NextLabs helps organizations meet the various security requirements of the National Institute of Standards and Technology (NIST). NIST has published several documents, each of which focuses on a different facet of security. NextLabs addresses many of the requirements of these publications; they are noted below.
NIST SP 800-53 REVISION 4
This document details a framework to protect an organization and its assets from a range of threats, including cyberattacks, insider threats, application security, supply chain risks, and human error, among others. NextLabs helps organizations meet various access control requirements, including enforcement of least privilege / need-to-know, dynamic privilege management, and usage controls on features such as Edit, Print, Reshare, and Extract.
NIST SP 800-171
This document sets forth the minimum security standards for all Department of Defense contractors that process, store, or transmit Controlled Unclassified Information (CUI). NextLabs helps organizations safeguard information that resides in or transits through covered contractor information systems, and supports the reporting of cyber incidents.
Cybersecurity Maturity Model Certification (CMMC)
Cybersecurity Maturity Model Certification (CMMC) is the US Government’s solution to the low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike and that subcontractors are used in different ways. CMMC is a tiered model that addresses every business in the Defense Industrial Base (DIB), from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services) that could impact CUI.
One common misconception is that CMMC compliance is the same thing as NIST SP 800-171 compliance. That is not entirely true, especially at the higher levels of CMMC, which include requirements from frameworks other than NIST SP 800-171.
CMMC Level 1: This is essentially addressing FAR 52.204-21 cybersecurity principles.
CMMC Level 2: This builds on CMMC Level 1 and addresses a little over half of the NIST SP 800-171 controls.
CMMC Level 3: This builds on CMMC Level 2 and addresses all of the NIST SP 800-171 controls plus a few extras.
CMMC Levels 4 & 5: These build on CMMC Level 3 and include controls from a range of frameworks:
- CERT RMM v1.2
- NIST SP 800-53
- NIST SP 800-172
- ISO 27002
- CIS CSC 7.1
- CMMC-specific requirements that are not attributed to any existing framework.