NIST 800-171 & CMMC Compliance - Where Do I Start?
Meticulous documentation is the unsung hero of NIST 800-171 compliance and CMMC assessment readiness. ComplianceForge is here to help make NIST 800-171 compliance as easy and as affordable as possible. We specialize in compliance-related documentation (e.g., policies, standards, procedures, SSP/POA&M templates, SCRM Plans, etc.) and offer several options for CMMC / NIST 800-171 compliance efforts. The right option depends on the focus of your compliance efforts: whether you only need to comply with CMMC / NIST 800-171, or whether you have other compliance obligations to address at the same time:
NIST 800-171 Compliance Program (NCP) - This is as close to an “easy button” as we can make from a documentation perspective. The NCP focuses only on CMMC Level 2 / NIST 800-171, which is where it is the most cost-effective and efficient solution. It contains the policies, standards, procedures, SSP/POA&M and other templates that you legitimately need to demonstrate compliance with NIST 800-171 and pass a CMMC assessment. The NCP includes one year of updates, so when NIST 800-171 R3 is finalized, you will receive updated versions of the documentation.
NIST 800-171 / CMMC Bundle #2 - If you need to “speak NIST 800-53” for other contracts (e.g., FedRAMP, RMF, FISMA, etc.), then Bundle #2 is a great option. This version is directly aligned with the moderate baseline from NIST 800-53B and uses NIST 800-53 terminology and taxonomy (e.g., coverage for all 20 NIST 800-53 control families). Unless you have other obligations that require the entire moderate baseline from NIST 800-53, this may be overkill for companies that just need to comply with CMMC / NIST 800-171.
NIST 800-171 / CMMC Bundle #3 - Bundle #3 is similar to Bundle #2, but covers the high baseline from NIST 800-53B. It is meant for the select organizations that need to adhere to the NIST 800-53 high baseline, and it also includes coverage for NIST 800-172.
NIST 800-171 / CMMC Bundle #4 - If you need “the whole enchilada,” with robust coverage for far more than just CMMC / NIST 800-171, then Bundle #4 is the best option for an enterprise-class environment, especially one that will use a GRC platform to manage its documentation. Bundle #4 is built on the Secure Controls Framework (SCF), which covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-171, NIST 800-172, NIST 800-53, NIST CSF, ISO 27001/2, CMMC and many others. Its Digital Security Program (DSP) includes one year of updates, so when NIST 800-171 R3 is finalized, you will receive updated versions of the documentation.
Planning For NIST 800-171 R3
There are significant changes between NIST 800-171 R2 and NIST 800-171 R3. ComplianceForge documentation is already updated for NIST 800-171 R3, to make your journey to complying with R3 as easy as possible.
Understanding Scoping For NIST 800-171 & CMMC
Arguably, determining what is and is not in scope for NIST 800-171 and CMMC is one of the most difficult steps in your compliance journey: every control applies to the in-scope environment, so an inaccurate boundary means either unprotected assets or unnecessary cost.
The Unified Scoping Guide (USG) is a free resource intended to help organizations define the scope of the environment where sensitive data is stored, processed and/or transmitted. To simplify the concept, this guide refers to both sensitive and regulated data as “sensitive data.” The USG model categorizes system components according to several factors:
Whether sensitive data is being stored, processed or transmitted;
The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and
The connectivity between the system and the sensitive data environment.
This is an evolution of the CUI Scoping Guide that ComplianceForge previously published. The new version reflects the DoD's CMMC 2.0 Level 2 Scoping Guidance, which covers Controlled Unclassified Information (CUI) scoping considerations, but expands the model to address a broader category of sensitive and regulated data. Companies can use this document to define what is in scope for NIST SP 800-171 and to prepare appropriately for a CMMC assessment, since understanding the scope of the CUI environment is a significant step towards becoming NIST SP 800-171 compliant and being able to pass a CMMC assessment.
The USG approach is applicable to the following sensitive data types:
NIST 800-171 R2 & R3 / CMMC 2.0 Editable & Affordable Cybersecurity Documentation
This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive.