather than prescribing specific products. In total, there are 110 requirements grouped into 14 "families":

Access control
Awareness and training
Audit and accountability
Configuration management
Identification and authentication
Incident response
Maintenance
Media protection
Personnel security
Physical protection
Risk assessment
Security assessment
System and communications protection
System and information integrity

At this time, there is no certification for SP 800-171; organizations self-assess and self-attest. (Since November 2020, DoD contractors must also submit the score from that self-assessment to the DoD's Supplier Performance Risk System, under DFARS 252.204-7019 and 252.204-7020, so the attestation is no longer purely private.)

And CMMC?

CMMC is the DoD's cybersecurity training, certification, and third-party assessment program for defense contractors. Formally introduced in early 2020, CMMC is required for organizations that want to bid on and win contracts with the DoD.

RELATED: CMMC FAQ’s

This framework is the government's response to repeated compromises of contractors' information systems. It was also created to improve adherence to NIST SP 800-171, whose self-attestation model had produced low rates of actual compliance.

It draws on several other frameworks, including NIST SP 800-53, Aerospace Industries Association National Aerospace Standard 9933 (NAS9933), and the CERT Resilience Management Model (CERT-RMM).

CMMC 1.0 is composed of five levels built for different types and sizes of organizations. The levels are cumulative: each must incorporate the controls of all lower levels. The controls for levels 1 through 5 total 17, 72, 130, 156, and 171, respectively. (The CMMC 2.0 revision announced in November 2021 collapses the model to three levels, with Level 2 aligned to the 110 requirements of NIST SP 800-171; levels 2 and 4 of the original model were dropped.)

A network of accredited third-party assessment organizations (C3PAOs) grants the required certificate, which is valid for three years.

NIST, CMMC, and HIPAA

All cybersecurity frameworks derive from the same desire to safeguard sensitive information. NIST SP 800-171 and CMMC focus on CUI, while HIPAA concentrates on protected health information (PHI).

Their requirements mitigate vulnerabilities because the frameworks are built on risk management: the process of identifying, assessing, and mitigating threats to an organization's assets.

RELATED: Cybersecurity risk management: How companies are responding to COVID-19 and remote work

By using such tools as risk assessments and threat modeling, compliance frameworks push organizations to find the mix of cybersecurity practices that fits their own risk.

Moreover, complying with one framework can help an organization satisfy others, especially those that are less comprehensive or out of date.

CMMC Level 3, for example, incorporates all 110 requirements of NIST SP 800-171 (plus 20 additional practices). HIPAA, by contrast, is several decades old and leaves gaps in its guidance. Although HIPAA is mandatory under U.S. law, covered entities increasingly look to other frameworks to demonstrate compliance; organizations that want to go above and beyond what HIPAA requires often pursue HITRUST CSF certification.

RELATED: Paubox renews, expands HITRUST CSF certification through 2023

Commonality: proactive and protected

All the frameworks mentioned here have something in common: a proactive approach to combating cyberattacks (such as phishing) and protecting confidential information.

RELATED: NIST weighs in with ransomware tips

At the same time, which practices an organization adopts depends on the organization and its risk assessment. They will almost certainly include current, enforced policies and procedures, technical security controls, training and education, isolated backups taken regularly and tested, and email security.

Such steps to bolster security are especially pertinent given the recent increase in digital transactions, data sharing, and significant cyberattacks.

SEE ALSO: Why is healthcare a juicy target for cybercrime?

Checkbox thinking (compliance as security theater) is not enough to actively safeguard an organization and its sensitive information. Genuine risk management, with compliance frameworks as the scaffolding, is more robust and ensures accountability.

Both NIST SP 800-171 and CMMC (as well as HIPAA) were created to encourage the cohesive cyber strategies needed to safeguard sensitive data.


About the author

Kapua Iao
