Articles

The CMMC Configuration Guides: NIST SP 800-128 and NIST 800-70

March 11, 2021

How do NIST SP 800-128 and NIST SP 800-70 fit into CMMC compliance?

As you start building out your CMMC compliance program, you might find yourself mired in the cross-referencing built into the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. For organizations looking to meet Level 2+ compliance, the deeply interconnected list of NIST publications can be frustrating. For example, NIST 800-171 references NIST SP 800-53. While both provide guidelines, the technical CMMC configuration guides are NIST SP 800-128 and NIST SP 800-70.

To understand where 800-128 and 800-70 fit into your CMMC compliance strategy, you need to know how the NIST Special Publications cross-reference one another.

In essence, CMMC references NIST 800-171, which references NIST 800-53, and NIST 800-128. NIST 800-53 further references NIST 800-128. NIST 800-128 relies on NIST 800-70 to set secure configurations.

In other words, NIST SP 800-128 and NIST SP 800-70 provide the technical foundation for creating a security-focused configuration management program. You can then use documentation of these controls to prove compliance with CMMC.

What is NIST SP 800-128?

NIST SP 800-128, “Guide for Security-Focused Configuration Management of Information Systems,” offers guidelines for meeting NIST SP 800-53’s “Configuration Management” control family. 800-128 consists of two parts: the fundamentals and the process.

In Section 2, “The Fundamental: Basic Concepts of Security Configuration Management,” NIST outlines the following:

Definitions and underlying principles
Phases of security-focused configuration management
Security-focused configuration management concepts

In Section 3, “The Process: Implementation and Application of Security-Focused Configuration of Management,” NIST outlines the following steps:

Planning at the organization and system levels
Identifying and implementing configurations
Controlling configuration change
Security-focused configuration management (SecCM) Monitoring
Using security content automation protocols

What is NIST SP 800-70?

NIST SP 800-70, “National Checklist Program for IT Products – Guidelines for Checklist Users and Developers,” recommends best practices for selecting checklists from the NIST National Checklist Repository, evaluating and testing checklist, and applying them to IT products.

Additionally, it defines a security configuration checklist, which can also be called a lockdown, hardening guide, or benchmark, as:

A series of instructions or procedures for configuring an IT product to a particular operational environment verifies that the product has been configured correctly; and identifies unauthorized changes to the product.

SP 800-70 contain four primary sections:

The NIST National Checklist Program: explaining what security configuration checklists are, benefits of using them, an overview of the program, and types of checklists
Operational Environments for Checklists: including standalone environments, managed environments, specialized security-limited functionality custom environments, legacy environments, and US government environments
Checklist Usage: providing recommendations for determining local requirements, browsing and retrieving checklists, applying checklists to IT products, and providing feedback on checklists
Checklist Development: giving visibility into how developers can create, test, and submit checklists and how NIST reviews and finalizes checklists

SteelCloud: Leveraging STIG Automation for Scalable CMMC Compliance

NIST 800-70 explains that the first place to look for configuration controls is NIST-produced checklists. However, it also points out that agency-produced checklists from the Defense Information Systems Agency (DISA) should be used where no NIST checklist exists.

If you’re looking to meet Level 2+ CMMC compliance, DISA Security Technical Implementation Guides (STIGs) are the security configuration checklists that meet Department of Defense (DoD) requirements. Each technology product that your environment uses will have a STIG associated with it. Getting compliant means implementing these secure configurations and maintaining them.

However, getting compliant can be a struggle. Often, the STIG for one technology breaks another one. Often, companies choose to set waivers, or exceptions, to these controls because finding a way to account for them becomes overwhelming.

Staying compliant is even more difficult. Every 90 days, DISA updates STIGs, meaning that you have to implement the changes and prevent additional downtime from conflicts.

SteelCloud automates STIG compliance, enforcement, and maintenance, reducing the amount of time it takes to get compliant and stay compliant. For more information about how we can help you meet your technical CMMC compliance requirements, contact us today.

Share This Resource:

ATO / Automated STIG Compliance / baseline security controls / CIS security benchmarks / CMMC / contractor information systems / cyber hardening / Defense Industrial Base / DIB / DoD / DoD STIGS / FIPS / NIST / NIST 800 - 128 / NIST 800-53 CMMC / NIST SP 800-171 / NIST SP 800-53 / Risk Management Framework / STIG compliance

NIST SP 800-53: CMMC’s Hidden Standard Prev post

SteelCloud Awarded Enterprise-Scale License from an Army Component for STIG Compliance Software Next post

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

How do NIST SP 800-128 and NIST SP 800-70 fit into CMMC compliance?

What is NIST SP 800-128?

What is NIST SP 800-70?

SteelCloud: Leveraging STIG Automation for Scalable CMMC Compliance

Resource Library

Recent Resources

Featured Resources

Visual Guide to System Hardening and Automation

How to Harden Systems Easily and Affordably

VIDEO: How to Overcome Budget and Staff Cuts with Automation

What We Do

Company

Support