
From DoD RMF to NIST 800-171/CMMC: A Compliance Journey


After more than a decade navigating the complex world of the Department of Defense’s Risk Management Framework (DoD RMF), I decided it was time for a new challenge, and I was also laid off. With cybersecurity regulations tightening across industries, shifting into the world of NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) felt like a natural next step. Bringing years of hands-on risk management framework experience to the table, I began to understand the specific nuances of contractor requirements and how they differ, and align, with the NIST Risk Management Framework.  

While NIST RMF and NIST SP 800-171/CMMC serve different communities, they share a common goal: implementing security requirements to protect federal government information. NIST RMF applies to federal information systems operated by or on behalf of the U.S. government, including systems managed by contractors on the government's behalf. NIST SP 800-171 and CMMC apply to the Defense Industrial Base (DIB), and specifically to contractor-owned systems that store, process, or transmit Controlled Unclassified Information (CUI). 

Both frameworks follow the same basic six-step process (NIST SP 800-37 Rev. 2 adds a Prepare step ahead of these): 

  1. Categorize 
  2. Select 
  3. Implement 
  4. Assess 
  5. Authorize 
  6. Monitor 

However, each has specific variations tailored to their respective contexts. 

Both frameworks categorize systems based on the type of information processed and the potential adverse impact of a compromise, but the categorization processes differ. NIST RMF, following FIPS 199, rates each of the three security objectives, confidentiality, integrity, and availability (the CIA triad), as low, moderate, or high impact, which gives 27 possible combinations. For federal civilian systems, FIPS 200 then collapses the three ratings into a single overall impact level using the high-water mark, so control selection starts from one of three baselines; DoD systems categorized under CNSSI 1253 keep the three ratings separate, which is why the DoD RMF practitioner sees many more distinct control sets. 

CMMC instead categorizes information systems into three levels based on the sensitivity of the information they handle. Level 1 applies to systems that handle only Federal Contract Information (FCI) and requires the basic safeguarding requirements of FAR 52.204-21. Level 2 applies to systems that process, store, or transmit CUI and maps to the 110 requirements of NIST SP 800-171. Level 3 is intended for systems handling CUI associated with critical programs or high-value assets and adds enhanced requirements for defending against advanced persistent threats. 

The DoD simplifies categorization for the Defense Industrial Base. NIST SP 800-171 and CMMC protect only the confidentiality of CUI, not its integrity or availability, and the DoD treats all CUI as Moderate impact for confidentiality (the 800-171 requirements are derived from the Moderate baseline). This equates to a CMMC Level 2 or Level 3 certification. Where the contract requires it, an organization may need CMMC Level 3, which is based on NIST SP 800-172. Level 3 requires a prior CMMC Level 2 certification, adds 24 enhanced security requirements drawn from 800-172, and is assessed by the government through DIBCAC rather than by a third-party assessor. 

Selection of the security controls is essentially the same for both frameworks, other than the number of controls or security requirements involved. Both control sets are derived from NIST SP 800-53. When NIST updated 800-53 to Rev. 5, it intentionally dropped the word "Federal" from the title (Rev. 4 was "Security and Privacy Controls for Federal Information Systems and Organizations") to include non-federal audiences. DoD officially transitioned to Revision 5 in 2024, and when CMMC adopts NIST SP 800-171 Rev. 3, the DIB's security requirements will likewise align directly with 800-53 Rev. 5. An RMF baseline is large: on the order of 350 controls on average, and the exact set varies with the categorization (under DoD's CNSSI 1253 baselines, each distinct confidentiality/integrity/availability combination yields a different control set). CMMC Level 2 requires compliance with 110 security requirements, assessed against 320 assessment objectives in NIST SP 800-171A Rev. 2. 

As with selection, both frameworks implement the controls in their prescribed baseline and document that implementation in a System Security Plan (SSP). 

Once an organization has implemented the controls that apply to its information systems and components, it is ready to be assessed. When DFARS 252.204-7012, 252.204-7020, and NIST SP 800-171 were first released, all that was required was self-attestation (a self-assessment score posted to SPRS). With the introduction of CMMC (through the CMMC DFARS rule and DFARS 252.204-7021), contractors handling CUI under a Level 2 certification requirement must have their control implementation assessed by an authorized third party, just as federal systems have always been assessed independently. Level 1 and some Level 2 contracts remain self-assessments, so the contract clause determines which applies. While most defense agencies have little choice over who assesses them, the CMMC Accreditation Body (now The Cyber AB) has built an ecosystem of trained professionals and certified third-party assessment organizations (C3PAOs), listed in a marketplace from which contractors choose. 

During assessment, organizations provide policies, procedures, and other evidence that the security controls are implemented. Assessors under both frameworks use the same three assessment methods: interview, examine, and test. CMMC assessors record each requirement as Met, Not Met, or Not Applicable, whereas RMF findings are documented as Compliant, Non-Compliant, or Not Applicable. 

During the implementation and assessment phases, organizations record every non-compliant control on a Plan of Action & Milestones (POA&M). The two frameworks handle POA&Ms very differently. NIST RMF takes a risk-based approach: an authorizing official can accept the risk of a non-compliant control as long as it stays within the organization's defined risk tolerance. CMMC allows contractors to place weaknesses on a POA&M, but there is no risk-acceptance option, only lower-weighted requirements are eligible, and every POA&M item must be remediated within 180 days of the assessment. 

Following assessment comes authorization. Under NIST RMF, an Authorization to Operate (ATO) is issued by an Authorizing Official (AO) who formally accepts the residual risk of the system. CMMC has no AO; its "authorization" is a score, computed differently from anything in RMF. Each of the 110 Level 2 requirements counts one point toward a perfect score of 110, and each requirement that is Not Met subtracts a weight of 1, 3, or 5 points under the NIST SP 800-171 DoD Assessment Methodology (DoDAM). The 5-point weight is reserved for requirements whose absence could lead to significant exploitation of the network or exfiltration of DoD CUI, so a handful of missing high-weight requirements can drive the score well below zero. A minimum score of 88 (80% of 110) is required. If every requirement is Met, the assessor issues a CMMC Level 2 certification. If the score is at least 88 but below 110, and every open item is eligible for a POA&M, the result is a conditional Level 2 status that converts to a final certification only once the POA&M is closed out within 180 days. 
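The scoring rule above is easy to misread, so here it is carried through in code. This is an added illustration, not code from the original post or from the DoD; it assumes the arithmetic as the article summarizes it (110 perfect, Not Met subtracts a weight of 1, 3, or 5, floor of 88, POA&M closeout in 180 days) and assumes that only weight-1 requirements are POA&M-eligible, which the `poam_max_weight` parameter lets you change. The requirement identifiers and weights in `SAMPLE_WEIGHTS` are a constructed sample of a few entries, not the full official table, and any requirement not listed is treated as Met.

```python
"""CMMC Level 2 scoring walk-through (added example, not from the original post).

Assumptions, labelled here and in the lead-in: DoDAM arithmetic as the
article describes it; only weight-1 requirements are POA&M-eligible unless
the caller says otherwise; SAMPLE_WEIGHTS is a constructed, partial table.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PERFECT_SCORE = 110          # one point per Level 2 requirement, all Met
MIN_CONDITIONAL_SCORE = 88   # 80% of 110, the floor the article cites
POAM_CLOSEOUT_DAYS = 180     # POA&M remediation window from the assessment

# Constructed sample of requirement weights (a handful of the 110; the
# values are illustrative, not a substitute for the official DoDAM table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to authorized transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish and maintain baseline configurations
    "3.5.3": 5,    # multifactor authentication
    "3.8.9": 1,    # protect the confidentiality of backup CUI
    "3.12.1": 3,   # periodically assess the security requirements
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}


@dataclass(frozen=True)
class ScoreResult:
    score: int
    outcome: str                 # "final", "conditional", or "not certified"
    poam_items: tuple[str, ...]  # requirements that would sit on the POA&M


def score_assessment(not_met, weights=SAMPLE_WEIGHTS, poam_max_weight=1):
    """Apply the DoDAM subtraction and the CMMC decision rule.

    not_met: iterable of requirement IDs recorded as Not Met.
    Returns the score and whether the result is a final certification,
    a conditional status (POA&M permitted), or no certification.
    """
    not_met = sorted(set(not_met))
    unknown = [r for r in not_met if r not in weights]
    if unknown:
        raise ValueError(f"no weight known for {unknown}")

    score = PERFECT_SCORE - sum(weights[r] for r in not_met)

    if not not_met:
        outcome = "final"
    elif score >= MIN_CONDITIONAL_SCORE and all(
        weights[r] <= poam_max_weight for r in not_met
    ):
        outcome = "conditional"
    else:
        # Either below the 88-point floor, or an open item (for example a
        # 5-point requirement) is not POA&M-eligible: a score above 88 is
        # necessary but not sufficient.
        outcome = "not certified"

    poam = tuple(not_met) if outcome == "conditional" else ()
    return ScoreResult(score, outcome, poam)


def poam_deadline(assessment_date_iso):
    """Return the ISO date by which a conditional status must be closed out."""
    assessed = date.fromisoformat(assessment_date_iso)
    return (assessed + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    # Two 1-point misses: 108, conditional, both items on the POA&M.
    print(score_assessment(["3.1.3", "3.8.9"]))
    # One 5-point miss: 105, still above 88, but not POA&M-eligible.
    print(score_assessment(["3.5.3"]))
    # Five 5-point misses: 85, below the floor.
    print(score_assessment(["3.1.1", "3.1.2", "3.3.1", "3.4.1", "3.5.3"]))
    print(poam_deadline("2025-01-01"))
```

The second case is the one that surprises people coming from RMF: an organization missing only MFA scores 105, comfortably above 88, yet gets no conditional status because a 5-point requirement cannot be parked on a POA&M. Under RMF the AO could accept that risk; under CMMC there is no one with authority to do so.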

Once a system is authorized or certified, the organization must continuously monitor its security posture to ensure that the implemented controls remain in place and function as intended. Both RMF and CMMC require a continuous monitoring plan and a self-assessment of controls at the organization-defined frequency (at minimum annually; CMMC also requires an annual affirmation of continued compliance). Both also require an independent assessment at least once every three years. In RMF, the Authorizing Official can issue an ATO with conditions (often called a conditional ATO), which may require reauthorization sooner than three years depending on the residual risk of the system. 

Both frameworks aim to safeguard federal information; however, they are designed to address different audiences, and their processes differ slightly. Nonetheless, the overall compliance programs exhibit a significant degree of overlap. 

Although I am relatively new to contractor cybersecurity compliance, my extensive experience with NIST RMF has provided transferable skills that are highly relevant to my current work with CMMC. The process and terminology may vary (I am still working on adapting my terminology to use “practices” instead of “controls”), but the fundamental concepts remain consistent. 

About the Author  

Kathryn Daily is CMMC Compliance Manager here at Cuick Trac. With over a decade of experience implementing DoD RMF and holding certifications like CISSP and CGRC, she brings deep insight and hands-on expertise to cybersecurity compliance. 

