CMMC Standard

The Department of Defense is drafting a new standard called the Cybersecurity Maturity Model Certification (CMMC). This standard will replace NIST 800-171 on DoD Request for Information (RFIs) and Request for Proposal (RFPs) beginning in mid-2020 according to Katie Arrington OUSD(A&S).

The new CMMC standard is scheduled to be released in January, 2020. Core Business Solutions has extensive training already established for NIST 800-171 standard and will assist you in transitioning to the CMMC additional requirements.

The CMMC contains five levels, ranging from basic hygiene to state-of-the-art. Unlike NIST 800-171, the CMMC will not contain a self-attestation component. Every organization that does business with the Department of Defense will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime.

NIST 800-171 Standard for Protecting
Controlled Unclassified Information (CUI)

The NIST 800-171 standard was created to address the protection of Controlled Unclassified Information (CUI). As of 2016, the DFARS requires security controls to be implemented by both the contractor and the subcontractor levels based on the information security guidance in NIST Special Publication 800-171.

What is NIST SP 800-171? It is regarding protecting Controlled Unclassified Information in Nonfederal Systems and Orgranizations and provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).

The NIST 800-171 document helps to clarify the role of defense contractors in data breach incidents and specifies security controls necessary to protect CUI handled or generated by private sector firms.

CUI Can Apply To:

  • Federal contract information
  • Controlled Unclassified Information (USG-wide)
  • Covered Defense Information (CDI)

Your responsibilities, when it comes to
protecting CUI are as follows:

  • Identify sensitive information marked as “CUI” and noted in solicitations and contract amendments.
  • Provide and maintain “adequate security” on all covered information systems (DFARS 252.204-7012, NIST SP 800-171).
  • Develop and maintain a documented System Security Plan (SSP) and Plan of Action and Milestones (POAM) to demonstrate compliance.
  • Submit your SSP and POAM with all proposals to demonstrate compliance (contract data requirements list).
  • Be prepared for on-site assessments of covered defense information systems by DCMA.
  • Periodically review and update SSP and POAM to maintain compliance. Keep in mind that your SSP and POAM will be evaluated by contracting activities (USG or prime contractor) to assess the risk of sharing CUI/CDI with contractor.  This can affect your ability to win or retain contracts with the federal government.
powered by BirdEye

Consulting Support for NIST 800-171 Compliance

Core Business Solutions has qualified NIST 800-171 consultants ready to help you achieve compliance. Support for the standards is available our Online and Onsite Consulting Programs. We also provide consulting support for companies seeking multiple standards (such as ISO 9001 and ISO 27001) through an Integrated Management System.

Our consultants translate the technical language of the standard into Plain English and make it as simple and effective for your organization as possible.

For more information about compliance, please call our consulting office at 866-354-0300, or email

Related standards

• See ISO 27001 for information security management systems

For more information on Cybersecurity please visit our articles page.

If you would like any additional information about our ISO certification consulting programs, or would like a quote for any of these options, please give us a call or send a quick email. We’re also glad to answer any ISO questions you may have.


Office hours: 8:00 AM – 5:00 PM Eastern Time

Phone: 866-354-0300