If I have an ISO 9001, AS9100, or ISO 27001 certification do I need CMMC?

You may still need to comply with NIST SP 800-171. The differentiator is whether your business handles Controlled Unclassified Information (CUI).

Robert McVay, senior consultant for information security services

It depends. If your business is ISO 9001 certified, AS9100 certified, or both, you already know the benefits of these international gold standards. Nonetheless, you may still need to comply with NIST SP 800-171. The differentiator is whether your business handles Controlled Unclassified Information (CUI). Neither ISO 9001 nor AS9100 incorporates guidelines for protecting CUI belonging to the U.S. Department of Defense (DOD). And, while ISO 27001 covers cybersecurity best practices, it still leaves gaps against requirements in NIST SP 800-171 that are unique to the DOD.

Are ISO 9001, AS9100, ISO 27001, and NIST SP 800-171 interchangeable?

Late last year, I started to receive questions about whether ISO 9001, AS9100, ISO 27001, and NIST/CMMC certifications are interchangeable. The short answer is no.

What makes NIST SP 800-171 and ISO 27001 different?

ISO 27001 is designed to provide industry cybersecurity best practices across an entire organization’s digital environment. It’s focused on protecting the confidentiality, integrity, and availability of the organization’s data. NIST SP 800-171 is solely focused on protecting the confidentiality of the DOD’s CUI. Essentially, ISO 27001 is meant to protect all data within an organization whereas NIST SP 800-171 recommends segmenting and isolating the CUI from the rest of the organization’s networks and data storage.

If you are a defense contractor, do you need ISO 9001, AS9100, or ISO 27001?

The reverse side of the initial question is: if you must comply with NIST SP 800-171 as a defense contractor or subcontractor, should you pursue compliance with the other certification standards? Defense contractors and their subcontractors handling CUI are required to comply with NIST SP 800-171 and, once the CMMC rule is finalized, to undergo CMMC assessments. Achieving NIST compliance takes an average of 12 to 18 months. The idea of adding other certifications to your journey likely seems daunting.

However, there’s much commonality between these standards. If you’re already ISO 27001 certified, you may find you have completed the majority of NIST SP 800-171, as well as ISO 9001 and AS9100. With a coordinated approach, it’s possible to achieve compliance on several planes without exorbitantly increasing your time, workload, and resources. Working with a company that’s an ISO certification body and an accredited CMMC Third Party Assessor Organization (C3PAO) enhances your ability to achieve this multifaceted goal.

What if you don’t handle CUI?

If your company doesn’t handle CUI and your contract doesn’t contain the DFARS clauses 252.204-7012, -7019, -7020, or -7021, you may not be required to comply with NIST SP 800-171. In that case, ISO 9001 and AS9100 establish internationally recognized quality management within the company, and ISO 27001 brings confidence in the information security of your client’s and your company’s information. If you aren’t sure whether you handle CUI, contact your contracting officer or government program manager.

If you still have questions or would like to learn more, schedule a meeting with me at a time convenient to you.

Hopefully this helps clarify the difference and commonality between these standards. They’re all valuable, but not all are mandatory. What you need and the benefits of each depend on your specific business and customer requirements.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division. https://www.smithers.com

March 2024