A Quick Guide to NIST SP 800-53, NIST SP 800-171, CMMC, and FedRAMP

Before I started working cybersecurity, more than a decade ago, I had no idea what NIST (National Institute of Standards and Technology) was, what risk management frameworks were, who they applied to, or what distinguished one set of standards from another. That changed quickly. Today, individuals working in cybersecurity know that NIST policies heavily dictate your daily activities. If you are new to cybersecurity or are looking to build a risk management program, this article will provide some guidance to some of the basics of federal cybersecurity frameworks and the programs to be on the lookout for.  

Risk Management Frameworks (RMF)

A Risk Management Framework (RMF) is a roadmap and set of instructions used to continually minimize security risks. When it comes to an organization’s digital footprint and those that service IT systems, NIST’s 800 Special Publication (SP) series provides an unequivocal source of truth for cybersecurity best practices. This third-party guidance from NIST is used by government programs like FedRAMP and CMMC to certify their constituents.

Here is a quick-hit reference guide and mapping of NIST SP’s to the government programs that rely on them so you can understand what RMF to follow for the certification you’re seeking for your organization.  

NIST SP 800-53  

What is NIST?  

• The National Institute for Standards and Technology is a non-regulatory agency within the Department of Commerce which helps to develop and publish IT security standards such as 800-53.

Who is NIST SP 800-53 intended for?  

• Originally, federal government agencies and their IT systems.
• Companies who may be required to meet many of the controls to work as a contractor (Rev 5 removed the word "federal" to indicate that the controls should be applied for all organizations).
• FedRAMP CSP’s (Cloud Service Providers) are required to provide a NIST SP 800-53 compliant service (plus cloud-specific overlay controls) to federal agencies.

How is NIST SP 800-53 enforced?  

• NIST 800-53 is enforced primarily through compliance requirements for federal agencies and contractors. Organizations must implement its security controls as part of their risk management framework.
• FISMA - Federal Information Security Management Act of 2002 is legislation that relies on NIST special publications to enforce its mandate.
• Federal government agencies and CSPs are required to assess their compliance with the NIST 800-53 controls and obtain authorization to operate (ATO) from designated officials. This involves a rigorous evaluation of whether the implemented controls are effective.
• Federal government agencies and CSPs may also integrate NIST 800-53 controls into their broader organizational policies, including incident response plans, security policies, and risk management strategies.

What sets NISTSP 800-53 apart?  

• NIST SP 800-53 is the most technical and prescriptive RMF (Risk Management Framework) of the bunch. If you have never thought about security before and face NIST SP 800-53 compliance requirements, buckle up. It is broken up into 18 control families that dictate everything from the way your systems must be configured to the processes and procedures that make up your organization’s risk management program.  

CMMC  

Why does CMMC exist?  

• The CMMC (Cybersecurity Maturity Model Certification) program evolved as part of DOD efforts to enforce effective measures set out in the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC requires that government contractors protect their Controlled Unclassified Data (CUI) by implementing the NIST SP 800-171 controls and having them verified by a 3rd Party Assessment Organization (3PAO).
• CMMC exists to enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB) and to ensure that sensitive government information is protected. It aims to standardize cybersecurity practices acro b bb ss contractors, improve the security of defense supply chains, and mitigate the risks of cyber threats.
• CMMC aims to safeguard CUI that is shared with contractors and subcontractors in the defense supply chain, helping to mitigate the risk of data breaches and cyber threats. Prior to CMMC, there was no uniform standard for cybersecurity across the DoD supply chain, leading to inconsistencies in how organizations approached cybersecurity. CMMC provides a standardized framework that organizations must adhere to, ensuring a baseline level of security.
• CMMC establishes a trust framework between the DoD and its contractors, ensuring that organizations are held accountable for their cybersecurity practices. This fosters a culture of security within the defense industrial base. By implementing CMMC, the DoD aims to deter cyber threats and reduce the likelihood of successful cyber-attacks against defense contractors and their systems. Overall, CMMC exists to create a more secure environment for handling sensitive defense information and to ensure that all entities within the supply chain are equipped to handle and protect that information effectively.

Who is CMMC intended for?  

The Cybersecurity Maturity Model Certification (CMMC) is specifically intended for organizations that are part of the Department of Defense (DoD) supply chain and within the Defense Industrial Base (DIB).

These organizations handle Controlled Unclassified Information (CUI) related to U.S. Department of Defense (DoD) contracts. This includes prime contractors and subcontractors at all levels who provide products or services to the DoD. Here are some categories of organization types:

1. ‍Prime Contractors: Companies that have direct contracts with the DoD to provide products or services. They are required to comply with CMMC to protect sensitive information.‍
2. Subcontractors: Organizations that provide goods or services to prime contractors. They must also meet CMMC requirements, as they may handle Controlled Unclassified Information (CUI) related to DoD contracts.‍
3. Defense Industrial Base (DIB) Companies: This encompasses a wide range of companies that support defense efforts, including manufacturers, software developers, logistics providers, and other service providers.‍
4. Organizations Handling CUI: Any organization that processes, stores, or transmits Controlled Unclassified Information as part of their work with the DoD must comply with CMMC requirements to ensure the protection of that information.‍
5. Foreign Entities: In some cases, foreign companies that work with the DoD or its contractors may also need to comply with CMMC if they handle sensitive information related to defense contracts.

• Vendors – Defense Department Contractors and Subcontractors
• Purchasers – Defense Department Agencies  

NIST SP 800-171  

What is NIST SP 800-171?  

• NIST SP 800-171 is another SP (Special Publication) developed by NIST to standardize how federal agencies define Controlled Unclassified Data (CUI) and the IT security standards for those that have access to it.  

Who is NIST SP 800-171 intended for?  

• CMMC requires Government contractors, their third-party vendors, and service providers who store and share classified and unclassified Federal Government data to comply with NIST SP 800-171 guidance.   

How is NIST SP 800-171 enforced?  

• In order to do business with the federal government, the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 now requires that defense contractors show proof of compliance with NIST SP 800-171  

What sets NIST SP 800-171 apart?

• Compared to other SPs, NIST SP 800-171 is more high-level and less prescriptive. Therefore, there is more latitude on behalf of the organization to defend their control environment.  

FedRAMP 

Why does FedRAMP exist?

• Each Federal Agency must grant an Authority To Operate (ATO) to utilize a CSP. The FedRAMP program provides authorized cloud services which Federal Agencies can browse and select from an online marketplace. If a CSP is on the FedRAMP marketplace, then an Agency shopping for a particular technology can be assured that the CSP has complied with the NIST SP 800-53 RMF with additional overlay controls.

Who is FedRAMP intended for?  

• Vendors - Any Cloud Service Provider (CSP) who sells SaaS, PaaS, or IaaS products to the United States Federal Government.  
• Purchasers – United States Federal Government  

Compliance with a NIST RMF at your organization is voluntary unless you are a Federal Government agency or working with the Federal Government. That said, I would highly recommend striving for NIST compliance because it is the foundation that all major regulatory bodies adhere to. If you can prove you are compliant with all the major NIST publications, you will not have any problems satisfying an audit later down the road.  

If you need an experienced cybersecurity consultant to assess your cybersecurity posture and advise you on your security program, MindPoint Group is here to help you. We are a cybersecurity consulting company with 11 years of experience helping Federal Government Agencies deploy secured software solutions on-premise and in the cloud. Contact us to learn more.