There is a lot of talk about the upcoming revision to NIST SP 800-171 (rev 3) as well as CMMC (CMMC was published as a proposed rule on December 22, 2023). There is an essential question that organizations need to answer before delving into these conversations, however, and that question is whether they actually need to comply with the NIST 800-171 standard. Here is an easy-to-follow guide that will help your organization discover if the answer is “yes” or “no.”
Question 1: Are you a Department of Defense contractor, sub-contractor, or are you a supplier to a DoD contractor or sub-contractor?
Answers in the affirmative mean you have to continue to follow the guide.
If you answered “no” to all of the above, you probably do not need these certifications.
Question 2: If you are a contractor, sub-contractor, or supplier, does your contract include DFARS 252.204-7012, 7019, 7020, and/or 7021?
Once again, any positive answers mean you have to continue to use the guide here.
If your contract does not include DFARS, you may not need to be NIST certified. Double check with your contracting office to confirm.
Question 3: What exactly does your contract cover? Are you handling high-priority programs, prioritized acquisitions, or are you not sure what kind of Controlled Unclassified Information (CUI) you are handling?
Organizations that handle high-priority programs will probably need to be assessed by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center). These agencies will probably need to be certified to NIST SP 800-171 as well as NIST SP 800-172 standards.
If your organization handles prioritized acquisitions, you may need a level 2 advanced certification via a C3PAO (CMMC Third Party Assessor Organization). In this case, all controls in NIST SP 800-171 should be covered.
If you know you handle CUI but you are not sure what classification, you can contact your contracting officer to find out what requirements you need to meet.
If you have questions about any segment of this guide, contact us today. We can discuss your specific situation and help you begin your certification journey on the right path.