How Do I Become NIST 800-171 Compliant

What is the best thing to be working on if you are a contractor who handles or stores CUI? Complying with the controls of NIST SP 800-171r2. CMMC certification means that a third party has assessed your organization and found that it meets those controls.

NIST 800-171 Compliance

Compliance with NIST 800-171 r2 means earning an SPRS score of 110, which indicates that all 110 controls have been met. There is also a self-assessment: as of now, companies are expected to accurately report their compliance score to the SPRS database during the two years between CMMC certification assessments.

How Many Controls Are There?

As you prepare for your compliance journey, it is important to know there are 110 controls in the standard as well as 320 assessment objectives. These are divided into fourteen families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

You might be thinking some of these are similar to ISO 27001, and you would be correct about that. There are several parallels between the standards in terms of approach and structure. However, ISO 27001 focuses on information management while NIST 800-171 is focused on the protection of Controlled Unclassified Information (CUI).

The CMMC Assessment

Assessing where your company is in terms of compliance is an important step to take before scheduling with a C3PAO. Do not be shy about contacting two C3PAOs (CMMC Third Party Assessment Organizations), one to help you prepare and another to do the actual assessment.

NIST makes available a spreadsheet outlining assessment procedures, and what it reveals is that no two companies are likely to have the same compliance experience. For example, your assessment may reveal that your company needs to significantly increase employee training in CUI protection and proper handling. Another company, however, may need to address physical security and access concerns that could require an overhaul of how employees work. Some organizations may find that achieving CMMC certification requires large investments, while others may already have a solid infrastructure in place that does not necessitate those expenses.

ISO 9001 and ISO 27001 Can Help You Toward CMMC Certification 

Although each of these standards covers a different niche, an organization that is already ISO certified can get a good start on the CMMC journey.

ISO 9001 is an overarching quality management system standard. Among other benefits, this certification helps ensure that the company's management is fully engaged, which is necessary for NIST 800-171 compliance.

ISO 27001 builds on ISO 9001 with the information security management system (ISMS) structure. As mentioned previously, information security should not be confused with CUI protection, but earning an ISO 27001 certification will cover a lot of the controls under the NIST 800-171 umbrella.

If you have any questions about your organization's current ability to comply with NIST 800-171, contact us today. We are happy to help. 
