NIST 800-171 and CMMC 2.0 Compliance Statement

Overview

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense (DoD) to ensure that contractors and other organizations that handle DoD information have appropriate cybersecurity controls in place. The CMMC framework includes a set of cybersecurity practices and processes that are organized into five maturity levels, with Level 1 representing the lowest level of maturity and Level 5 representing the highest.

CMMC Version 2.0, which was released in December 2021, is the latest version of the CMMC framework. It includes updates and enhancements to the previous version of the framework, including a new maturity level (Level 4) and additional requirements for supply chain risk management.

As an organization that handles DoD information, we are committed to compliance with the CMMC framework and to maintaining the highest level of cybersecurity controls. We understand the importance of protecting DoD information and the critical role that cybersecurity plays in supporting the mission of the DoD.

This page serves as a formal public declaration of our commitment to maintaining a robust cybersecurity program that meets the requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. This commitment is central to our responsibility to protect sensitive information, particularly Controlled Unclassified Information (CUI).

Our Commitment to Data Security

Our organization is fully committed to upholding the rigorous security standards necessary for safeguarding Controlled Unclassified Information (CUI) and other sensitive data. We recognize the critical importance of this data, which is vital for maintaining the integrity, resilience, and security of the Defense Industrial Base (DIB) supply chain. As a trusted partner within the DIB ecosystem, we understand our profound responsibility to protect this information from unauthorized access, modification, or disclosure.

To meet this critical obligation, our comprehensive security strategy is built upon the robust framework of established government and industry standards, specifically centering on the requirements set forth in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and aligning with the tiered maturity levels of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This strategic foundation ensures that our security posture is not only compliant with current mandates but is also proactively designed to adapt to evolving cyber threats.

Our security program is meticulously engineered to ensure the absolute confidentiality, integrity, and availability of all data under our stewardship. This includes:

  • Confidentiality: Implementing strong access controls, encryption for data at rest and in transit, and robust processes to prevent unauthorized disclosure of CUI.
  • Integrity: Utilizing mechanisms to ensure the completeness, accuracy, and authenticity of data, preventing improper modification or destruction.
  • Availability: Maintaining resilient systems and developing comprehensive disaster recovery and business continuity plans to ensure reliable and timely access to operational data for authorized users.

We continuously monitor, audit, and refine our security controls to maintain a high level of assurance and compliance, demonstrating our unwavering commitment to the national security mission supported by the DIB.

CMMC 2.0, Level 2

Our organization is fully committed to the security and integrity of all Controlled Unclassified Information (CUI) we process, store, or transmit. To demonstrate this commitment and meet contractual and regulatory obligations within the Defense Industrial Base (DIB), we are proactively aligning our systems and processes with the stringent requirements for the Cybersecurity Maturity Model Certification (CMMC) 2.0, specifically targeting Level 2 (Advanced).

This Level 2 certification is the mandatory baseline for all non-federal entities that handle CUI. Achieving and maintaining this level necessitates the full and complete implementation of all 110 security requirements as outlined in the authoritative federal standard, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Our dedication extends beyond mere compliance; it is a foundational component of our operational security posture.

Our compliance readiness is a continuous, actively managed program, overseen by senior leadership and executed by our dedicated security and IT teams. This program includes the development, maintenance, and rigorous review of the following key documentation, which substantiates our adherence to the NIST 800-171 framework:

  • System Security Plan (SSP): A comprehensive document that details the CUI boundary, describes how each of the 110 NIST SP 800-171 requirements are met, and identifies the system components, network topology, and security policies in place to protect CUI.
  • Plan of Action and Milestones (POA&M): A living document used to track and manage any security requirements not yet fully implemented, detailing the necessary remediation actions, resources, and expected completion dates to achieve full compliance.
  • Security Policies and Procedures: A full set of organizational security policies and detailed operational procedures that guide staff actions, enforce security controls, and ensure consistency across all 14 families of NIST 800-171 requirements (e.g., Access Control, Configuration Management, Incident Response, etc.).
  • Evidence of Implementation/Artifacts: Documentation such as audit logs, configuration settings, training records, maintenance records, and testing results that serve as objective evidence demonstrating that the security controls are operating effectively as described in the SSP.
  • Self-Assessment/Gap Analysis Reports: Formal reports documenting the results of periodic internal assessments against the NIST 800-171 framework, identifying any compliance gaps and driving the updates to the POA&M.
Document Status
System Security Plan (SSP) Complete
Plan of Action and Milestones (POA&M) Ongoing
Formal Assessment Scheduled

 

NIST SP 800-171

Our comprehensive cybersecurity program is meticulously designed to fully incorporate and enforce all 110 security requirements mandated by NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This rigorous adherence is the cornerstone of our commitment to safeguarding Controlled Unclassified Information (CUI) within our non-federal information systems and environments.

These 110 controls are strategically organized across 14 distinct security families, each addressing a critical area of information security to ensure robust, defense-in-depth protection. The security families we fully implement include:

  • Access Control (AC): Implementing policies and procedures to limit system and information access to authorized users, processes, and devices, including strong authentication and role-based access.
  • Awareness and Training (AT): Ensuring that all personnel with access to CUI are adequately trained on security policies and procedures and are aware of the residual risks associated with their activities.
  • Audit and Accountability (AU): Creating, protecting, and retaining system audit logs to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
  • Configuration Management (CM): Establishing and maintaining baseline configurations and inventories of information system components and managing all changes to the system.
  • Identification and Authentication (IA): Verifying the identity of users, processes, or devices before allowing access to an information system.
  • Incident Response (IR): Developing and implementing a robust capability for preparing for, detecting, analyzing, containing, recovering from, and effectively responding to cyber security incidents.
  • Maintenance (MA): Performing timely and authorized maintenance on information system components.
  • Media Protection (MP): Protecting system media, both paper and digital, containing CUI, and limiting access to CUI on system media.
  • Physical Protection (PE): Securing the physical facility and the information system within it from unauthorized access, damage, and interference.
  • Personnel Security (PS): Implementing procedures to reduce the risk of insider threats and ensuring that personnel are screened and vetted as appropriate for their roles.
  • Risk Assessment (RA): Periodically assessing the security risks to the organizational operations, assets, and individuals, including the risks to CUI.
  • Security Assessment (CA): Periodically assessing the security controls in information systems to determine if they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.
  • System and Communications Protection (SC): Monitoring, controlling, and protecting communications at the external boundaries and key internal boundaries of the information system.
  • System and Information Integrity (SI): Protecting against, detecting, and correcting flaws and errors in the information system, including malicious code protection and system monitoring.

Our complete compliance with NIST SP 800-171 serves as the foundational technical and procedural standard for achieving CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 2, which is the required compliance level for organizations handling CUI. This alignment demonstrates our commitment to the Federal Government's requirements for supply chain security and our capability to handle sensitive defense information responsibly and securely.

 

NIST/CMMC compliance

 

Key Compliance Activities

Our compliance program is structured around continuous monitoring and improvement in several critical areas, forming a robust and dynamic framework for safeguarding Controlled Unclassified Information (CUI) and maintaining adherence to both NIST SP 800-171 and CMMC 2.0 requirements. This framework is not a static checklist but an evolving commitment that ensures the confidentiality, integrity, and availability of sensitive data throughout its lifecycle.

The critical areas of focus include:

  1. System and Information Integrity: We employ advanced threat detection and prevention systems to proactively identify, isolate, and remediate vulnerabilities and malicious activity. This involves continuous monitoring of system logs, regular security patches and updates, and the strict use of anti-malware and intrusion prevention technologies to maintain the security of our infrastructure and data.

  2. Access Control and Least Privilege: Access to CUI is strictly controlled and granted only on a "need-to-know" basis. Our policies enforce the principle of least privilege, ensuring that personnel and processes have only the minimum access rights necessary to perform their authorized duties. This is managed through role-based access controls (RBAC), multi-factor authentication (MFA), and routine access reviews and revocation.

  3. Security Assessment and Continuous Monitoring: We conduct regular, comprehensive security assessments, including vulnerability scans and penetration tests, to identify potential weaknesses in our security posture. Our continuous monitoring program involves real-time surveillance of network traffic and system behavior, allowing for immediate response to security events and the timely adjustment of security controls to counter emerging threats.

  4. Configuration Management: All system components, from network devices to endpoints, are configured according to documented security baselines that align with NIST and CMMC requirements. We utilize automated tools to enforce these configurations, prevent unauthorized modifications, and ensure that new systems are deployed securely from the outset.

  5. Incident Response Planning and Testing: A well-defined Incident Response Plan (IRP) is in place, outlining clear procedures for the preparation, detection, analysis, containment, eradication, and recovery from security incidents. This plan is regularly tested through tabletop exercises and simulated breaches to ensure the readiness and effectiveness of our response team.

Security Awareness and Training: Our personnel are our first line of defense. We mandate continuous security awareness training and education tailored to their specific roles and responsibilities. This program covers current threats, proper handling of CUI, phishing recognition, and incident reporting procedures to cultivate a strong security-first culture.

This comprehensive approach guarantees that our security controls remain effective, relevant, and fully compliant with the ever-changing landscape of federal cybersecurity mandates.

Activity Area Focus Target Status
Access Control Implementing Multi-Factor Authentication (MFA) and least-privilege principles for all CUI access. Ongoing
Security Awareness Mandatory annual training for all personnel with CUI access. Ongoing
System Hardening Applying robust security configurations to all computing infrastructure. Complete
Physical Security Protecting the physical environment where CUI is stored and processed. Complete
Vulnerability Management Performing regular scans and patching to address identified security weaknesses. Ongoing

 

Questions regarding our compliance posture may be directed to our designated compliance officer via our Contact page. This Compliance Statement is subject to review and update on an annual basis.

For any questions or comments regarding our compliance efforts, please contact us at contact@nwengineeringllc.com or through the web form on our contact page. You may also use these methods to request compliance documentation from our manufacturing partners.

Quick Links and Compliance Statements

 


Ready to work with NWES?
Contact us today for a consultation.

Contact Us Today

Our Clients and Partners