NIST 800-171, or the Cybersecurity Maturity Model Certification (CMMC), is a framework developed by the US Department of Defense (DoD) to assess the cybersecurity posture of organizations that handle Controlled Unclassified Information (CUI). CUI is sensitive information that isn't classified but still needs protection.
CMMC aims to improve information security across the defense industrial base (DIB) by establishing five maturity levels. Each level represents a gradual increase in cybersecurity practices an organization must implement. These practices are based on the well-regarded NIST SP 800-171 security controls.
Organizations are evaluated by independent assessors to determine their CMMC level. A higher level indicates a stronger cybersecurity posture and translates to a more competitive edge in DoD contracts. CMMC certification is not a one-time thing. Organizations must continuously improve their cybersecurity practices to maintain their certification level.
✦3.1 ACCESS CONTROL By W. Noble 📅 2024-02-28 NIST 800-171 control 3.1, emphasizes access control as a crucial cybersecurity measure. It mandates restricting access to authorized users, processes, and devices. This includes limiting user permissions to only the functions they need and controllin...
✦3.2 AWARENESS AND TRAINING By W. Noble 📅 2024-02-29 NIST 800-171 control 3.2, helps organizations improve employee cybersecurity awareness and reduce security risks by training them on relevant policies and procedures. While NIST doesn't assign specific accountability, it recommends training for all p...
✦3.3 AUDIT AND ACCOUNTABILITY By W. Noble 📅 2024-03-20 NIST 800-171 control 3.3, focuses on audit and accountability, aiming to track user actions and system activity. It mandates creating and keeping system logs for monitoring, investigating, and reporting potential security breaches. Additionally, it e...
✦3.4 CONFIGURATION MANAGEMENT By W. Noble 📅 2024-03-01 NIST 800-171 control 3.4, focuses on establishing a systematic approach to understanding, controlling, and tracking changes made to IT systems. This includes creating a baseline configuration (a known good state) for hardware, software, firmware, and...
✦3.5 IDENTIFICATION AND AUTHENTICATION By W. Noble 📅 2024-03-01 NIST 800-171 control 3.5, focuses on securing access to systems by requiring identification and authentication of users, processes, and devices. This means uniquely identifying everyone and everything interacting with the system, and then verifying t...
✦3.6 INCIDENT RESPONSE By W. Noble 📅 2024-03-01 NIST 800-171 control 3.6, requires organizations to have a plan for handling security incidents. This includes preparing for, detecting, analyzing, containing, recovering from, and guiding user responses to incidents. Additionally, organizations must...
✦3.7 MAINTENANCE By W. Noble 📅 2024-03-02 NIST 800-171 control 3.7, focuses on secure system maintenance practices. It mandates controls for all maintenance activities, including those performed off-site. This ensures equipment is sanitized of sensitive information before removal and that di...
✦3.8 MEDIA PROTECTION By W. Noble 📅 2024-03-02 NIST 800-171 control 3.8, outlines safeguards for information classified as Controlled Unclassified Information (CUI). These controls focus on securing both physical and digital media containing CUI, encompassing aspects like secure storage, access c...
✦3.9 PERSONNEL SECURITY By W. Noble 📅 2024-03-02 NIST 800-171 control 3.9, focuses on personnel security for protecting Controlled Unclassified Information (CUI). It mandates screening individuals before granting access to CUI systems and ensuring CUI and systems are protected during and after pers...
✦3.10 PHYSICAL PROTECTION By W. Noble 📅 2024-03-02 NIST 800-171 control 3.10, emphasizes physical safeguards for organizational systems and information. This includes restricting physical access to equipment and facilities to authorized individuals, securing the physical building and infrastructure,...
✦3.11 RISK ASSESSMENT By W. Noble 📅 2024-03-02 NIST 800-171 control 3.11, mandates regular risk assessments to safeguard Controlled Unclassified Information (CUI). This involves periodically evaluating the potential harm to your organization, assets, and individuals from operating systems and han...
✦3.12 SECURITY ASSESSMENT By W. Noble 📅 2024-03-02 NIST 800-171 control 3.12, focuses on security assessment. It mandates organizations to regularly evaluate the effectiveness of implemented security controls in their systems. This involves periodically assessing if the controls are functioning as in...
✦3.13 SYSTEM AND COMMUNICATIONS PROTECTION By W. Noble 📅 2024-03-03 NIST 800-171 control 3.13, safeguards information systems and communication channels by requiring organizations to monitor, control and protect them. This improves data confidentiality, integrity, and availability. It assigns responsibility for imple...
✦3.14 SYSTEM AND INFORMATION INTEGRITY By W. Noble 📅 2024-03-03 NIST 800-171 control 3.14, safeguards data from unauthorized modification and ensures its accuracy. It assigns responsibility for protecting data integrity and outlines methods for tracking changes. Implementation involves access controls, logging, a...
N
✦NIST Special Publication NIST SP 800-171r3 By W. Noble 📅 2024-03-20 NIST 800-171r3, formally titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a recently issued publication by the National Institute of Standards and Technology (NIST). This document provides recommende...
