Government contractors face a critical question in 2026: what is the difference between NIST 800-171 and CMMC 2.0, and which one does your organization actually need to comply with? The short answer is both, but the relationship between these two frameworks is more nuanced than most guides explain.
NIST SP 800-171 defines the security requirements. CMMC 2.0 defines how compliance with those requirements gets verified. Understanding this distinction is essential for any defense contractor building a compliance roadmap, allocating budget, and preparing for assessments.
This guide breaks down the key differences between NIST 800-171 and CMMC 2.0, maps their controls, and helps you determine exactly what your organization needs to do.
What Is NIST SP 800-171?
NIST Special Publication 800-171 is a set of security requirements published by the National Institute of Standards and Technology for protecting Controlled Unclassified Information (CUI) in non-federal systems. It was originally developed to extend federal security standards to contractors and other non-federal organizations that handle sensitive government data.
The framework defines 110 security requirements organized across 14 control families:
- Access Control (22 requirements)
- Awareness and Training (3 requirements)
- Audit and Accountability (9 requirements)
- Configuration Management (9 requirements)
- Identification and Authentication (11 requirements)
- Incident Response (3 requirements)
- Maintenance (6 requirements)
- Media Protection (9 requirements)
- Personnel Security (2 requirements)
- Physical Protection (6 requirements)
- Risk Assessment (3 requirements)
- Security Assessment (4 requirements)
- System and Communications Protection (16 requirements)
- System and Information Integrity (7 requirements)
NIST 800-171 has been the baseline for protecting CUI since its initial publication. Compliance has been required through DFARS clause 252.204-7012 since 2017, but the enforcement mechanism was self-attestation — contractors scored themselves using the NIST SP 800-171A assessment procedures and reported their scores to the Supplier Performance Risk System (SPRS).
The problem was clear: self-attestation without verification created a gap between reported compliance and actual security posture. Audits by the DoD Inspector General found widespread overreporting, with many contractors claiming perfect scores while lacking fundamental security controls.
What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification was created by the Department of Defense to solve the verification problem. Rather than trusting contractors to self-report their compliance, CMMC establishes a tiered certification system with independent assessments at higher levels.
CMMC 2.0 streamlined the original framework from five levels to three:
- Level 1 (Foundational): 17 practices from FAR 52.204-21, annual self-assessment, for Federal Contract Information (FCI)
- Level 2 (Advanced): 110 requirements from NIST SP 800-171, triennial third-party assessment or self-assessment depending on CUI sensitivity, for CUI
- Level 3 (Expert): NIST SP 800-171 plus select NIST SP 800-172 enhanced requirements, government-led assessment, for critical CUI and highest-priority programs
The key innovation of CMMC is not new security requirements — it is the verification and certification mechanism layered on top of existing NIST standards.
NIST 800-171 vs CMMC 2.0: Side-by-Side Comparison
| Feature | NIST SP 800-171 | CMMC 2.0 |
|---|---|---|
| Purpose | Defines security requirements for CUI | Verifies implementation of security requirements |
| Publisher | National Institute of Standards and Technology | Department of Defense |
| Structure | 110 requirements across 14 families | 3 maturity levels with tiered practices |
| Assessment Type | Self-assessment (SPRS score) | Self-assessment (Level 1), third-party or self (Level 2), government-led (Level 3) |
| Certification | No formal certification | Yes — formal certification required |
| Enforcement | Contractual (DFARS 252.204-7012) | Contractual + regulatory (32 CFR Part 170 + 48 CFR) |
| Scope | CUI protection only | FCI (Level 1) and CUI (Levels 2-3) |
| POA&Ms Allowed | Yes, with SPRS score adjustment | Yes, conditional certification with time-limited remediation |
| Cost of Assessment | Internal resources only | $20K-$100K+ for C3PAO assessments |
| Recertification | Continuous (annual affirmation) | Every 3 years (Levels 2-3) with annual affirmation |
| Applies To | Any org handling CUI (defense and civilian) | Defense Industrial Base contractors specifically |
How NIST 800-171 Controls Map to CMMC Levels
Understanding the mapping between NIST 800-171 and CMMC levels is essential for building an efficient compliance program that satisfies both frameworks simultaneously.
CMMC Level 1 Mapping
CMMC Level 1 draws from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), which includes 17 practices. These practices align with a subset of NIST 800-171 requirements:
| CMMC Level 1 Practice | Corresponding NIST 800-171 Requirement |
|---|---|
| Limit system access to authorized users | 3.1.1 — Limit system access |
| Limit system access to permitted transactions and functions | 3.1.2 — Limit access to authorized types of transactions |
| Verify and control connections to external systems | 3.1.20 — Verify external connections |
| Control information on public systems | 3.1.22 — Control information posted publicly |
| Identify system users and processes | 3.5.1 — Identify system users |
| Authenticate users and processes | 3.5.2 — Authenticate identities |
| Sanitize or destroy media before disposal | 3.8.3 — Sanitize media before disposal |
| Limit physical access to systems | 3.10.1 — Limit physical access |
| Escort and monitor visitors | 3.10.3 — Escort visitors |
| Maintain audit logs of physical access | 3.10.4 — Maintain audit logs |
| Control and manage physical access devices | 3.10.5 — Control physical access devices |
| Monitor, control, and protect communications | 3.13.1 — Monitor/control communications at boundaries |
| Implement subnetworks for publicly accessible systems | 3.13.5 — Implement subnetworks for public components |
| Identify, report, and correct flaws | 3.14.1 — Identify and correct flaws in a timely manner |
| Provide protection from malicious code | 3.14.2 — Provide malicious code protection |
| Update malicious code protection mechanisms | 3.14.4 — Update malicious code mechanisms |
| Perform periodic scans and real-time scans on files | 3.14.5 — Perform scans of the system |
CMMC Level 2 Mapping
CMMC Level 2 maps directly to all 110 NIST SP 800-171 Rev 2 requirements. There is a one-to-one correspondence — every NIST 800-171 requirement has a matching CMMC Level 2 practice, and vice versa. This was a deliberate design decision in CMMC 2.0 to eliminate the CMMC-unique practices that existed in version 1.0 and caused confusion.
CMMC Level 3 Mapping
CMMC Level 3 includes all 110 NIST 800-171 requirements plus a selection of enhanced requirements from NIST SP 800-172. These enhanced requirements focus on protecting CUI against Advanced Persistent Threats (APTs) and include:
- Dual authorization for critical actions
- Enhanced security testing and exercises
- Network segmentation and microsegmentation
- Threat hunting capabilities
- Incident response automation
Key Differences Explained
1. Self-Attestation vs Independent Verification
The most significant difference is how compliance is verified. Under NIST 800-171 alone, organizations self-assess using the DoD Assessment Methodology, calculate their SPRS score (ranging from -203 to 110), and submit it. No one independently checks whether the score is accurate.
CMMC changes this for Level 2 (for contracts involving prioritized CUI) and Level 3. A CMMC Third-Party Assessment Organization (C3PAO), accredited by the Cyber AB, conducts an independent assessment. For Level 3, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the assessment directly.
2. Scope of Applicability
NIST 800-171 applies broadly to any non-federal organization that handles CUI, including contractors working with civilian agencies. CMMC specifically applies to the Defense Industrial Base — organizations bidding on or performing DoD contracts.
If you work exclusively with civilian federal agencies, you need NIST 800-171 compliance but not CMMC certification. If you work with the DoD, you need both.
3. Cost and Resource Requirements
NIST 800-171 self-assessment can be completed with internal resources, though many organizations engage consultants. The primary costs are implementing the controls themselves.
CMMC adds significant assessment costs on top of implementation. C3PAO assessments for Level 2 typically range from $20,000 to $100,000+ depending on the size and complexity of the organization’s CUI environment. Level 3 assessments, conducted by DIBCAC, come at government expense but require substantially more preparation.
4. Timeline and Phased Rollout
CMMC requirements are being phased into DoD contracts over a multi-year rollout that began in 2025:
- Phase 1 (2025): CMMC Level 1 self-assessments and Level 2 self-assessments appear in contracts
- Phase 2 (2026): Level 2 C3PAO assessments begin appearing in contracts
- Phase 3 (2027): Level 3 assessments required for applicable contracts
- Phase 4 (2028): Full CMMC requirements across all applicable DoD contracts
Organizations already subject to DFARS 252.204-7012 should already be compliant with NIST 800-171. CMMC does not change what controls you need — it changes how you prove you have them.
5. Plans of Action and Milestones (POA&Ms)
Both frameworks allow POA&Ms, but with different implications:
Under NIST 800-171, a POA&M reduces your SPRS score but does not prevent you from holding contracts. You document the gap, plan remediation, and continue operating.
Under CMMC 2.0, limited POA&Ms are permitted for conditional certification. However, there are restrictions — certain requirements cannot be on a POA&M, the remediation timeline is capped at 180 days, and failing to close POA&Ms within the deadline results in loss of certification.
Who Needs Which Framework?
You Need NIST 800-171 Only If:
- You handle CUI for civilian federal agencies (non-DoD)
- You are a subcontractor that handles CUI but your prime does not flow CMMC requirements down
- You want to improve your security posture using a recognized federal standard
You Need CMMC Level 1 If:
- You handle Federal Contract Information (FCI) under DoD contracts
- Your contracts include the FAR 52.204-21 clause
- You do not handle CUI
You Need CMMC Level 2 If:
- You handle CUI under DoD contracts
- Your contracts include DFARS 252.204-7012
- Most defense contractors fall into this category
You Need CMMC Level 3 If:
- You handle CUI associated with critical DoD programs
- Your contracts specifically require Level 3 certification
- You work on programs targeted by nation-state adversaries
Building a Compliance Roadmap
Whether you need NIST 800-171 compliance, CMMC certification, or both, the path starts with the same foundational steps:
1. Define your CUI boundary. Identify exactly where CUI enters your environment and where it is processed, stored, and transmitted. Scoping determines everything — a larger boundary means more controls, more cost, and more complexity. Many organizations shrink their CUI boundary by segmenting their network and confining CUI to specific systems. For guidance on segmenting your environment, review our guide on zero trust security.
2. Conduct a gap assessment. Assess your current security posture against the 110 NIST 800-171 requirements. Calculate your actual SPRS score. Be honest — the point of this exercise is to identify real gaps, not to generate a favorable number. Review our NIST compliance guide for a step-by-step approach to this assessment.
3. Prioritize remediation. Not all gaps are equal. Focus first on requirements that are weighted heavily in the SPRS scoring methodology and on controls that cannot be placed on a POA&M under CMMC.
4. Implement controls. Deploy the technical, administrative, and physical controls needed to meet each requirement. This often involves investments in identity and access management, endpoint detection and response, SIEM/log management, encryption, and security awareness training.
5. Document everything. Both NIST 800-171 and CMMC require extensive documentation: a System Security Plan (SSP), POA&Ms, policies and procedures for each control family, and evidence of implementation. Documentation is not optional — it is evaluated during assessments.
6. Prepare for assessment. If CMMC Level 2 or 3 certification is required, begin preparing at least 6 to 12 months before your anticipated assessment date. This includes selecting a C3PAO, conducting a mock assessment, and remediating any issues identified.
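The SPRS arithmetic mentioned under difference 1 (a score from -203 to 110) and the weighted prioritization in step 3 of the roadmap are easier to reason about with a small calculator. The following Python is an added example, not code from the article or from any DoD or NIST tool. It assumes the DoD Assessment Methodology's scheme of deducting each unmet requirement's point value from 110, with partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography); the WEIGHTS table is a constructed, illustrative subset rather than the authoritative annex, and the POA&M eligibility rules (88-point floor, no gaps worth more than one point except a partial 3.13.11, a handful of excluded one-point requirements) encode 32 CFR Part 170 as understood here and should be confirmed against the rule text.

```python
"""SPRS score calculator and remediation prioritizer (added example).

Not the article's or any DoD tool's code. Weights are an illustrative,
constructed subset: take the real 1/3/5 values for all 110 requirements
from the DoD Assessment Methodology annex before relying on a number.
"""
from typing import Literal

PERFECT_SCORE = 110          # one point per requirement before deductions
POAM_CLOSE_DAYS = 180        # CMMC 2.0 cap on remediation time (from the article)
CONDITIONAL_MIN_SCORE = 88   # assumption: 80% of 110, floor for conditional Level 2 status

Status = Literal["implemented", "partial", "not_implemented"]

# Constructed, illustrative weights (real values: DoD Assessment Methodology annex).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.8": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.5.3": 5, "3.10.3": 1, "3.13.11": 5,
    "3.14.1": 5, "3.14.5": 3,
}

# The methodology grants partial credit only for MFA (3.5.3) and FIPS-validated
# cryptography (3.13.11): 3 points deducted instead of 5 when partially done.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Assumption (verify against 32 CFR 170): one-point requirements a POA&M may not carry.
POAM_EXCLUDED_ONE_POINT = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(req: str, status: Status) -> int:
    """Points lost for one requirement. Anything short of full implementation
    costs the full weight, except the two partial-credit requirements."""
    if status == "implemented":
        return 0
    if status not in ("partial", "not_implemented"):
        raise ValueError(f"unknown status {status!r} for {req}")
    weight = WEIGHTS[req]  # KeyError for a requirement id outside the table
    if status == "partial" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return weight


def sprs_score(assessment: dict[str, Status]) -> int:
    """110 minus all deductions. Requirements absent from `assessment` count as
    implemented, which only suits this subset; a real assessment covers all 110."""
    return PERFECT_SCORE - sum(deduction(r, s) for r, s in assessment.items())


def _req_key(req: str) -> tuple[int, ...]:
    """Sort '3.13.11' after '3.5.3' numerically rather than as strings."""
    return tuple(int(p) for p in req.split("."))


def remediation_plan(assessment: dict[str, Status]) -> list[tuple[str, int, str]]:
    """Open gaps ordered by points at stake (highest first), then by id, so the
    5-point controls that also block a CMMC POA&M surface at the top."""
    gaps = [(r, deduction(r, s), s) for r, s in assessment.items() if deduction(r, s)]
    return sorted(gaps, key=lambda g: (-g[1], _req_key(g[0])))


def poam_blockers(assessment: dict[str, Status]) -> list[str]:
    """Reasons the open gaps could not all sit on a CMMC Level 2 POA&M.
    An empty list means a conditional certification is arithmetically possible
    (at which point the 180-day remediation clock starts)."""
    blockers: list[str] = []
    score = sprs_score(assessment)
    if score < CONDITIONAL_MIN_SCORE:
        blockers.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} minimum")
    for req, points, status in remediation_plan(assessment):
        if req == "3.13.11" and status == "partial":
            continue  # the one gap worth more than a point a POA&M may carry
        if points > 1:
            blockers.append(f"{req} is worth {points} points and cannot be on a POA&M")
        elif req in POAM_EXCLUDED_ONE_POINT:
            blockers.append(f"{req} is excluded from POA&Ms by the rule")
    return blockers


def example_assessment() -> dict[str, Status]:
    """Constructed sample gap assessment for a small contractor (not real data)."""
    return {
        "3.1.1": "implemented", "3.1.2": "implemented",
        "3.1.5": "not_implemented",   # least privilege not enforced
        "3.1.8": "not_implemented",   # no lockout after failed logons
        "3.1.20": "not_implemented",  # external connections not verified
        "3.5.3": "partial",           # MFA on remote access only
        "3.13.11": "partial",         # some CUI paths lack FIPS-validated crypto
        "3.14.1": "implemented",
    }


if __name__ == "__main__":
    a = example_assessment()
    print("SPRS score:", sprs_score(a))
    for req, pts, status in remediation_plan(a):
        print(f"  {req:8} -{pts} ({status})")
    for reason in poam_blockers(a):
        print("POA&M blocker:", reason)
```

Running it on the constructed assessment yields a score of 99 and puts the three 3-point gaps ahead of the two 1-point ones; the blocker list then shows why a 99 is not enough on its own for a conditional certification: the least-privilege and MFA gaps are worth more than a point, and 3.1.20 is on the excluded list, so those must be closed before assessment rather than deferred to a POA&M.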
For a comprehensive overview of IT compliance standards and how they relate to your broader security program, explore our security compliance guide.
Common Mistakes to Avoid
Treating NIST 800-171 and CMMC as separate programs. They are not. CMMC Level 2 is NIST 800-171. Build one compliance program that satisfies both.
Overscoping the CUI boundary. A larger boundary increases cost and complexity. Invest in proper scoping and network segmentation upfront.
Ignoring supply chain requirements. If you are a prime contractor, you are responsible for flowing CMMC requirements to subcontractors that handle CUI. Failure to verify subcontractor compliance puts your own certification at risk.
Waiting until contracts require CMMC. By the time CMMC appears in a solicitation, it is too late to start. The implementation and assessment process takes 12 to 18 months for most organizations.
Underestimating documentation requirements. Technical controls without documentation fail assessments. Budget time for policy writing, procedure documentation, and evidence collection from the beginning.
Frequently Asked Questions
Does CMMC replace NIST 800-171?
No. CMMC does not replace NIST 800-171 — it builds on it. CMMC Level 2 directly incorporates all 110 NIST 800-171 requirements. The difference is that CMMC adds a verification and certification layer. You still need to implement NIST 800-171 controls; CMMC determines how those controls get assessed and validated.
Can I satisfy both NIST 800-171 and CMMC with a single compliance program?
Yes, and you should. Since CMMC Level 2 maps one-to-one with NIST 800-171, a well-designed compliance program addresses both simultaneously. Build your program around NIST 800-171 controls, maintain documentation and evidence as required by CMMC, and you will be prepared for both SPRS scoring and CMMC assessment.
How much does CMMC certification cost?
Total costs vary widely based on organizational size and current security posture. Implementation costs (controls, tools, personnel) typically range from $50,000 to $500,000+. C3PAO assessment fees for Level 2 range from $20,000 to $100,000+. Ongoing maintenance and annual affirmations add recurring costs. For organizations already compliant with NIST 800-171, the incremental cost of CMMC is primarily the assessment itself.
What happens if I fail a CMMC assessment?
If your organization does not meet the required CMMC level, you will not receive certification and will be ineligible for contracts that require that level. You can remediate the identified gaps and request a reassessment. There is no formal penalty for failing beyond the inability to compete for CMMC-requiring contracts. However, if your SPRS score was significantly higher than your actual security posture, there could be implications under the False Claims Act.
Do subcontractors need CMMC certification?
Yes, if they handle FCI or CUI under a DoD contract. Prime contractors are responsible for flowing CMMC requirements to their subcontractors. The required CMMC level depends on the type of information the subcontractor handles — FCI requires Level 1, CUI requires Level 2 or higher.
Is CMMC required for commercial products sold to the DoD?
CMMC applies to contractors and subcontractors, not to commercial off-the-shelf (COTS) products. However, if your organization provides services, support, or customization alongside COTS products and handles CUI in the process, CMMC requirements may apply to those activities.
Next Steps
Preparing for NIST 800-171 compliance and CMMC certification requires a structured approach, the right tools, and often expert guidance. Whether you are starting from scratch or tightening gaps in an existing compliance program, the time to act is now — not when CMMC appears in your next contract solicitation.
Exodata helps defense contractors and government-adjacent organizations navigate security and compliance requirements, from gap assessments and remediation to assessment preparation and ongoing compliance management. If you need help building an incident response capability as part of your compliance program, our guide on creating a cybersecurity incident response plan is a practical starting point.