September 11, 2025
Travis Good

CMMC vs. NIST 800-171: What Defense Contractors Need to Know

Learn the key differences between CMMC and NIST 800-171.

If you’re working with the Department of Defense or pursuing defense contracts, cybersecurity compliance is no longer optional. Beginning in late 2025, many DoD contracts will explicitly require CMMC certification, and all contractors that handle Controlled Unclassified Information are already obligated to implement NIST SP 800-171 under DFARS.

CMMC determines whether you can be awarded DoD contracts, and CMMC Level 2 builds directly on the foundation of NIST 800-171. Understanding how the two connect, and where they diverge, can set you on a streamlined path to compliance.

Here’s what you need to know…

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) was launched by the Department of Defense (DoD) to ensure that sensitive information is protected across its supply chain of partners and government contractors.

CMMC ensures that all vendors handling federal data, like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), meet certain security standards. This helps strengthen cybersecurity across the Defense Industrial Base (DIB).

There are three levels within CMMC:

  • CMMC Level 1 - Foundational: For partners that only handle Federal Contract Information (FCI).
  • CMMC Level 2 - Advanced: Applies to organizations handling Controlled Unclassified Information (CUI).
  • CMMC Level 3 - Expert: Covers contractors supporting the most sensitive DoD data and programs.

Level 1 can be attained via self-assessment, while Level 2 requires organizations to prove their CMMC compliance through an assessment by a CMMC Third-Party Assessment Organization (C3PAO). Level 3 can only be attained via a government-led assessment conducted by the DoD.

What is NIST 800-171?

NIST 800-171 is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST). It outlines 110 cybersecurity requirements spread over 14 domains, covering areas ranging from access control to incident response.

The goal of NIST 800-171 is to protect the confidentiality of CUI when handled by non-federal systems.

Companies can attest that they meet NIST 800-171 cybersecurity standards without a third-party assessment. However, companies that also want to become CMMC compliant will, in most cases, need a third-party assessment to verify their 800-171 compliance at CMMC Level 2.

What are the CMMC NIST 800-171 Compliance Requirements?

If your company is a contractor for the DoD, cybersecurity compliance is mandatory. Under DFARS clause 252.204-7012, any contractor that handles CUI must implement the 110 security requirements in NIST SP 800-171.

Beginning in late 2025, many DoD contracts will also include Cybersecurity Maturity Model Certification (CMMC) requirements.

DFARS Basics and Self-Attestation

Under DFARS clause 252.204-7012, defense contractors must confirm compliance with NIST 800-171. Most do this through self-attestation, essentially documenting that they have checked all the boxes.

To complete the self-attestation, contractors must:

  1. Run a gap assessment against all 110 security requirements in NIST 800-171.
  2. Create Plans of Action & Milestones (POA&Ms) for any requirements that haven't been implemented yet.
  3. Submit the resulting score to the Supplier Performance Risk System (SPRS), where 110 is the maximum.
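As an added example (not code from the original post or from Workstreet), here are the three self-attestation steps above carried out on a constructed gap-assessment result. It assumes the weighting of the DoD's NIST SP 800-171 Assessment Methodology, where each unimplemented requirement subtracts 1, 3 or 5 points from the 110 maximum; the control ids and weights in the sample are illustrative, not the official table.

```python
"""SPRS score and POA&M entries from a NIST SP 800-171 gap assessment.
Scoring assumption (DoD Assessment Methodology): start at 110, subtract the
weight (1, 3 or 5) of every requirement that is not implemented."""
from dataclasses import dataclass
from typing import List, Optional

MAX_SCORE = 110
VALID_WEIGHTS = (1, 3, 5)

@dataclass(frozen=True)
class Control:
    id: str                 # NIST SP 800-171 requirement id, e.g. "3.1.1"
    weight: int             # points lost if not implemented (1, 3 or 5)
    implemented: bool
    remediation_date: Optional[str] = None  # planned fix date for the POA&M

# Constructed sample gap-assessment results; weights are illustrative only.
SAMPLE = [
    Control("3.1.1", 5, True),
    Control("3.1.2", 5, True),
    Control("3.3.1", 5, False, "2026-03-31"),
    Control("3.5.3", 5, False, "2026-01-15"),
    Control("3.8.3", 3, False, "2025-12-01"),
    Control("3.12.4", 1, False, "2025-11-15"),
]

def sprs_score(controls: List[Control]) -> int:
    """Start at 110 and subtract the weight of every unimplemented control."""
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.id}: weight must be 1, 3 or 5")
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)

def poam(controls: List[Control]) -> List[dict]:
    """One POA&M entry per open control; each open control needs a due date."""
    entries = []
    for c in controls:
        if c.implemented:
            continue
        if not c.remediation_date:
            raise ValueError(f"{c.id}: open control has no remediation date")
        entries.append({"control": c.id, "points": c.weight,
                        "due": c.remediation_date})
    return entries

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))  # 96 for the sample
    for entry in poam(SAMPLE):
        print(entry)
```

A real submission would load all 110 requirements with their official weights; the functions above do not change.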

CMMC Assessments

Because of the sensitivity of the data contractors handle, CMMC generally requires verification by independent, accredited third parties.

At CMMC Level 2, organizations that handle CUI will need their compliance validated by a CMMC Third-Party Assessment Organization (C3PAO). Level 1 contracts may only require annual self-assessments, while the highest level (Level 3) involves government-led evaluations.

NIST vs CMMC Assessments: The Key Differences

Although NIST 800-171 and CMMC share the same foundation and provide great value, they also serve different purposes. Here’s an overview of their key differences.

1. Levels and Domain Coverage

NIST 800-171 is a single set of 110 security requirements. CMMC takes a tiered approach, with three progressive levels that build on those requirements. NIST 800-171 maps directly to CMMC 2.0 Level 2, while Levels 1 and 3 extend the scope below and above it.

NIST 800-171 focuses on CUI protection, while CMMC covers FCI, CUI, and advanced threats, depending on the level.

2. Evidence and Documentation

NIST 800-171 relies on self-attestation, while CMMC Level 2 requires a more in-depth collection of documentation and evidence, as well as approval from a third-party assessor.

3. Enforcement and Penalties

NIST 800-171 is required under DFARS for contractors handling CUI, but compliance is based on self-assessment. There are no automatic fines, but inaccurate or missing compliance can trigger serious consequences.

CMMC, on the other hand, ties compliance directly to contract eligibility. Starting in late 2025, if a solicitation requires a certain CMMC level and you don’t have it, you cannot bid for or win that DoD contract.

Mapping NIST 800-171 vs CMMC Levels

Level 1: Foundational

CMMC Level 1 focuses on 17 specific cybersecurity practices, instead of the full 110 practices of NIST 800-171.

Level 1 is for DoD contractors that only handle FCI. CMMC Level 1 ensures smaller subcontractors in the defense supply chain have baseline security protections, including physical protection and access control.

Level 2: Advanced

CMMC Level 2 requires all 110 security controls in NIST 800-171, structured across 14 security domains, for contractors dealing with CUI.

Here are the 14 Security Domains in NIST 800-171 and CMMC Level 2:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Level 3 - Expert

CMMC Level 3 goes beyond NIST SP 800-171 by requiring implementation of all 110 controls plus a subset of advanced security practices from NIST SP 800-172.

Your Path Forward

Both NIST 800-171 and CMMC play important roles in the security of the defense supply chain. While NIST provides the foundations for protecting Controlled Unclassified Information (CUI), CMMC is becoming a requirement for winning DoD contracts by verifying and certifying that the NIST security controls and protections are in place.

Compliance can be stressful to navigate alone, especially when DoD contracts are riding on CMMC certification. But you don’t have to go it alone. Workstreet can help you get NIST 800-171 compliant and prepare for CMMC.

Get started with Workstreet’s managed security and compliance services. Schedule a call.

CMMC and NIST 800-171 FAQs

How do I determine if my organization needs to comply with NIST 800-171, CMMC, or both?

If your organization handles Controlled Unclassified Information (CUI), you are already required under DFARS to comply with NIST SP 800-171. Beginning in late 2025, many DoD contracts will also include CMMC requirements.

What happens if I fail a CMMC assessment but have been compliant with NIST 800-171?

You will not achieve CMMC certification and must develop a POA&M to address the deficiencies. You will usually get 90-180 days to address these before you will need to be reassessed.

How much does it cost to implement NIST 800-171 compared to achieving CMMC certification?

The total cost of implementing NIST 800-171 depends on the size of your company and your current information security practices and security posture. Small and mid-sized businesses may see ranges from $30,000 to $120,000+, while larger organizations may need to spend significantly more.

CMMC certification adds costs on top of that baseline. Contractors must first achieve NIST 800-171 compliance, then undergo CMMC Level 2 assessments.

Can I use my NIST 800-171 documentation as evidence for a CMMC assessment?

While NIST 800-171 documentation provides a foundation and can be provided as evidence, CMMC will require additional documentation and verification aligned with the applicable certification level.

What is the timetable for CMMC implementation?

The DoD is phasing in CMMC requirements so contractors can have time to prepare. From late 2025, CMMC Level 2 requirements will start appearing in more DoD contracts involving CUI, with full enforcement planned for 2028.

What are the latest NIST 800-171 updates?

NIST 800-171 (Rev. 3) introduced additional supply chain risk management requirements, scoping guidance for CUI systems, updated authentication and access control measures, and consolidation of controls.

Ready to Transform Security into a Growth Advantage?

Schedule a consultation with our trust solutions experts to see how we can accelerate your security program and compliance journey.