National Institute of Standards and Technology (NIST) Requirements – Building Blocks for FAR/DFARS
NIST is an agency of the U.S. Department of Commerce whose purpose is to promote innovation and competitiveness in U.S. industry. Originally established as the National Bureau of Standards in 1901, it was renamed NIST in 1988 as its mission shifted more specifically toward promoting scientific and technical advancement. NIST publishes a series of Special Publications (SP) providing technical guidelines on cybersecurity. For organizations seeking CMMC certification, the most relevant publications are NIST SP 800-171 and SP 800-172.
- NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Originally released in 2015 with a revision in 2020, this publication’s purpose is to protect federal Controlled Unclassified Information (CUI) when handled by nonfederal systems, particularly DoD contractors and subcontractors. It provides a comprehensive set of security requirements that DoD contractors and subcontractors must implement when working with the federal government.
- NIST SP 800-171 provides the requirements mandated by DFARS 252.204-7012 for defense contractors handling CUI and thus lays the groundwork for CMMC Level 2.
- NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- This publication was developed in 2021 as an enhancement to NIST SP 800-171. Its purpose is to protect highly sensitive federal CUI from advanced persistent threats.
- It is intended to be used in high-risk situations, as defined by the DoD and specified in individual contracts. As such, it provides the additional requirements for CMMC Level 3.
Federal Acquisition Regulation (FAR) and CMMC Level 1
The FAR provides the framework for all federal contract work that involves processing, storing, or transmitting Federal Contract Information (FCI). It specifies the contractors’ general requirements and responsibilities. Though it doesn’t apply exclusively to the defense industry, all work done for the DoD is included in its purview. Regarding CMMC, it is essential to understand the following FAR clause, which applies to contractors who handle FCI and directly relates to CMMC Level 1.
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems.
- This clause provides fifteen basic security controls that all contractors and subcontractors must implement in order to do any work for the federal government. These are basic safeguards covering access control, physical protection, and monitoring. They are meant to reflect security measures that prudent businesses should implement even without federal requirements.
- All organizations doing business with the DoD must implement these controls. These controls represent the requirements needed to achieve CMMC Level 1. Contractors self-assess at this level and must document their results.
- This FAR clause flows down to subcontractors at every tier.
Defense Federal Acquisition Regulation Supplement (DFARS) Clauses and CMMC Levels 2 and 3
DFARS provides requirements specific to the defense industry, designed to protect DoD information. Several DFARS clauses mandate the rules that will ultimately require CMMC compliance. Because these clauses apply to contractors who handle Covered Defense Information (CDI), including CUI for the DoD, they relate to CMMC Level 2 and higher.
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.
- This clause requires contractors to implement the 110 cybersecurity requirements specified in NIST SP 800-171. These are also the requirements needed to achieve certification at CMMC Level 2 and above.
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements.
- This clause builds toward CMMC certification by requiring contractors to review their solicitation and determine whether they must implement NIST SP 800-171 to be considered for contract award. If so, they must have a current assessment for each relevant system and submit the results to the DoD’s Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements.
- When this clause is included in a DoD contract, the contractor must make their systems available for DoD assessors to conduct a Medium or High NIST SP 800-171 assessment.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification (CMMC) Requirements.
- This clause specifically introduces CMMC and is expected to be required in DoD contracts before the end of 2025.
- It requires DoD contractors to maintain the appropriate CMMC certification level.
- Level 1 for contractors handling only FCI (15 requirements from FAR 52.204-21). Self-assessed.
- Level 2 for contractors handling CUI (110 requirements from NIST SP 800-171). May be self-assessed or third-party assessed, as specified in the contract.
- Level 3 for contractors handling highly critical CUI, as specified in the contract (110 requirements from NIST SP 800-171, plus 24 requirements from NIST SP 800-172). DIBCAC-assessed.
CyberNINES can help you navigate the FAR and DFARS landscape for CMMC Compliance. Contact us with any questions you might have about CMMC or the regulations it supports.
Resources
- A Defense Contractors Guide to CMMC DFARS and FAR Requirements: https://blog.cybernines.com/a-defense-contractors-guide-to-cmmc-dfars-and-far-requirements