CMMC V1: What it means for NIST 800-171 & the defense industrial base

Posted by

Stuart Itkin, Vice President

The Department of Defense (DoD) released Version 1 (V1) of the Cybersecurity Maturity Model Certification (CMMC) on January 31, 2020. The DoD created CMMC in response to the continued exfiltration of controlled unclassified information (CUI) from its supply chain. These breaches threaten national security, empower adversaries, and cost the U.S. economy more than $600 billion per year.

CMMC serves as a unified standard for cybersecurity that will be incorporated as a “go/no-go” requirement for DoD acquisitions. It draws on sources including National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), the United Kingdom Cyber Essentials, Australia’s Cyber Security Centre Essential Eight Maturity Model, the Aerospace Industries Association’s National Aerospace Standard 9933, and others.

CMMC V1 identifies five levels of increasing cybersecurity maturity, comprised of 171 practices (technical capabilities) and five processes (measures of practice consistency and repeatability) that span 17 domains.

CMMC’s cumulative methodology means that in order to achieve Level 3, for example, an organization must address all of the practices and processes found in Levels 1, 2, and 3. CMMC V1 positions and defines the five levels as follows:




All 300,000 companies that comprise the Defense Industrial Base must acquire at least Level 1 certification in order to participate on any DoD contract that incorporates CMMC into its procurement requirements. In order to receive a certification at any level, DIB companies must pass an audit conducted by an accredited CMMC third-party assessment organization (C3PAO).

CMMC Timing

The release of V1 marks the first major milestone in CMMC’s carefully-staged rollout. At the DoD’s press briefing announcing the release of CMMC V1, Katie Arrington, the DoD’s chief information security officer for acquisition, indicated that in 2020, the DoD plans to include CMMC in ten requests for information and ten requests for proposal for programs of varying magnitude at varying CMMC levels. In all, approximately 1,500 DIB companies will require certification prior to award of these contracts.

The DoD will not retroactively inject CMMC into existing contracts – it will only be part of new contracts and extensions/ re-competes. As a result, the transition to CMMC will take until government fiscal year 2026 to complete, affecting additional members of the DIB each year between now and then.

CMMC vs. NIST SP 800-171

For the duration of the transition to CMMC, DFARS clause 252.204-7012 remains in effect. That clause currently stipulates that any company that accesses or stores CUI must self-assess its cybersecurity capabilities and self-attest that it meets all 110 security controls of NIST SP 800-171 or have a Plan of Actions and Milestones (POA&M) to do so. In addition, DoD prime contractors assume responsibility for gathering this information from their subcontractors and suppliers that handle CUI on their programs, and primes must only work with partners that comply with NIST SP 800-171 and/or have a POA&M in place.

For the next five-plus years, the CMMC and NIST SP 800-171 mandates will coexist as the number of contracts subject to CMMC ramps up and those subject to NIST SP 800-171 come to their conclusion, as illustrated in this projected timeline:




As a consequence, all members of the DIB must ensure that they understand NIST SP 800-171, account for its security controls, and report progress accurately, because:

  • The DoD intends to conduct more frequent and thorough audits of contractor/supplier NIST SP 800-171 self- attestations to mitigate risk and reduce exfiltration and its impacts during the migration to CMMC.
  • Failure to accurately report NIST SP 800-171 compliance status may jeopardize contract participation and/or lead to prosecution under the False Claims Act.
  • CMMC includes all 110 NIST SP 800-171 security controls (17 at Level 1, another 48 at Level 2, and an additional 45 at Level 3), as well as controls from the forthcoming release of NIST SP 800-171B at Levels 4 and 5.

Putting it all together

The profile and priority of NIST SP 800-171 has never been higher. DoD prime contractors and their suppliers, regardless of their interactions with CUI, who proactively address NIST SP

800-171 will minimize their challenge of simultaneously dealing with CMMC and NIST SP 800-171, ease their migration to CMMC, position themselves to achieve higher-level CMMC certifications, and give themselves a competitive advantage.

All parties that serve the DoD have a lot at stake with the tightening cybersecurity standards. In the current climate, businesses may find value in solutions that can streamline compliance while helping to preserve operational efficiency and mitigate risk.