search menu icon-carat-right cmu-wordmark

Beyond NIST SP 800-171: 20 Additional Practices in CMMC

Katie Stewart co-authored this blog post.

In November, defense contractors will be required to meet new security practices outlined in the Cybersecurity Maturity Model Certification (CMMC). As this post details, while the primary source of security practices in the CMMC is NIST Special Publication 800-171, the CMMC also includes 20 additional practices beyond 800-171 at levels 1-3. These 20 practices are intended to make DoD contractors more security conscious.

Supply chain attacks are increasing at an alarming rate, which has huge implications for the DoD. As we outlined in our initial post, the DoD's Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) sought the help of the SEI in developing the CMMC framework to protect the more than 300,000 contractors in the Defense Industrial Base (DIB). The approach would help DIB contractors secure controlled unclassified information (CUI), which is sensitive information that is not classified.

In a follow-up post, we discussed the maturity process that is integrated into CMMC, including how we built the CMMC by leveraging the SEI's prior work on Capability Maturity Model Integration (CMMI) and the CERT Resilience Management Model (CERT-RMM). In this post, we take a deeper dive into the 20 practices that go beyond NIST SP 800-171.

Tailoring NIST for a Well-Rounded Security Program

The security requirements in NIST SP 800-171 are grouped into two categories, basic and derived. NIST started with controls included in the 800-53 moderate baseline and then tailored them based on three categories:

  • Uniquely federal (i.e., primarily the responsibility of the federal government) (FED)
  • Not directly related to protecting the confidentiality of CUI (NCO)
  • Expected to be routinely satisfied by nonfederal organizations without specification (NFO)

We mention the tailoring of controls to explain why practices were added to the CMMC. In addition to protecting the confidentiality of CUI data, the DoD wanted a model that would change organizational behavior to be more security conscious. The CMMC meets these objectives by adding 20 practices to those included in NIST SP800-171 to ensure an organization is implementing a well-rounded security program and institutionalizing these practices through the implementation of process maturity, which was discussed in our last blog post.

These 20 practices were added at levels 2-3 across 9 of the 17 CMMC domains. Seven of these practices were added to CMMC Level 2 and 13 to Level 3.

These practices can be grouped into three categories. Let's take a closer look at each of these practices, moving through each group by level and then by domain.

Foundational practices to assist DIB companies in advancing their cybersecurity programs. The first category is fundamental practices that were added to the model to assist DIB companies with advancing their cybersecurity capabilities. These are fundamental, no-cost practices that provide stepping stones of technical progression within the model.

  • AU.2.044--Review audit logs. Multiple practices in 800-171 deal with capturing audit logs, but none specifically requires the review of audit logs, which is a foundational practice for auditing and accountability.
  • IR.2.093--Detect and report events. 800-171 has practices focusing on establishing an incident handling capability, but it does not specifically discuss the process to detect and report events. An event is any observable occurrence in a system and/or network. Because incidents typically start out as one or more events, the ability to detect and report events is foundationa­­l to an incident response capability.
  • IR.2.094--Analyze and triage events to support event resolution and incident declaration. Similar to IR.2.093 above, 800-171 focuses on establishing an incident response capability, but it does not specifically discuss event detection and analysis. Because incidents typically begin as one or more events, this practice is meant to ensure analyzing and triaging events is part of the incident response process.
  • IR.2.096--Develop and implement responses to declared incidents according to pre-defined procedures. When responding to incidents, the speed with which the response is implemented can have a big impact on containing the incident. Having pre-defined procedures to more common incidents can save time and help with response and closure activities.
  • AM.3.036--Define procedures for the handling of CUI data. The CMMC is fundamentally about the protection of data. NIST 800-171 has some requirements for the protection of CUI; however, these are often indirect. The Media Protection domain contains some elements of data handling but is not explicit enough. This practice was added to the model to ensure that procedures are in place for the handling of sensitive information. Other practices, such as those in the Media Protection domain, may be referenced in these procedures.
  • SC.3.193--Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forms, LinkedIn, Facebook, Twitter). Publicly accessible websites, such as blogs and social medial sites, can contain sensitive information that is often posted inadvertently. Establishing and implementing policies and procedures restricting these activities help everyone understand requirements for handling CUI data.

Practices that increase situational awareness to proactively identify and mitigate risks. These practices help organizations become more proactive in identifying and managing cyber risks to their organization. They also help build a foundation for levels 4 and 5, which entail a more enhanced detection and response capability.

  • IR.2.097--Perform root-cause analysis on incidents to determine underlying causes. The purpose of this practice is to determine the underlying causes of events or problems to prevent the issue from reoccurring. Root-cause analysis is not explicitly mentioned in NIST SP 800-171 or in the "Computer Security Incident Handling Guide," which 800-171 refers to.
  • AU.3.048--Collect audit information (e.g., logs) into one or more central repositories. Auditing should typically be a proactive activity. It is increasingly difficult to analyze, correlate, and review audit logs manually and maintain a full picture of the audit logs in the environment. Storing logs in a central repository helps automate the collection, analysis, and correlation of audit logs to assist with NIST SP 800-171 requirements 3.3.5 and 3.3.6.
  • RM.3.144--Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. Risk assessments provide an organization with awareness of current risks, before they are realized. This Level 3 practice extends the related Level 2 practice RM.2.141 - Periodically assess the risk to organizational operations by requiring that defined risk categories, identified sources of risk, and specific risk measurement criteria be included in the risk assessment. All of these are essential to a proper risk assessment.
  • CA.3.162--Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. This requirement deals specifically with assuring that internally developed software is free of defects and vulnerabilities and builds on NIST SP 800-171 3.13.2, Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems, by adding a security assessment requirement.
  • SA.3.169--Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders. This practice was added to highlight the importance of information sharing to a cybersecurity program as a way to ensure an organization maintains adequate situational awareness of the threats they face. This domain is about receiving, responding to, and disseminating cyber threat intelligence information, which is not present in NIST SP 800-171.

Practices that enhance protection and sustainment against common threats to the DIB, such as phishing, ransomware, and malware. These are targeted, high-value practices that provide additional protections above and beyond NIST SP 800-171, as well as sustainment activities that will enable organizations to recover from a cyber event.

  • RE.2.137--Regularly perform and test data backups. As mentioned, NIST SP 800-171 focuses on the confidentiality of CUI data. The ability to recover and restore data after an incident or disaster is also an important element of a robust cybersecurity program to combat ransomware attacks as well as unintentional incidents that may cause an organization to lose access to production systems and/or data.
  • SC.2.179--Use encrypted sessions for the management of network devices. The insecure management of network devices can lead to a compromise of the entire IT network. Other relevant 800-171 practices in this domain focus on secure network architecture and general encryption requirements, but they are not specific to the management of network devices.
  • RE.3.139--Regularly perform complete, comprehensive, and resilient data backups as organizationally defined. This practice expands on RE.2.137 - Regularly perform and test data backups by requiring that backups be complete (i.e., backups that are complete enough to restore a system) and comprehensive (i.e., all ally systems that are critical to ensuring service continuity), thereby ensuring an organization can restore the entire system if needed.
  • RM.3.147--Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk. Non-vendor-supported products are a common attack vector for malicious actors since they typically do not have available patches and updates. Managing these unsupported products separately is intended to add additional scrutiny and an extra layer of defense on potentially vulnerable software.

These next three practices address the threats organizations face through email, which NIST SP 800-171 does not address directly.

  • SI.3.218--Employ spam protection. Email is one of the main attack vectors for organizations today and spam is a common way for attackers to deliver viruses and other malware, such as ransomware.
  • SI.3.219--Implement email forgery protections. Email forgery occurs when an email header is spoofed, so the message appears to have originated with someone other than the actual sender. This is a very common tactic used in spamming, phishing, and spear phishing attacks, which are common in all organizations. A few possible implementations for this practice include implementing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
  • SI.3.220 - Utilize sandboxing to detect or block malicious email. Using sandboxing to detect or block malicious email is an effective mitigation to attacks that seek to exploit human behavior.
  • SC.3.192 - Implement Domain Name System (DNS) filtering services. DNS filtering is an effective mitigation against users visiting malicious, blacklisted, or potentially harmful websites that may host malware or be used for phishing. This practice, as with the others in this section, is meant to mitigate some of the more common threats that organizations face.

Wrapping Up and Looking Ahead

The 20 added practices within CMMC levels 1-3 enhance the overall security posture of organizations in the Defense Industrial Base. The practices provide organizations benefits above and beyond current cybersecurity requirements: a way to progress in capability, mechanisms to address specific and common threats, becoming more proactive in their cybersecurity capability, and the introduction of sustainment activities that can help organizations maintain operations in the event of disruption.

Additional Resources

The CMMC Model and accompanying DoD information is available for download at

View the SEI webpage CMMC--Securing the DIB Supply Chain.

Download the fact sheet, CMMC--Securing the DIB Supply Chain with the Cybersecurity Maturity Model Certification Process.

The DIB SCC CyberAssist site provides resources to assist DIB companies and suppliers of varying sizes with the implementation of cyber protections, and awareness of cyber risk, regulations and accountability for their supply chain.

About the Author