The US is raising the cybersecurity standards for contractors across the government, especially those contracting for the Department of Defense.
At the same time, many software companies without roots in government contracting and not steeped in the many associated acronyms have to contend with these standards.
This post is meant to serve as a first primer on common acronyms you’ll see, what they mean, and how they relate. We won’t touch on the vast complexity of each but will instead provide a point of first interaction with these concepts.
Acronyms and Standards
NIST SP 800-171 is a list of cybersecurity controls. Think of things like controlling access to devices or auditing remote desktop sessions. It’s a long list.
NIST 800-171 tells us what protections and procedures we need to implement and is designed to set the minimum security threshold for companies and systems that store Controlled Unclassified Information (CUI). If you’re doing business with the Department of Defense, you probably need to care about it.
The good news is that NIST 800-171 provides a single list of controls that must be implemented. The condensed list starts on page 74 of the publication here: https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final.
The Cybersecurity Maturity Model Certification (CMMC) requires implementing the NIST 800-171 standard. No additional protections are needed! CMMC is just NIST 800-171 paired with one of three types of audits:
1. Level 1: Self Attestation
2. Level 2: An audit provided by a C3PAO (A third-party vendor certified by the government to complete these audits)
3. Level 3: An audit led by the government
Above, we briefly explained two common cybersecurity acronyms you should expect to run into quickly if you want to work with the Department of Defense. To be sure, there are many more, including DFARS, ITAR, and the like. NIST 800-171 is at the center. It’s a long list, but implementing some of the basic requirements of NIST 800-171 is the right place to start.