NIST SP 800-171 Compliance & CMMC
Your Partner in Achieving Compliance
NIST SP 800-171 Compliance & Cybersecurity Maturity Model Certification (CMMC)
NIST 800-171 & CMMC IT Services
Need help aligning your organization’s cybersecurity infrastructure with the NIST SP 800-171 requirements and CMMC?
Maryland Computer Service is a CMMC registered assessor. We serve as your partner to support all your compliance needs. As a managed services provider (MSP), we guide you through all aspects of managing your technology, including compliance with NIST SP 800-171.
Our NIST 800-171 & CMMC IT Services
Performance Risk Assessment
Perform a full 110-point risk assessment in compliance with regulatory requirements.
CUI Policy Auditing
Analyze policies and procedures for handling CUI and advise on needed adjustments.
Plan of Action and Milestones (POAM)
Build a NIST 800-171-compliant POAM with timelines for improving your SPRS score.
System Security Plan (SSP) Development and Implementation
Prepare SSP with the full scope of IT networks, access points, users, IT service integrations, and cloud storage detailing CUI protections in place.
Supplier Performance Risk System (SPRS) Score Assessment
Perform an SPRS score assessment, submit it to the Department of Defense, and identify opportunities to improve the score. Submitting a score is a requirement for eligibility for government contract awards.
Maryland Computer Service does not certify networks. However, MCS is a registered assessor and assists clients with achieving certification when required.
NIST 800-171 and CMMC Compliance
What is NIST SP 800-171?
In the simplest terms, NIST 800-171 is a U.S. Federal Government requirement that outlines security standards and best practices for the handling of controlled unclassified information (CUI) by government contractors and subcontractors.
Is NIST 800-171 compliance required?
NIST SP 800-171 compliance is mandatory for all government contractors and subcontractors, which means the list of who must comply with these standards is continually growing.
As a result, working with a registered Cybersecurity Maturity Model Certification (CMMC) assessor like Maryland Computer Service is essential for any organization that works directly or indirectly with federal government entities. Our IT professionals are well-equipped to ensure that our clients’ systems are managed effectively and remain in compliance, which is necessary for any organization that does business with the federal government.
NIST 800-171 Requirements
NIST 800-171 consists of 110 requirements. Each requirement addresses a different area of an organization’s information technology, practices, and policies. Applying these requirements ensures that a business’s systems, networks, and employees are well-equipped to handle CUI.
Businesses must comply with these requirements in order to be awarded, or to maintain, contracts with the federal government.
To be in compliance, an organization must complete a detailed analysis of its system environment and a comprehensive system security plan (SSP). NIST 800-171 also requires that, after this is completed, the organization regularly review the SSP and make continued efforts to improve its SPRS score.
NIST 800-171 Checklist / CMMC Compliance Checklist
▢ Understand your organization’s NIST 800-171 compliance requirements.
▢ Perform a self-assessment of your application of the requirements.
▢ Assemble supporting documentation for all system networks and architecture; system boundaries; data flow; people, processes, and procedures; and any anticipated changes.
▢ Analyze gaps.
▢ Review and document existing cybersecurity controls, as well as gaps you have uncovered.
▢ Develop a remediation action plan.
▢ Implement your action plan.
▢ Monitor, maintain, and test security controls.
▢ Document changes resulting from monitoring and maintenance activities.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a Department of Defense program with three control levels that determine if a contractor or subcontractor has the appropriate security compliance to work with CUI. This comprehensive framework was designed to protect susceptible organizations from increasingly frequent and complex cyberattacks.
Who Needs CMMC Certification?
CMMC certification applies to any organization in the U.S. DoD supply chain. This includes contractors who contract directly with the Department of Defense as well as subcontractors who work with primes to perform those contracts.
Maryland Computer Service is a CMMC registered assessor, which means we’ve done the heavy lifting for you when it comes to establishing or maintaining your business’s NIST-compliant system security plan (SSP).
Whether you’re a small to medium-sized business that needs help understanding how government cybersecurity regulations apply to you, or you need an enterprise-level SSP, our IT professionals will walk you through the process and help you understand which CMMC level you need to achieve or maintain.
What is Controlled Unclassified Information?
Examples of CUI include:
- Proprietary Business Information (PBI)
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU) Information
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES) Information
- Other: Business documents and drawings related to government buildings & contracts.
What is an SSP (System Security Plan)?
Government regulations require that any business that contracts with the Department of Defense (DoD) maintain a system security plan (SSP). These regulations also apply to any business that subcontracts to an organization with a DoD contract.
An SSP is a document that “describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.” In layman’s terms, this means that anyone reading your SSP should be able to understand all hardware and software components, how they work together, and how you safeguard CUI within this network.
As a CMMC IT service provider, Maryland Computer Service helps clients establish and maintain their SSP in compliance with NIST 800-171 requirements.
Contact Maryland Computer Service Today!
If you’re looking to outsource your IT and computer services management to an external provider and/or you’d like a team to come help your company out onsite, we’d love to see what we could do for you.
Contact us online or give us a call right now at 301-202-6521 for a quick, free, no-obligation consultation.