CMMC vs NIST 800-171: Key Differences Defense Contractors Must Understand

CMMC and NIST 800-171 are related but different. NIST defines 110 security controls. CMMC verifies you implemented them. Learn where they overlap, where they diverge, and what it means for your compliance program.

Deep Fathom

Defense contractors hear both terms constantly. CMMC and NIST 800-171 show up in contracts, solicitations, and conversations with compliance advisors. They’re related, but they’re not the same thing, and confusing them creates real problems in how organizations plan and execute their compliance programs.

Here’s the distinction, stated plainly: NIST 800-171 tells you what to implement. CMMC tells you how you prove it.

Getting this relationship right matters because it determines how you structure your compliance program, where you invest your time and money, and how you prepare for the assessments that are now required to keep your DoD contracts.

What Is NIST 800-171?

NIST SP 800-171, published by the National Institute of Standards and Technology, defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. It was first released in 2015 and has been the contractual requirement for defense contractors since 2017, when DFARS clause 252.204-7012 made implementation mandatory for any contractor handling CUI.

The framework is structured around protecting information that isn’t classified but still requires safeguarding, such as technical drawings, test data, procurement specifications, and personnel records associated with defense programs.

The 110 Controls Across 14 Families

The 110 security requirements are organized across 14 control families:

  1. Access Control (22 requirements). Who can access what, and under what conditions
  2. Awareness and Training (3). Security education for personnel
  3. Audit and Accountability (9). Logging and monitoring system activity
  4. Configuration Management (9). Maintaining secure system configurations
  5. Identification and Authentication (11). Verifying user and device identities
  6. Incident Response (3). Detecting, reporting, and responding to security events
  7. Maintenance (6). Keeping systems maintained securely
  8. Media Protection (9). Protecting CUI on physical and digital media
  9. Personnel Security (2). Screening and managing personnel access
  10. Physical Protection (6). Securing physical facilities and equipment
  11. Risk Assessment (3). Identifying and evaluating security risks
  12. Security Assessment (4). Evaluating the effectiveness of security controls
  13. System and Communications Protection (16). Securing communications and system boundaries
  14. System and Information Integrity (7). Detecting flaws and maintaining system integrity

Each requirement maps to assessment objectives defined in the companion document, NIST SP 800-171A. There are 320 assessment objectives across the 110 requirements. This is the level of granularity that assessors evaluate. A single control like AC.L2-3.1.1 (Limit system access to authorized users) has multiple determination statements that must each be satisfied for the control to be considered fully implemented.

What NIST 800-171 Is and What It Isn’t

NIST 800-171 is a security standard. It defines requirements. It does not certify compliance.

Before CMMC existed, the compliance model was straightforward: implement the 110 controls, self-assess your compliance, calculate a score out of 110, and submit that score to the Supplier Performance Risk System (SPRS). Contracting officers could see your score and use it to evaluate risk. But nobody independently verified whether the score was accurate.

That model relied on trust. The trust was misplaced. Multiple DoD reviews and industry studies found that contractors routinely overreported their SPRS scores. Some organizations claimed full compliance while running security programs that wouldn’t withstand a basic technical review. The gap between reported scores and actual security posture was the driving force behind creating CMMC.

In readiness reviews we’ve conducted, organizations that scored themselves at 90+ on their SPRS self-assessment routinely scored 20 to 30 points lower when evaluated against the full 320 assessment objectives by an independent reviewer.

That gap is not unusual. It’s the norm.

NIST 800-171 Revision 2 vs Revision 3

This is a point of active confusion in the market, and getting it wrong has real consequences.

NIST released Revision 3 of SP 800-171 in May 2024. Per the published Rev 3 document, the update is significant:

  • Requirements consolidated from 110 to 97
  • Three new control families added (Planning, System and Services Acquisition, Supply Chain Risk Management)
  • 88 organizationally defined parameters (ODPs) introduced, allowing organizations to tailor certain control values
  • Assessment objectives increased from 320 to 422
  • Closer alignment with NIST 800-53, the parent control catalog used by federal agencies

Here’s what you need to know right now: CMMC Level 2 still references Revision 2. The DoD issued Class Deviation 2024-O0013, which mandates that contractors continue using Rev 2 for all DFARS 252.204-7012 compliance. Every C3PAO assessment benchmarks against the 110 Rev 2 controls and 320 Rev 2 assessment objectives.

Revision 3 is coming for CMMC, but the transition timeline hasn’t been published. The DoD must go through a formal rulemaking process to update the CMMC reference from Rev 2 to Rev 3. Industry consensus suggests this is 2-3 years away.

The right posture: Maintain full NIST 800-171 Rev 2 compliance. Begin mapping Rev 3 changes to understand what’s new and what consolidated. Do not shift your primary compliance program to Rev 3 until the DoD formally requires it. Contractors who align only to Rev 3 today risk showing unmet requirements against the Rev 2 controls that assessors actually evaluate.

What Is CMMC?

The Cybersecurity Maturity Model Certification is the DoD’s program for confirming that contractors actually meet the cybersecurity requirements they claim to meet. It was created because self-attestation under DFARS 7012 failed to produce reliable compliance across the defense industrial base.

CMMC doesn’t introduce new security controls at Level 2; the 110 requirements are the same ones from NIST 800-171 Rev 2. What CMMC adds is the verification model, assessment types, certification status logic, and POA&M and affirmation rules around those same requirements:

  • Defined assessment methods with standardized scoring
  • Accredited third-party assessors (C3PAOs) who conduct independent reviews
  • Formal certification statuses (Conditional and Final) that contracting officers can verify
  • POA&M constraints with 180-day closure deadlines and control-level exclusions
  • Annual affirmation requirements between triennial reassessments
  • Contract eligibility gating where no certification means no award

Before CMMC vs After CMMC

The shift is fundamental. Here’s how the compliance model changed:

Before CMMC (DFARS 7012 self-attestation):

  1. Contractor self-assesses against NIST 800-171
  2. Contractor calculates and submits SPRS score
  3. Contractor signs affirmation that the score is accurate
  4. Nobody independently verifies unless DIBCAC selects you for a review
  5. Enforcement is selective, inconsistent, and reactive

After CMMC (for most CUI contracts):

  1. Contractor implements NIST 800-171 controls
  2. Contractor prepares SSP, POA&M, and evidence artifacts
  3. Accredited C3PAO conducts an independent assessment
  4. C3PAO evaluates all 110 controls against 320 assessment objectives
  5. Contractor achieves Conditional or Final certification
  6. Contractor submits annual affirmation and undergoes triennial reassessment
  7. Certification status is visible to contracting officers and required for award

The compliance standard didn’t change. The accountability did.

Where NIST 800-171 and CMMC Overlap

The overlap is complete at the Level 2 requirement level. CMMC Level 2 uses the same 110 security requirements as NIST SP 800-171 Rev 2. There is no separate Level 2 control set. If you’re implementing the 110 NIST 800-171 requirements, you’re implementing the substantive security requirements that CMMC Level 2 evaluates.

But CMMC adds the assessment, scoring, affirmation, POA&M, and certification framework around those same requirements. Implementing the 110 requirements is the right technical foundation, but it is not the whole of being CMMC-compliant or CMMC-certified.

This has practical implications:

  • Your SSP works for both. Every System Security Plan written for NIST 800-171 compliance feeds directly into your CMMC assessment. You don’t need a separate CMMC version.
  • Controls count once. Every control you implement satisfies both the DFARS 7012 requirement and the CMMC Level 2 requirement simultaneously. No duplicate work.
  • Your SPRS score remains part of the record. SPRS remains relevant because affirmations and current CMMC status are reflected there. However, Level 2 C3PAO assessment results are entered into CMMC eMASS, not SPRS. Your NIST 800-171 self-assessment score in SPRS serves as a baseline, but don’t conflate it with your CMMC certification status.
  • Evidence is shared. The artifacts you collect for NIST 800-171 compliance are the same artifacts a C3PAO reviews during a CMMC assessment. One evidence repository serves both purposes.

If you’ve been doing NIST 800-171 compliance properly, meaning actual control implementation with documented evidence and a current SSP that reflects your real environment, you have a strong foundation for CMMC certification. The gap is usually in evidence quality, documentation currency, and self-assessment rigor, not in the controls themselves.

Where NIST 800-171 and CMMC Differ

Despite the shared control set, the differences between these two frameworks are significant enough to change how you budget and execute.

Verification Method

NIST 800-171: Self-assessment. You evaluate your own compliance, calculate your own score, and submit it to SPRS. DIBCAC can audit you under DFARS 7020, but audits are selective, not universal. Most contractors never face an external review of their self-reported score.

CMMC Level 2: For most CUI contracts, a C3PAO conducts an independent assessment. The assessor team reviews your documentation, interviews your staff, examines your evidence, and tests your technical controls. They determine whether each control is MET or NOT MET. You don’t grade your own paper.

This is the single biggest difference between the two frameworks. Self-assessment allows optimism. Independent assessment does not.

Among contractors we’ve supported through C3PAO preparation, the most common gap isn’t a missing control — it’s a control that exists on paper but can’t be demonstrated with current evidence.

Scoring and Certification

NIST 800-171: Scored on a 110-point scale. You start at 110 and subtract weighted points for each unimplemented requirement. Requirements are weighted at 1, 3, or 5 points based on their NIST classification as Basic or Derived Security Requirements. Your score can go negative if enough requirements are missing. The score is informational, meaning contracting officers see it, but there’s no pass/fail threshold defined in the regulation.

CMMC Level 2: Uses a 110-point weighted scoring model. Security requirements are weighted at 1, 3, or 5 points each, based on their classification as Basic or Derived Security Requirements. Two requirements (MFA and FIPS-validated encryption) allow partial credit. Conditional status requires achieving at least 80% of the maximum score, with only permissible NOT MET requirements on a POA&M. Requirements excluded from POA&M eligibility must be fully implemented at assessment time. A single 5-point requirement NOT MET has a much larger impact than a 1-point requirement, so the weighted scoring demands careful prioritization.

That distinction matters more than most contractors realize.

Consequences of Non-Compliance

Under CMMC, non-compliance means ineligibility for contract award. This is binary and immediate — contracting officers will not award to an offeror who doesn’t hold the required CMMC level, and there’s no “we’re almost done” status that satisfies the requirement. The enforcement mechanism is the acquisition process itself, which makes it far more systematic than what existed before. Under NIST 800-171 alone, non-compliance technically constitutes a breach of the DFARS 7012 contract requirement, and the Department of Justice has pursued False Claims Act cases against contractors who misrepresented their compliance status — Georgia Tech, Penn State, and others have faced enforcement actions. But prosecution has been selective, and many non-compliant contractors operated without consequence for years. CMMC replaces that selective enforcement with a gatekeeping function: either you hold the certification or you don’t compete.

Continuous Compliance Requirements

NIST 800-171: No formal continuous compliance mechanism beyond maintaining the accuracy of your SPRS score. In practice, most contractors submit a score and don’t update it until a contract renewal or a DIBCAC review forces the issue. Scores drift because environments change and documentation goes stale. The framework assumes ongoing compliance, but doesn’t enforce it.

CMMC: Certification is valid for three years, with annual affirmation required. Each year, a senior official must sign a statement confirming that the organization still meets the certified level. This affirmation carries legal weight. If your environment has changed materially and you haven’t maintained your controls, signing the affirmation creates personal and organizational liability. The DoD also retains the right to conduct additional assessments under DFARS 7020 at any time, regardless of your certification status.

Supply Chain Flow-Down

Both NIST 800-171 (through DFARS 7012) and CMMC require contractors to flow down compliance requirements to subcontractors who handle CUI. The difference is in enforcement. Under the self-attestation model, many primes requested an SPRS score from subs and left it at that, without independently verifying whether the score reflected reality. CMMC changes the calculus: prime contractors who award work to subcontractors must ensure those subs hold the required CMMC level, and awarding work to a non-compliant subcontractor puts the prime’s own contract at risk. This creates real supply chain accountability because the prime’s eligibility depends on their subs’ certification status.

Assessment Cost and Effort

NIST 800-171: Self-assessment is essentially free in direct cost, though the effort to do it honestly is substantial. Many organizations spend $10,000-$30,000 on consultant-assisted self-assessments.

CMMC Level 2: C3PAO assessment fees range from $31,000 to over $150,000 depending on scope and complexity. Total preparation costs, including remediation, tools, and documentation, can range from $50,000 to $300,000. The investment is significantly higher than self-assessment, but the output, verified third-party certification, carries contractual weight that self-reported scores never did.

Side-by-Side Comparison

| Dimension | NIST 800-171 | CMMC Level 2 |
| --- | --- | --- |
| Type | Security standard (guidelines) | Certification program (verification) |
| Authority | NIST (Department of Commerce) | DoD (OUSD A&S) |
| Requirements | 110 controls, 14 families | Same 110 controls (mapped from NIST 800-171 Rev 2) |
| Assessment method | Self-assessment | C3PAO third-party assessment (most CUI contracts) |
| Scoring | 110-point scale (can go negative) | 110-point weighted scoring model. Conditional status requires at least 80% of the maximum score, with only permissible NOT MET requirements on a POA&M |
| Certification | No certification. Score submitted to SPRS. | Formal certification with Conditional/Final status |
| POA&M | Allowed without constraints | Allowed with limits. 180-day close. Some controls excluded. |
| Validity period | Ongoing (maintain SPRS accuracy) | 3 years with annual affirmation |
| Non-compliance | Contract breach, potential False Claims Act | Ineligible for contract award |
| Current revision | Rev 2 required, Rev 3 published but not adopted | References NIST 800-171 Rev 2 |
| Enforcement | Selective (DIBCAC reviews under DFARS 7020) | Systematic (required for contract eligibility) |
| Assessment cost | Low (self-directed) | $31,000-$150,000+ for C3PAO assessment alone |
| Flow-down | Required but loosely enforced | Required and tied to prime eligibility |

Which One Do I Need to Focus On?

Both. They are not alternatives. They are layers of the same compliance obligation.

NIST 800-171 is the foundation. It defines the security controls you must implement. You’ve been contractually required to meet these controls since 2017 under DFARS 7012. That requirement hasn’t gone away. It exists independently of CMMC.

CMMC is the verification layer. It proves to the DoD, and to the primes who need to verify their supply chain, that you’ve actually done what NIST 800-171 requires.

Starting CMMC preparation without a solid NIST 800-171 implementation is like studying for a test without learning the material. Your compliance program should be built on NIST 800-171 as the security baseline, with CMMC as the assessment and certification framework that validates it. The work is the same. The accountability is what changed.

Common Mistakes When Navigating CMMC and NIST 800-171

Running parallel compliance programs. Some organizations treat CMMC and NIST 800-171 as separate initiatives with different teams, different documentation, and different timelines. They share the same control set at Level 2. One program, one SSP, one evidence repository.

Jumping to Rev 3 prematurely. NIST 800-171 Rev 3 is published and represents the future direction. But CMMC assessments benchmark against Rev 2 today. Aligning solely to Rev 3 leaves gaps in the Rev 2 controls that assessors evaluate. Maintain Rev 2 compliance while mapping Rev 3 differences.

Trusting your SPRS score. Most contractors who self-assessed under the NIST 800-171 scoring methodology overscored. If your SPRS score is high but you haven’t had an independent review, treat it as a starting point, not a reliable measure of readiness. We’ve reviewed SPRS submissions where organizations scored 95 but couldn’t produce assessment-ready evidence for a significant share of their claimed MET controls. Run a rigorous gap assessment before committing to a C3PAO timeline.

Ignoring the assessment objectives. Many organizations work at the control level (110 items) instead of the assessment objective level (320 items). Assessors evaluate at the objective level. A control with four objectives where three are met and one is not will score as NOT MET. Understanding the objectives is the difference between thinking you’re ready and actually being ready.
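The weighted scoring rules from the Scoring and Certification section and the objective-level MET/NOT MET rule above, worked through as a small Python model. This is an added illustration, not Deep Fathom’s tooling or any DoD reference implementation; apart from 3.1.1, which the page quotes, the requirement identifiers, point weights, POA&M-eligibility flags, objective labels and the “some objectives MET” trigger for partial credit are constructed assumptions that must be checked against the DoD assessment methodology.

```python
from dataclasses import dataclass, replace

MAX_SCORE = 110                      # SPRS and CMMC Level 2 both start from 110
CONDITIONAL_MIN = 0.80 * MAX_SCORE   # Conditional status needs >= 88 points


@dataclass(frozen=True)
class Requirement:
    ident: str
    weight: int                  # 1, 3 or 5 points (sample values, see note below)
    objectives: dict             # 800-171A assessment objective -> MET (True) / NOT MET
    poam_eligible: bool = False  # constructed flag: may this item sit on a POA&M?
    partial_deduction: int = 0   # > 0 only for the two partial-credit requirements

    def met(self) -> bool:
        # A requirement is MET only when every assessment objective is MET;
        # three of four objectives satisfied still scores as NOT MET.
        return all(self.objectives.values())

    def deduction(self) -> int:
        if self.met():
            return 0
        # Partial credit (page: only MFA and FIPS-validated encryption allow it).
        # Triggering it on "some objectives MET" is an assumed simplification.
        if self.partial_deduction and any(self.objectives.values()):
            return self.partial_deduction
        return self.weight


def score(reqs) -> int:
    """Weighted score used by SPRS self-assessment and C3PAO assessment alike.
    Requirements not listed are assumed MET; the result can go negative."""
    return MAX_SCORE - sum(r.deduction() for r in reqs)


def certification_outcome(reqs) -> dict:
    """Apply the page's Conditional/Final gating to a set of requirement results."""
    s = score(reqs)
    not_met = [r for r in reqs if not r.met()]
    blockers = sorted(r.ident for r in not_met if not r.poam_eligible)
    if not not_met:
        status = "Final"
    elif s >= CONDITIONAL_MIN and not blockers:
        status = "Conditional"   # remaining NOT MET items go on a 180-day POA&M
    else:
        status = "Not certified"
    return {"status": status, "score": s, "blockers": blockers,
            "poam": sorted(r.ident for r in not_met if r.poam_eligible)}


def remediate(reqs, *idents):
    """Return a copy of reqs with every objective of the named requirements MET."""
    return [replace(r, objectives={k: True for k in r.objectives})
            if r.ident in idents else r for r in reqs]


# Constructed sample results. 3.1.1 is quoted on the page; 3.5.3 and 3.13.11 are
# assumed to be the MFA and FIPS requirements; all weights and flags are illustrative.
SAMPLE = [
    Requirement("3.1.1", 5, {"a": True, "b": True, "c": True, "d": True}),
    Requirement("3.3.1", 5, {"a": True, "b": True, "c": True, "d": False}),
    Requirement("3.5.3", 5, {"privileged": True, "remote": True, "network": False},
                partial_deduction=3),
    Requirement("3.13.11", 5, {"encryption_used": True, "fips_validated": False},
                partial_deduction=3),
    Requirement("3.4.9", 1, {"a": False}, poam_eligible=True),
]

if __name__ == "__main__":
    print(certification_outcome(SAMPLE))                      # Not certified, score 98
    fixed = remediate(SAMPLE, "3.3.1", "3.5.3", "3.13.11")
    print(certification_outcome(fixed))                       # Conditional, score 109
    print(certification_outcome(remediate(fixed, "3.4.9")))   # Final, score 110
```

A high score alone is not enough: the first run scores 98, comfortably above the 80% line, yet is blocked because NOT MET items that cannot sit on a POA&M remain open.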

Overlooking your MSP in the compliance boundary. If your managed service provider touches CUI or Security Protection Data, their environment is part of your CMMC assessment scope. Their security posture affects your certification outcome. Define responsibilities through a customer responsibility matrix (CRM) before your assessment, not during it.

Waiting for solicitations to require CMMC before acting. CMMC preparation takes 6 to 18 months. If you wait until a solicitation drops with a CMMC Level 2 requirement, you’re already too late to compete for that award. The contractors winning work are the ones who certified before the requirement appeared.

How Your Existing NIST 800-171 Work Feeds Into CMMC

If you’ve been maintaining a NIST 800-171 compliance program, you’re not starting from zero. Here’s how your existing work maps to CMMC preparation:

Your SSP becomes your CMMC assessment anchor. The System Security Plan you built for NIST 800-171 is the same document a C3PAO reviews. Update it to reflect your current environment, ensure it covers all 110 controls with implementation-specific detail, and verify that it’s consistent with your actual network architecture and data flows.

Your SPRS score identifies your gap. Your current score tells you how many controls aren’t fully implemented. That gap becomes your remediation roadmap. Focus first on controls that are NOT MET and not eligible for POA&M under CMMC rules.

Your existing evidence needs a freshness check. Evidence collected for NIST 800-171 compliance is valid for CMMC, but only if it’s current. Configuration screenshots from last year don’t prove current-state compliance. Establish a process for evidence refresh, or build a system that captures evidence continuously.

Your training and awareness program carries forward. Security awareness training records, incident response exercises, and personnel screening documentation all serve both NIST 800-171 and CMMC. Make sure records are current and easy to retrieve.

Getting Started

Whether you’re bridging from an existing NIST 800-171 program to CMMC certification, or building a compliance program from scratch, the path forward starts with clarity about where you stand.

1. Assess honestly. Run a gap assessment against all 110 NIST 800-171 Rev 2 controls at the assessment-objective level. Don’t score yourself generously. The C3PAO won’t.

2. Make sure your SSP describes the organization you actually are. If your System Security Plan describes an organization that no longer exists, rewrite it. The SSP is the single document that makes or breaks your assessment.

3. Build for continuous compliance. One-time compliance projects fail the moment the environment changes. You need a system that maintains your documentation, evidence, and control status continuously, not just at assessment time.

Deep Fathom helps defense contractors turn existing NIST 800-171 compliance work into CMMC-ready evidence. The platform maps your controls, tracks gaps, generates documentation, and prepares evidence for C3PAO review, keeping everything synchronized as your environment changes. If you’re bridging between NIST 800-171 and CMMC, or starting fresh, check your readiness or talk to our team.
