ISO/IEC 27001:2022 is an internationally recognized and widely adopted information security management system standard. Although the Department of War received several requests from industry during the Title 32 rulemaking process for CMMC to consider ISO/IEC 27001:2022 as an alternative to NIST SP 800-171, requests to alter the existing requirements defined in DFARS 252.204-7012 were considered outside the scope of the Final CMMC Rulemaking process.
ISO/IEC 27001:2022 is a broader set of controls that delivers a more holistic approach to protecting the confidentiality, availability, and integrity of an information system. NIST SP 800-171 is a tailoring of the NIST SP 800-53 moderate baseline with a narrower focus: protecting the confidentiality of information within a non-federal system. The revision of the standard still required under CMMC Level 2 assumed that non-federal organizations routinely satisfied significant aspects of the requirements that the standard itself does not specify.
The online repository of informative references (OLIR) includes a number of conceptual mappings between various frameworks, standards, and requirements. Many of these publications are written by the various organizations responsible for maintaining these standards. This led to the development of a derived relationship analysis tool.
The idea is simple: instead of manually crosswalking two reference concepts against each other, you look for a focal set of concepts to which both reference concepts are already mapped. In this exercise, we wanted to bridge the gap between ISO/IEC 27001:2022 and CMMC Level 2 assessment objectives. Since no authoritative reference exists, we looked for a focal document that could bridge these two publications. This led us to NIST SP 800-53 Revision 5.

Within the NIST Information Reference Catalog, you can find a crosswalk between ISO/IEC 27001:2022 and NIST SP 800-53 Rev 5 controls. This crosswalk was developed by NIST, so it is very thorough and a great reference for translating ISO/IEC 27001:2022 controls to NIST SP 800-53. This document was the first authoritative reference used to create the derived relationship mapping.
When NIST SP 800-171 Rev 2 was introduced, it was a tailoring of the moderate baseline of SP 800-53 Rev 4. A mapping table was provided in the back of the publication within Table D. You may notice that this mapping table also included controls from ISO/IEC 27001:2013.

We identified several concerns with using this mapping table to accomplish our goal of mapping the assessment objectives to ISO 27001:2022. First, the mappings were done at a very high level, with one or more NIST SP 800-171 security requirements related to one or more NIST SP 800-53 or ISO/IEC 27001 controls. If we wanted to use NIST SP 800-53 Rev 5 as the focal document to bridge CMMC Level 2 and ISO/IEC 27001, we needed a mapping to that updated version of the publication. Similarly, if we took the mappings provided to ISO/IEC 27001:2013, we would have to update them to the newer version of the publication.
Given the constraints of Table D, we recently released an updated mapping of NIST SP 800-171 Rev 2 assessment objectives and NIST SP 800-53 Rev 5 control parts. This was done largely to support crosswalking FedRAMP Customer Responsibility Matrices into CMMC assessment objectives. Instead of mapping all the way down to NIST SP 800-53 Rev 5 assessment objectives, we mapped down to the control parts of NIST SP 800-53.
This gave us the granularity to see what parts of the SP 800-53 Rev 5 controls were relevant to each assessment objective within CMMC Level 2 without the added noise of overbearing objectives. We called this publication the CMMC Rosetta Stone because it allows for greater translation of CMMC requirements. This became the second reference used to create the derived relationship mapping.
To create the derived relationship mapping, we consolidated all relationships from the reference publications (CMMC Level 2 and ISO/IEC 27001:2022) for each relevant NIST SP 800-53 Rev 5 control or control part. We joined the potential mappings and flattened the table to assess the results. We trained the Gemini agent embedded in Google Sheets to assess the type and strength of each potential relationship according to the guidance in NIST IR 8477.
We then asked Gemini to narrate its justification for each relationship type and strength. We also added the assessment objectives that had no derived relationship to any ISO/IEC 27001 control, for better visibility into the gaps that ISO/IEC controls cannot address.

The ISO/IEC 27001 overlap with CMMC Level 2 is but a single thread within a larger initiative we are undertaking called the Framework Web. While much work has been done to create an underlying consolidated control framework (Unified Control Framework, HITRUST, Secure Control Framework), we find gaps in this approach. When a control is written to satisfy requirements that are outside the scope of the system, a one-size-fits-all approach inevitably creates inefficiency.
The Risk Management Framework describes a process by which organizations identify their relevant requirements, which can include security or privacy obligations imposed on organizations or a set of stakeholder protection needs for a particular system or organization. Controls, on the other hand, are the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives.
If the only requirements the organization is working to satisfy are CMMC Level 2 and ISO/IEC 27001:2022, then using a unified control framework may not be more efficient. The NIST initiative to publish informative references and a derived relationship mapping tool demonstrates the need for practitioners to translate controls and requirements between publications. With exhaustive control catalogs (e.g. NIST SP 800-53) well mapped to other control frameworks, it is more efficient to bridge the gaps that exist than to boil the ocean.
With the K2 GRC platform, users can leverage informative references between control catalogs to identify work done under one control that is relevant to another. The image below shows a user documenting the implementation of AC-02d.01 from NIST SP 800-53 Rev 5. This objective requires organizations to specify authorized users of the system. Note that on the right of the input screen the relevant sections of the organization’s policies are displayed.
This enables the author of the System Security Plan (SSP) to easily cite relevant sections of policies that govern this control objective. The narrative provided in the Control Process text box will populate under the control objective AC-02d.01 within the NIST SP 800-53 Rev 5 SSP.

We can also see that, below the policy statement references, related informative references are listed. Once a related control is documented as met, the implementation statement for the related objective is displayed and can be copied, pasted, and then modified as needed to satisfy the unique requirements of the related objective. For example, after documenting AC-02d.01, if we navigate to AC.L2-3.1.1, we can copy our narrative and amend it as required.
The primary advantage of informative references is allowing the practitioner to reuse relevant implementation statements from one control for another. This is especially valuable when the control catalog requires the users to address how the control is implemented using a narrative for each assessment objective within a system security plan. This workflow also enables users to reuse relevant artifacts between controls.
Relying on static framework crosswalks is no longer viable in today's multi-regulation compliance environment. As the CMMC rulemaking process proved, security standards will remain distinct, and defense contractors must find smarter ways to bridge the gaps between them. Fusing frameworks into a single unified catalog often creates sweeping structural inefficiencies; instead, organizations should focus on targeted, granular cross-framework documentation. Our deep dive utilizing the NIST derived relationship technique demonstrates exactly how to navigate this landscape.
We've mapped a path that shaves half a year of full-time engineering off your audit preparation. Don't let your valuable compliance artifacts go to waste. With the K2 GRC platform, you can intelligently leverage informative references to reuse your historical control narratives and eliminate duplicate work across your entire compliance ecosystem.