Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do
(00:20):
so. Let's dive into today's episode and keep your business on track. Today's topic is a big one that confuses a lot of contractors: what's the actual role of NIST 800-171 in your CMMC assessment? We'll break down how it all fits together, where companies usually slip up, and what assessors really want to see. And make sure to tune in for the end of the episode, where we cover this week's listener question.
(00:42):
All right, Brooke, let's start at the beginning. What exactly is NIST 800-171?
SPEAKER_01 (00:46):
Well, NIST 800-171 is the foundation of CMMC and the controls that you have to meet for CMMC. It's 110 controls across 14 families. They're really a good set of cybersecurity controls to follow, not just for CMMC, but anything else.
(01:06):
CMMC just kind of builds on top of that in a few areas with DFARS rules and whatnot. But NIST 800-171 is the foundation for all the controls.
SPEAKER_00 (01:16):
With that being said, how does NIST 800-171 map into the CMMC levels?
SPEAKER_01 (01:21):
Well, there's three levels, at least now there's three levels. So there's level one, level two, level three. Level one is 15 or 17 controls, whichever direction you look at it from. But 15 controls for the NIST 800-171 really comes from the FAR 52.204-21. And that's really to protect FCI, Federal Contract
(01:47):
Information. So, for instance, if you have an enclave that we've talked about quite a few times before, if you have a CUI enclave, which is going to be Level 2, you don't necessarily have to keep all your FCI there. It can stay outside of your level two network as long as the rest of the network is protected at level one. So level two, it's all of your 110 controls across 14 families.
(02:14):
It's also 320 assessment objectives in those controls. And that's what's the basis for probably the largest part of CMMC and what the whole hullabaloo is about. Most everybody, from what they say, most everybody is going to have to meet level 2 and have a level 2 certification assessment.
(02:37):
There's going to be some people who don't necessarily have to have a certification assessment for level 2 but can still do self-attestation. That has yet to be seen, who all is going to do what, but at this point, if you're level 2, I would assume at some point you've got to get everything in place, so I would assume at some point you'll have to be level 2 certified. If it
(02:59):
comes out and you realize that you don't have to be level 2 certified, great. You just saved some money. You don't have to pay for the certification. But you still have to be, you still have to do all the same things. All those controls have to be implemented. All the assessment objectives have to be met. But that's level 2. Level 3, it's going to include everything level 2 does, plus 24
(03:22):
or so additional controls. There's going to be a small subset of contractors that have to be level three. Most everybody we run into, seen it on contracts or been notified, they need to be level two. I don't know who's going to be level three, but there will be a few.
SPEAKER_00 (03:38):
So Brooke, when it comes to an assessment, how do auditors actually check compliance with NIST 800-171?
SPEAKER_01 (03:45):
So when an assessor comes to visit you, you're of course going to work with them ahead of time to make sure that you're ready, or at least as much as you can beforehand to make sure that you're ready. Once you and the C3PAO, the assessor, determine that everybody thinks you're ready to go through it, you go through it.
(04:05):
And when they go to check the controls, they examine, they interview, and they test. Examine will be reviewing documentation, policies, network diagrams, proof that you have, all that kind of fun stuff. Interview is asking Sally Jo, you know, hey, show me how you
(04:27):
log in to whatever system it is, you know, that they're looking at. Show me how you log in. And so she'll go and log in and she'll enter her username, she'll enter her password, and then she'll get prompted for MFA, hopefully. And she'll log in and she'll use her MFA to get logged in. And let's say, oh, okay, good. That worked. They'll interview, they'll ask questions.
(04:48):
How do you do this? How do you do that? But they'll also test. And part of that testing is asking, say, hey, Sally Jo, can you log in and show me? And so it's examine, interview, and test. And so when Sally Jo logs in, it shows that she used username, password, and MFA to get logged in. Then that's the test for that control or
(05:11):
that assessment objective, however, whatever you're looking at at that point. But that's how they do that. You need to make sure you use MFA to log in anywhere you access CUI, whether it's to initially log into your computer, to log into the VDI solution maybe that you're using, or whatever it might be to access that CUI, that you're using MFA, multi-factor
(05:34):
authentication, in case anybody doesn't know. On logging, you're going to want to make sure that you're logging all of your sources that are key to the CUI enclave or the CUI boundaries, within the CUI boundaries: your servers, your firewall, maybe Microsoft 365 GCC High, whatever it may be,
(05:57):
that you're gathering all those logs, reviewing them, and all that kind of fun stuff. You'll have to prove that. Incident response is another one. How are you doing incident response and are you testing it? Testing doesn't have to be a full-blown bring-the-company-down to test it. It can be a tabletop exercise, you know, walk through it, make sure that the systems are in place, that
(06:18):
when you get to something, for instance, I've got to go submit a fake report, so you go to the website on the computer where you're supposed to submit that report from. If you can't get to that site, well, now your tabletop exercise just exposed a hole, right? Because you can't get to the site to report that incident. So if you can't, then you need to look into why. Why is that medium
(06:39):
assurance certificate not working? Or is it, are you using the right computer, and all that kind of fun stuff? So make sure that's tested. But your system security plan, your SSP, should tell your story, your overall story about how you're protecting, how you're fulfilling those controls and protecting CUI. So an assessor ought to be able to read that and get a good
(07:02):
idea, and then they should be able to delve into your policies and get the detail about how you're fulfilling that control. Plans and procedures are how you're actually doing something, right? You can put all your detail, I guess, in the SSP, but typically
(07:23):
your SSP is kind of high level, describes how you do everything, and your policies will contain a lot more detail.
SPEAKER_00 (07:30):
What are the most common mistakes you see contractors make with NIST 800-171?
SPEAKER_01 (07:34):
Inadequate scoping. So if you've not scoped your environment properly, if you scoped it too wide or you scoped it maybe, we wouldn't call it too narrow, or you leave something out that you didn't realize was being used for CUI. That's one reason we tell you, when you're scoping, you draw that initial data flow diagram
(07:56):
and you include people that actually do the work. So when you as an IT person and the general manager get together, you all draw out this wonderful data flow diagram, and you think, yeah, that covers everything. Well, when you actually involve people that actually do the work, they say, well, yeah, but we also do this and this with it. And it goes into this system and that system.
(08:18):
And you're wholly surprised that you didn't get everything in. But you can't know everything. You've got to understand exactly what people are doing with things. Maybe it's a business process that needs to change, or maybe your data flow diagram needs to meet that process, right, or needs to reflect that process. But inadequate scoping, and scoping is built upon that data
(08:41):
flow diagram. So there's a number one thing that, you know, you might call a mistake or just an omission, a sin of omission, I guess. So that's the number one thing. The other thing we see a lot of is missing or weak documentation. So your policies, I just described how your SSP and your policies, and then your plans and procedures, and what they should look like at a high
(09:04):
level. I know I didn't go into detail on each one, but the SSP, again, it's a high level. This is how we're implementing these controls. Policies get into the details, thou-shalt-nots, and how you're actually fulfilling that, the systems that are involved, and all that kind of fun stuff.
(09:26):
So a lot of times there are a lot of other compliance regimes, SOC, I'll reference that one, that you may not necessarily have to have really strict detail about. Well, this one, you do have to have that detail.
(09:48):
Those assessors, when they come to assess you, they want to be able to understand and they want to be able to read what you have. And I tell people all the time that they've got to be able to read your SSP and understand as an outsider what it means and what it's saying, and then they have to be able to read your policies and understand really what you're
(10:08):
doing. If it's just some overall, you know, we protect CUI, we don't let it, you know, it's supposed to be in all the correct systems and, you know, that kind of stuff, and they're like, well, what does this mean, you know? So all your assessors are going to be technical people, but they may have been out of it for a year, two years, 10 years, 20 years, doing
(10:32):
assessment-type things. But they are technical people. They understand the technical details. They're an outsider. They're not necessarily in IT or in your business because, again, not all of this is about IT. In fact, most of it's not. But it needs to be written where an outsider can understand it
(10:53):
and glean details out of that. MFA is another one of those things that people kind of miss. MFA, it was clarified. MFA does need to be implemented anywhere that you access MFA across a network or remotely, or any kind of
(11:17):
privileged functions, admin-type functions. So basically you have to have, you have to implement MFA everywhere. So MFA is one of those that people miss consistently. Risk assessments is another one. You've got to assess your risk. You need to assess it, say, annually.
(11:39):
It's not just a checkbox that you can go over once and you're done. You've got to assess your risk all the time. You also have to assess your security controls to make sure that your security controls are still applicable. We do each of those annually for us or clients.
(11:59):
We do each of those annually. Change management is a big one. Change management is easy to not follow. You know, when you get in the business of doing business every day, if there's a problem, you just need to fix that problem. So change management is a big thing. You know, if you have some changes coming up, they need to be documented. They need to be approved. You need to at least look back on it, if nothing else.
(12:21):
You do need to follow your change management policy and procedures.
SPEAKER_00 (12:25):
So there's been a lot of news lately surrounding NIST 800-171. Are there any updates people should know about?
SPEAKER_01 (12:33):
Yeah, so there is NIST 800-171 Revision 3 out there. The last, the CMMC 32 CFR rule that came out that defined CMMC locked it down to NIST 800-171 Revision 2. So we're hard-coded to Revision 2 until they change that.
(12:56):
And they'll have to specifically change it. Everybody kind of expects them to change to revision three. And everybody, really, most people I talk to expect the change to be to keep pace with the current revision of NIST 800-171. Right now, that's revision three.
(13:16):
I haven't kept up. I don't know if revision four is out there or not or if they're considering anything. But the idea is to keep pace at some point. But right now, while they're trying to get CMMC implemented, they've hard-coded it to revision 2. So probably we'll look for that to change in a couple years,
(13:40):
maybe, something like that. They want to get this under the belt and going. And the thought is that revision 3 may come into play. They may change the rule and say it comes into play when your certification comes up for renewal. You wouldn't necessarily have to do that in the middle and change
(14:01):
it. Oh, you know, I just got certified six months ago. Now there's revision three and they said we have to be, you know, certified on that. So they expect not to change it in the middle and most likely just to be on your next certification assessment. Whenever that comes out, it's not come out yet. We're, like I said, we're still, we're hard-coded on revision two
(14:24):
for NIST 800-171 right now. For the foreseeable future, we will be. The big news right now is that as of this podcast recording, the 48 CFR has passed review and been handed back to the DOD.
(14:45):
It's come out of OIRA, and so they've blessed it and said, you know, you're good, and so it could be published tomorrow. Well, no, today is a Friday, so... It won't be published tomorrow. Not that you know that, because you're watching this on a different day. But it could be released very, very shortly.
(15:09):
But who knows? Clock is ticking. It's coming out. I would expect it, if nothing else, to be right around the 1st of October if they haven't already released it by then. But that 48 CFR is what puts CMMC in place on contracts. And that's a big one.
(15:30):
When it comes out, you have a definite timeline when you have to start getting your Level 2 certification. There's no more waiting and playing the game to see if you're going to have to do it or not. The clock is ticking then, a definite clock. It's been ticking. It's just nobody knew towards what date.
(15:52):
So now you'll have a definite date once that gets released. And there's four phases to it. First phase is pretty much exactly like what you're doing right now, except you have a, you know, definitive date. The second phase, they're all a year each, so the second phase, a year from whenever it comes out, is going to be when those
(16:15):
level two certifications are implemented on contracts, and that's on new contracts, that's not existing contracts. So really, technically, I guess, you know, if you don't want to win any new contracts for a while, we'll just say October 2026, then you can probably wait a little while, but new contracts will start to have that on there.
(16:38):
Absolutely. The other thing is, and I wish I could remember who it was, but there's an entity that has fallen victim to the False Claims Act. They said they were implementing these controls, and it turns out they weren't. And not just that they had tried and didn't do it right,
(17:00):
but they just weren't. So that's a False Claims Act. I believe there was some sort of breach, but they self-reported that they didn't have these things covered, and they were given a little bit of leniency, but they still got like a $1.7 million fine. So if that's leniency, I guess the leniency would be that the
(17:23):
fine wasn't bigger and they didn't get sued or anything. But the False Claims Act is a big deal, and they are using that, and the DOJ is going after people on that. So just be aware of that.
SPEAKER_00 (17:43):
So, Brooke, for the small defense contractors just trying to get ready, what are the practical steps to bridge that gap with NIST 800-171?
SPEAKER_01 (17:52):
If you're a small contractor and trying to get ready, it depends on where you're at, but I would say... Stop where you're at. Look back. Have you drawn that data flow diagram we keep talking about? First of all, just do an overall data flow diagram that includes CUI and non-CUI so you can figure it all out.
(18:15):
But the data flow diagram that an assessor is going to want to see has to do with CUI. So have you done that CUI data flow diagram as a basis for trying to determine where your system boundaries are, what is in scope for CUI, and what's in scope for FCI, really.
(18:38):
But your CUI boundary is really what you need to be aware of and need to scope properly. So start there. If you're already 50% down the road, I guess, maybe, however you gauge that, stop and make sure that you've done that and that you've included all the systems that need to be included,
(18:58):
that you've really put thought into that, because you may realize that, oh, we didn't include some of these systems that we're using. Do we need to change our business process or do we need to amend our scope? You know, what do we need to do? So that's a big thing. I'll talk about it again.
(19:19):
Your SSP, build a good, strong SSP that tells your story about how you're protecting CUI, tells your story about how you are fulfilling those controls and those assessment objectives. If you go to the assessment objective level, the auditor, excuse me, not the auditors, they will bristle if you call them an auditor, but the assessors will
(19:42):
really, really do like to see this brought down to the assessment objective level. Because some of the controls are a little broad, but when you read the assessment objectives, it makes them a little more clear. So a good, strong SSP is a good thing to make sure you
(20:02):
build. It's your first document that gives a good overview. Prioritize those high-risk controls and low-hanging fruit also that you can get covered pretty easily. MFA is one of those. Gathering and protecting your audit logs.
(20:23):
We always recommend a SIEM. The controls are written, really, you don't have to have a SIEM. A SIEM is a security information and event monitoring system, so you don't really have to have a SIEM, but the way the controls are written, you really need a SIEM to cover all that, because what a
(20:51):
SIEM does for you is it helps you go through all those logs, tens of thousands of log entries, or hundreds of thousands, depending on how many systems there are, how big the systems are, how many people there are. Anyway, but there's a lot of log entries. And for a person to actually sit down and review those log
(21:13):
entries, really it's impossible to do properly. You can say you're doing it, and an assessor might be okay with that, but they're going to want to see proof. They're going to examine, interview, and test to determine if you're actually doing that. And there has to be proof that you're doing it. You can't just say, oh, yeah, yeah, sure, we're doing that.
(21:35):
So a SIEM really helps bridge that gap to where you don't have to dedicate a person to reading logs. So a SIEM helps bridge that gap. Usually it's a pretty easy thing to put in place, so that's a really important one.
(21:59):
The other thing is, once you've gone past that, just make sure all your documentation is in order. Make sure that your SSP and your policies and any plans and procedures are all signed off on, authorized, and make sure that you're gathering your proof. Make sure that all the stuff you say you're doing, you're
(22:21):
actually doing. So those are the things that a small contractor can look at, from going back and reviewing the beginning to going through catching some low-hanging fruit and stuff like that.
SPEAKER_00 (22:34):
All right, Brooke, we are going to tackle this week's listener questions. Bobby left us some lovely questions that we can address here. So the first question is, how are VoIP systems handled in CMMC 2.0?
SPEAKER_01 (22:49):
That is a good question. So from what I understand from assessors is, if you have a VoIP system on premise, it doesn't necessarily come in scope because it's in your boundary. If you discuss CUI over a phone, then anything outside that is
(23:10):
carrier grade, however the connections may be to the carrier. So that's okay. Hosted VoIP systems, that's where the sticky part comes in. From what a lot of assessors have said is that they're going to look to see that those are secured and that
(23:31):
they... If it's a cloud-hosted system, it's got to follow all the same controls, right? So that's a really tough one. If you have a traditional phone system that is similar, I guess, in scope to an on-premise VoIP system, but if you have an
(23:54):
on-premise phone system, same thing. You don't have to... It's not... It doesn't have to meet the same requirements because it's on-premise and within scope. But the hosted VoIP is a sticky issue. A lot of times you can, if you've got Zoom, Federal Zoom,
(24:19):
whatever they call that, I think it's Zoom Federal. Anyway, Zoom Federal, or if you've got Microsoft 365 GCC High and you use Teams, that can be used. So some of those systems can be used because, of course, they're federal. So you can cover it that way. And that's a good way to cover that.
SPEAKER_00 (24:40):
Bobby's second question is, if Bobby moves to Teams, would that be an issue?
SPEAKER_01 (24:46):
Well, a good old answer of it depends. And I think there's another question here that this will touch on as well. Teams will be an issue if you discuss CUI over Teams. Teams, or if you have, I mean, Teams, you can store files in there and all sorts of fun stuff, right?
(25:09):
So if you're using commercial 365, yes, Teams is an issue. If you're using GCC, there's a limited fit for Microsoft 365 GCC. If you're using GCC High, then you'll like, as long as
(25:32):
everything's configured properly and all that kind of fun stuff, then yes, that should be fine.
SPEAKER_00 (25:36):
Next question from Bobby. What about a company like Dialpad.com?
SPEAKER_01 (25:42):
So Dialpad.com, if I understand properly, uses some AI and helps you with meetings and selling and stuff like that. I would definitely try to scope that out of your CUI environment and try to really scope it out of your FCI environment. You can still use it to talk to potential clients and stuff like
(26:04):
that, I guess, but you've got to be careful what goes in there, right? So that's one of those things that's just unfortunate, but because of all the new cool stuff coming out that can help, it can also be a problem. So that's one of those things that you've got to watch. I would personally just scope it out and make sure that everybody
(26:27):
knows that you can't discuss any CUI over that.
SPEAKER_00 (26:31):
Bobby also wanted to know, how will M365, so Microsoft 365, be evaluated in the audit?
SPEAKER_01 (26:39):
Well, it depends on whether it's scoped in or scoped out. It depends on how you're using it. But assuming it is in scope, then they're going to evaluate however you're using it. So if you tell them that, yes, we send and receive CUI through email, and yes, we store CUI on the platform, then it's going to
(27:03):
be evaluated for all the controls that matter. The thing that I'll tell you is that if it's in scope for CUI, Microsoft 365 Commercial will not work. Microsoft 365 GCC, which is Government Community Cloud, can
(27:24):
work in some narrow instances. If you want to be safe, Microsoft 365 GCC High will work. So again, everything has to be configured properly, but that's how they'll, if it's in scope, they're going to evaluate it against all the 110 controls. Again, commercial won't work, GCC in a narrow scope, and GCC
(27:46):
High will work, will definitely work for you.
SPEAKER_00 (27:50):
On that same note, Bobby was curious if they need to use Business Premium or will they have to move to Microsoft 365 E5?
SPEAKER_01 (28:00):
Well, you can't use Business Premium or E5 or E-anything because those are on the commercial platform. And this is assuming that it's in scope for CUI. So if it's in scope for CUI, you have to move to a GCC or GCC High version, and those plans are going to start, well, not all
(28:21):
the plans, but anyway, there'll be Microsoft 365 GCC G3 or G5 or something like that. And everything will have either G3, G5, or federal government or something like that in the title. But it has to be on that platform. Premium is not on the GCC or GCC High platform.
(28:46):
And neither are the E5 and E3. E5 and E3, I believe, roughly equate to the same G series that's on those platforms.
SPEAKER_00 (28:57):
Thank you, Brooke, for answering those listener questions. If you have any questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com.
(29:18):
Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.