
CMMC 2.0, NIST, and Risk Management

Cyber threats continue to grow in complexity and sophistication. To address this evolution, the Department of Defense has introduced the Cybersecurity Maturity Model Certification (CMMC) 2.0 to ensure that defense contractors maintain robust cybersecurity practices to protect Controlled Unclassified Information (CUI). 

To address one of the most important processes in modern security (risk management), CMMC 2.0 includes some risk assessment requirements. 

This article will explore risk management’s vital role in achieving CMMC 2.0 compliance and its connection to the National Institute of Standards and Technology (NIST) guidelines, specifically NIST SP 800-171. We will delve into the various control families of NIST 800-171 and 800-172, their impact on risk management, and the steps organizations can take to address potential risks effectively.


How Do CMMC Maturity Levels Impact the Adoption of NIST Controls?

Currently, CMMC version 2.0 is operating under a notional standard as stakeholders in the DoD supply chain assess and provide revisions to the framework. However, one change that seems stable per the mission of the new CMMC version (streamlining compliance) is the reduction of maturity levels from five to three. 

Currently, the three maturity levels of CMMC 2.0 are:

This article isn’t a deep dive into the nuances of the differences between these levels. Instead, it looks at how one specific family of controls (in this case, risk management) may impact compliance across them.

What Are NIST Special Publications 800-171 and 800-172?

First, a brief look at the NIST publications that underpin the CMMC requirements.

NIST 800-171 and NIST 800-172 are publications by the National Institute of Standards and Technology that provide guidelines and recommendations for protecting CUI in non-federal systems and organizations. 


Risk Management and CMMC

CMMC control requirements depend on the organization’s maturity level and on the protection expectations attached to the data it handles for a given contract. Both NIST SP 800-171 and 800-172 contain a “Risk Assessment” control family that may apply to an organization, although each document defines different controls within that family.


Risk Management Controls from NIST SP 800-171

The risk assessment control family in this document contains three primary requirements:


Risk Management Controls from NIST SP 800-172

NIST SP 800-172 also contains a Risk Assessment family that defines several enhanced requirements for organizations at the highest level of compliance:


Learn More About CMMC or Partner with Us for Your Assessment

CMMC is a rigorous standard requiring organizations to undergo third-party assessments. Lazarus Alliance is now a certified third-party assessment organization under CMMC 2.0, one of only a few dozen in the United States. 

What does that mean for you? You can trust our decades of experience to help guide you through your assessment process. 

Preparing for your CMMC audit? Looking for a C3PAO you can trust? Contact Lazarus Alliance.
