How do NIST SP 800-128 and NIST SP 800-70 fit into CMMC compliance?
As you start building out your CMMC compliance program, you might find yourself mired in the cross-referencing built into the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. For organizations looking to meet Level 1 or Level 3 compliance, the deeply interconnected list of NIST publications can be frustrating. For example, NIST 800-171 references NIST SP 800-53. While both provide guidelines, the technical CMMC configuration guides are NIST SP 800-128 and NIST SP 800-70.
To understand where 800-128 and 800-70 fit into your CMMC compliance strategy, you need to know how the NIST Special Publications cross-reference one another.
In essence, CMMC references NIST 800-171, which references NIST 800-53 and NIST 800-128. NIST 800-53 in turn references NIST 800-128, and NIST 800-128 relies on NIST 800-70 to set secure configurations.
In other words, NIST SP 800-128 and NIST SP 800-70 provide the technical foundation for creating a security-focused configuration management program. You can then use documentation of these controls to prove compliance with CMMC.
What is NIST SP 800-128?
NIST SP 800-128, “Guide for Security-Focused Configuration Management of Information Systems,” offers guidelines for meeting NIST SP 800-53’s “Configuration Management” control family. 800-128 consists of two parts: the fundamentals and the process.
In Section 2, “The Fundamentals: Basic Concepts of Security-Focused Configuration Management,” NIST outlines the following:
- Definitions and underlying principles
- Phases of security-focused configuration management
- Security-focused configuration management concepts
In Section 3, “The Process: Implementation and Application of Security-Focused Configuration Management,” NIST outlines the following steps:
- Planning at the organization and system levels
- Identifying and implementing configurations
- Controlling configuration change
- Security-focused configuration management (SecCM) monitoring
- Using the Security Content Automation Protocol (SCAP)
What is NIST SP 800-70?
NIST SP 800-70, “National Checklist Program for IT Products – Guidelines for Checklist Users and Developers,” recommends best practices for selecting checklists from the NIST National Checklist Repository, evaluating and testing checklists, and applying them to IT products.
Additionally, it defines a security configuration checklist, which can also be called a lockdown, hardening guide, or benchmark, as:
A series of instructions or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured correctly, and for identifying unauthorized changes to the product.
SP 800-70 contains four primary sections:
- The NIST National Checklist Program: explaining what security configuration checklists are, benefits of using them, an overview of the program, and types of checklists
- Operational Environments for Checklists: including standalone environments, managed environments, specialized security-limited functionality (SSLF) custom environments, legacy environments, and US government environments
- Checklist Usage: providing recommendations for determining local requirements, browsing and retrieving checklists, applying checklists to IT products, and providing feedback on checklists
- Checklist Development: giving visibility into how developers can create, test, and submit checklists and how NIST reviews and finalizes checklists
SteelCloud: Leveraging STIG Automation for Scalable CMMC Compliance
NIST 800-70 explains that the first place to look for configuration controls is NIST-produced checklists. It also points out that agency-produced checklists, such as those from the Defense Information Systems Agency (DISA), should be used where no NIST checklist exists.
If you’re looking to meet Level 1 or Level 3 CMMC compliance, DISA Security Technical Implementation Guides (STIGs) are the security configuration checklists that meet Department of Defense (DoD) requirements. Each technology product that your environment uses will have a STIG associated with it. Getting compliant means implementing these secure configurations and maintaining them.
However, getting compliant can be a struggle. Often, the STIG settings for one technology break another, and companies end up granting waivers, or exceptions, to these controls because accounting for the conflicts becomes overwhelming.
Staying compliant is even more difficult. DISA updates STIGs every 90 days, so you have to implement the changes while preventing additional downtime from conflicts.
SteelCloud automates STIG compliance, enforcement, and maintenance, reducing the amount of time it takes to get compliant and stay compliant. For more information about how we can help you meet your technical CMMC compliance requirements, contact us today.