A Quick Guide to NIST 800-53, NIST 800-171, CMMC, and FedRAMP

Before I got into cybersecurity, I had no idea what NIST (National Institute of Standards and Technology) was, what risk management frameworks were, who they applied to, or what distinguished one set of standards from another. That changed quickly. If you work in cybersecurity, NIST policies heavily dictate your daily activities. Therefore, if you are building a risk management program, hopefully, this blog will provide some guidance.  

Risk Management Frameworks (RMF)

A Risk Management Framework (RMF) is a roadmap and set of instructions used to continually minimize security risks. When it comes to an organization’s digital footprint and those that service IT systems, NIST’s 800 Special Publication series provides an unequivocal source of truth for cybersecurity best practices. This third-party guidance from NIST is used by government programs like FedRAMP and CMMC to certify their constituents.  

This blog seeks to provide a quick-hit FAQ and a mapping of NIST SPs to the government programs that rely on them, so you can understand which RMF to follow for the certification you're seeking.

NIST 800-53  

What is it?  

Who is it intended for?  

  • Federal Government Agencies and their IT systems  
  • FedRAMP CSPs (Cloud Service Providers) are required to provide a NIST 800-53 compliant service (plus cloud-specific overlay controls) to Federal agencies

How is it enforced?  

  • FISMA: The Federal Information Security Management Act of 2002 is legislation that relies on NIST special publications to enforce its mandate.

What sets it apart?  

  • It is the most technical and prescriptive RMF (Risk Management Framework) of the bunch. If you have never thought about security before and face NIST 800-53 compliance requirements, buckle up. It is broken up into 18 control families that dictate everything from the way your systems must be configured to the processes and procedures that make up your organization’s risk management program.   

CMMC  

Why does it exist?  

  • The CMMC program evolved as a more robust response to ineffective cybersecurity measures set out in the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC requires that government contractors protect their Controlled Unclassified Data (CUI) by implementing the NIST 800-171 controls and having them verified by a 3rd Party Assessment Organization (C-3PAO).

Who is it intended for?  

  • Vendors – Defense Department contractors
  • Purchasers – Defense Department agencies

NIST 800-171  

What is it?  

  • NIST 800-171 is another SP (Special Publication) developed by NIST to standardize how federal agencies define Controlled Unclassified Data (CUI) and the IT security standards for those that have access to it.  

Who is it intended for?  

  • CMMC requires Government contractors, their third-party vendors, and service providers who store and share classified and unclassified Federal Government data to comply with NIST 800-171 guidance.   

How is it enforced?  

  • The Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 now requires that defense contractors show proof of compliance with NIST 800-171.

What sets it apart?

  • Compared to other SPs, NIST 800-171 is more high-level and less prescriptive. Therefore, the organization has more latitude in how it defends its control environment.

FedRAMP 

Why does FedRAMP exist?  

  • Each Federal Agency must grant an Authority To Operate (ATO) to utilize a CSP. The FedRAMP program provides authorized cloud services, which Federal Agencies can browse and select from an online marketplace. If a CSP is on the FedRAMP marketplace, then an Agency shopping for a particular technology can be assured that the CSP has complied with the NIST 800-53 RMF with additional overlay controls.

Who is it intended for?  

  • Vendors - Any Cloud Service Provider (CSP) who sells SaaS, PaaS, or IaaS products to the United States Federal Government.  
  • Purchasers – United States Federal Government  

Compliance with a NIST RMF at your organization is voluntary unless you are a Federal Government agency or working with the Federal Government. That said, I would highly recommend striving for NIST compliance because it is the foundation that all major regulatory bodies adhere to. If you can prove you are compliant with all the major NIST publications, you will not have any problems satisfying an audit later down the road.  

If you need an experienced cybersecurity consultant to assess your cybersecurity posture and advise you on your security program, MindPoint Group is here to help you. We are a cybersecurity consulting company with 11 years of experience helping Federal Government Agencies deploy secured software solutions on-premise and in the cloud. Contact us to learn more.  
