What Is the NIST Compliance Framework & CMMC?

NIST compliance provides security standards for businesses handling federal information, but how do you meet these compliance regulations?

What is NIST compliance? NIST compliance means meeting the National Institute of Standards and Technology standards required of anyone handling sensitive information for government agencies.

What Is NIST?

The National Institute of Standards and Technology is a nonregulatory body within the U.S. Department of Commerce that supplies the standards and frameworks federal agencies and their partners use to maintain sensible security standards in their IT infrastructure.

The Federal Information Security Modernization Act of 2014, itself an amended version of the original FISMA law of 2002, was passed by Congress in order to define the rules and requirements for federal agencies (and contractors working with those agencies) related to managing data and securing IT systems. 

To support the efforts of the several regulatory organizations in charge of monitoring these agencies, NIST provides guidelines, requirements, and best practices over an entire landscape of security, risk management, and IT maintenance. 

Being “compliant” with NIST guidelines usually means that your organization is meeting some other set of requirements for which NIST guidelines supply the underlying controls. Apart from a few exceptions (for example, NIST 800-53), most compliance contexts stem from specific situations involving particular types of data and technology.

In fact, NIST compliance overall can broadly be conceived as a cross section of three critical factors:

  • Types of Data: Compliance requirements almost always depend on the types of data your organization handles, and NIST requirements in any context include guidance on different tiers of data sensitivity.
  • Types of Technology: For the most part, NIST requirements apply across technologies and change only with the use case (for example, protecting data in transit versus data at rest on a server). Some technologies, such as cloud infrastructure, do have dedicated compliance frameworks, however.
  • Types of Service: Requirements also change with the kind of organization under consideration. For example, a contractor handling sensitive data for an agency in the Department of Defense supply chain has different requirements than a cloud service provider starting a contract with a nondefense federal agency.

Accordingly, maintaining NIST compliance for an organization will rely on understanding which NIST guidelines apply to the current context and technology.

What Are Common NIST Publications?

To support agencies and enterprises with regulatory requirements, NIST releases “Special Publications,” each addressing a specific context, technology, or security need. Many of these SPs are also built around broader expectations, such as risk management or supply chain security.

In terms of overall cybersecurity and IT protection, there are a few major special publications:

NIST SP 800-53

NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations,” is a significant component of almost all federal (and many state) security standards. Essentially, this document serves as a large inventory of security and privacy controls, organized into several control families that include the following:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel Security
  • PII Processing and Transparency
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management

Compliance with NIST 800-53 is often a prerequisite for other security frameworks in the federal space, including FedRAMP and FISMA.

NIST SP 800-63

NIST 800-63, “Digital Identity Guidelines,” defines guidelines for identity verification, authentication processes, and identity federation security. Generally speaking, these components will fall under three categories:

  • Identity Assurance Level (IAL): This defines requirements for government agencies and contractors who need to implement identity proofing processes, including live or virtual confirmation or official document proofing.
  • Authentication Assurance Level (AAL): This defines requirements for appropriate authentication levels, including necessary authentication types and technologies for single- and multi-factor authentication.
  • Federation Assurance Level (FAL): This defines required protocols and assertion types that may be used for compliant identity federation technologies. 

NIST SP 800-171

NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” applies specifically to Controlled Unclassified Information. CUI relates to contract work within the Department of Defense supply chain and represents data that, while unclassified, is deemed sufficiently sensitive to warrant protection.

Much like NIST SP 800-53, NIST 800-171 provides a list of security controls across families such as access control, maintenance, and risk assessment. The controls differ slightly, however, because they are tailored to nonfederal systems rather than federal ones.

NIST 800-171, and an expanded document of additional controls titled NIST SP 800-172, are the core of the Cybersecurity Maturity Model Certification.

Federal Information Processing Standards (FIPS) 140-3

FIPS 140, “Security Requirements for Cryptographic Modules,” defines the security requirements for cryptographic modules, including which encryption and hashing algorithms are acceptable for implementation in compliant systems.

FIPS 199 and 200

FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” defines three individual impact levels that serve as categorization methods for data sensitivity and IT systems. 

The three impact levels are as follows:

  • Low: A loss of confidentiality or integrity of the system’s data would have limited adverse effects, such as a reduced ability for the agency to accomplish its mission, minimal financial loss, or minor bodily harm.
  • Moderate: A loss of confidentiality or integrity of the system’s data would seriously affect stakeholders, including serious degradation of an agency’s capabilities, significant harm to individuals or assets, and significant financial loss.
  • High: A loss of confidentiality or integrity of the system’s data would have a catastrophic effect on agencies and stakeholders, including the inability to operate, major or complete financial loss, and serious bodily harm, including loss of life.

FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” draws from FIPS 199 and provides guidelines on applying impact levels across different types of systems. 

Of the hundreds of NIST documents, these are the ones most commonly cited by other publications. Other documents help agencies and contractors apply general security practices (the Cybersecurity Framework) and risk management practices (the Risk Management Framework), secure healthcare systems, and secure cloud infrastructure (FedRAMP).

What Is CMMC?

CMMC, mentioned earlier, is a security framework intended to protect CUI in DoD contractor systems. This information is not classified as Secret in any form, but it is considered mission critical and, as such, should be protected from loss or corruption.

To help contractors better address CUI security, the CMMC Authorization Board, as part of the DoD, manages the CMMC standard. The model organizes the controls found in NIST SP 800-171 and NIST SP 800-172 along a path of “maturity,” so that organizations can reach different levels of security appropriate to different purposes.

The latest version of this standard, dubbed CMMC 2.0, has a few overarching requirements:

  • Maturity Levels: CMMC 2.0 is organized into three maturity levels.
    • Level 1 calls for contractors to implement 17 controls from NIST 800-171. 
    • Level 2 calls for a complete implementation of all 110 controls found in NIST 800-171 and serves as the minimum level for an organization to handle CUI. 
    • Level 3 introduces select controls of NIST 800-172 on top of Level 2 requirements and stands as a broad category for contractors handling major security issues like advanced persistent threats. 
  • Third-Party Assessment: CMMC requires most organizations to undergo audits by certified third-party assessment organizations, all listed in a central directory called the C3PAO Marketplace. Level 1 (and select Level 2) contractors can substitute an annual self-assessment for the C3PAO audit.
  • Plan of Action and Milestones: Earlier versions of CMMC disallowed contingent certification—that is, at the time of audit, a company was either compliant or not. Version 2.0 allows organizations, under approval from the CMMC-AB, to provide a POA&M of corrective measures, including timelines for remediation, if it is deemed that they can feasibly become compliant within a specific time window. 

Maintaining Security and Compliance with 1Kosmos

These standards and regulations call for some form of identity management and authentication security, often using MFA and biometrics. Businesses working with federal or defense agencies must have a secure authentication platform that provides security, accessibility, and reliability without compromising usability.

1Kosmos BlockID provides the following features:

  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification. Our ledger is immutable, secure, and private, so there are no databases to breach or honeypots for hackers to target.
  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Streamlined User Experience: The distributed ledger makes it easier for users to onboard digital IDs. It’s as simple as installing the app, providing biometric information and any required identity proofing documents, and entering any information required under ID creation. The blockchain allows users more control over their digital identity while making authentication much easier.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Interoperability: BlockID and its distributed ledger readily integrate through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.

Ready to learn more about 1Kosmos and how it can help you with your government-adjacent systems? Read our datasheet on BlockID and NIST Compliance.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.