The NIST 800-53 and CMMC frameworks are closely related, with CMMC drawing heavily from NIST 800-171, which itself is a tailored subset of NIST 800-53. Mapping (crosswalking) between NIST 800-53 and CMMC is a common compliance task, especially for organizations working with the Department of Defense (DoD). The CyberStrong solution enables automated, real-time crosswalking between these frameworks, greatly simplifying this process for organizations.
Below is a sample crosswalk table that illustrates how controls from NIST 800-53 map to CMMC domains and practices. This is a high-level representation; a complete crosswalk would be much more granular.
|
NIST 800-53 Control Family |
Example NIST 800-53 Control |
CMMC Domain |
CMMC Practice (Level 2/3) |
|
Access Control (AC) |
AC-2: Account Management |
Access Control (AC) |
AC.L2-3.1.1: Limit system access |
|
Audit and Accountability (AU) |
AU-2: Audit Events |
Audit & Accountability (AU) |
AU.L2-3.3.1: Create and retain audit logs |
|
Awareness and Training (AT) |
AT-2: Security Awareness |
Awareness & Training (AT) |
AT.L2-3.2.1: Security awareness training |
|
Configuration Management (CM) |
CM-2: Baseline Configurations |
Configuration Management (CM) |
CM.L2-3.4.1: Establish configuration baselines |
|
Identification and Authentication (IA) |
IA-2: Identification & Authentication |
Identification & Authentication (IA) |
IA.L2-3.5.1: Identify and authenticate users |
|
Incident Response (IR) |
IR-2: Incident Response Training |
Incident Response (IR) |
IR.L2-3.6.1: Establish incident response capabilities |
|
Maintenance (MA) |
MA-2: Controlled Maintenance |
Maintenance (MA) |
MA.L2-3.7.1: Perform maintenance on systems |
|
Media Protection (MP) |
MP-2: Media Access |
Media Protection (MP) |
MP.L2-3.8.1: Protect CUI on media |
|
Personnel Security (PS) |
PS-2: Position Risk Designation |
Personnel Security (PS) |
PS.L2-3.9.1: Screen individuals prior to access |
|
Physical Protection (PE) |
PE-2: Physical Access Authorizations |
Physical Protection (PE) |
PE.L2-3.10.1: Limit physical access |
|
Risk Assessment (RA) |
RA-3: Risk Assessment |
Risk Management (RM) |
RM.L2-3.11.1: Periodically assess risk |
|
System and Communications Protection (SC) |
SC-7: Boundary Protection |
System & Communications Protection (SC) |
SC.L2-3.13.1: Monitor and control communications |
|
System and Information Integrity (SI) |
SI-2: Flaw Remediation |
System & Information Integrity (SI) |
SI.L2-3.14.1: Identify and correct flaws |
Dive into CyberStrong’s automated framework mapping capabilities with our crosswalking brief.
Read More: