NIST 800-171 vs CMMC: Key Differences Explained

Defense contractors frequently encounter both NIST SP 800-171 and CMMC in the same conversation — often in the same contract clause. The confusion is understandable: the two frameworks share 110 requirements and are aimed at the same population of DoD suppliers. But they are not the same thing, and treating them as interchangeable creates compliance gaps that can disqualify you from contract awards. This guide explains exactly what separates NIST 800-171 vs. CMMC 2.0, where they overlap, what CMMC adds, and how organizations can satisfy both frameworks without running two separate compliance programs.
NIST 800-171 vs. CMMC: The Essential Distinction
The clearest way to understand the relationship: CMMC Level 2 incorporates NIST SP 800-171, but adds a verification layer that NIST 800-171 alone does not require.
NIST SP 800-171
NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a self-attested framework. Organizations assess themselves against the 110 requirements, document their implementation in a System Security Plan (SSP), and submit a score to the SPRS portal under DFARS 252.204-7019 and 252.204-7020. There is no third-party verification requirement built into NIST 800-171 itself. Rev. 2, published in February 2020, remains the baseline for CMMC Level 2 even though NIST published Rev. 3 in May 2024; the DoD has kept CMMC on Rev. 2 for now.
NIST 800-171 is required by DFARS 252.204-7012 for any contractor processing, storing, or transmitting Controlled Unclassified Information (CUI) on nonfederal systems. It has been a contractual requirement since 2017. You can access the full publication at NIST CSRC.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's third-party verified framework for ensuring defense contractors actually implement the security requirements they attest to. CMMC 2.0 Level 2 uses the exact same 110 practices from NIST SP 800-171 Rev. 2, organized into the same 14 domains. The critical addition: for contracts involving prioritized CUI, CMMC requires a triennial assessment by an accredited C3PAO, not just a self-attestation. The DoD CMMC program is managed by the DoD CMMC Office.
NIST 800-171 vs. CMMC: Side-by-Side Comparison
| Dimension | NIST SP 800-171 | CMMC 2.0 Level 2 |
|---|---|---|
| Requirements count | 110 security requirements | 110 practices (identical to 800-171 Rev. 2) |
| Verification method | Self-attestation (SPRS score) | Self-assessment OR C3PAO third-party assessment depending on contract type |
| Assessment frequency | Periodic (no mandated cadence, but the SPRS score on file must be no more than three years old) | Triennial assessment (self or C3PAO) plus an annual affirmation |
| Primary document | System Security Plan (SSP) + POA&M | SSP + POA&M + C3PAO assessment evidence package |
| Regulatory basis | DFARS 252.204-7012 (existing requirement) | DFARS 252.204-7021 (phasing into contracts 2025–2026) |
| Applies to | All contractors handling CUI under DFARS-covered contracts | DoD contracts with specific CMMC clauses; phased rollout by contract type |
| Score/certification | Numerical SPRS score (max 110) | CMMC certification level (Level 1, 2, or 3) in SPRS |
The 14 Domains: Where NIST 800-171 and CMMC Level 2 Align
Because CMMC Level 2 directly inherits its 110 practices from NIST 800-171, the domain structure is identical. Both frameworks organize requirements across: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
If your organization has conducted a thorough NIST 800-171 assessment and built a complete SSP and POA&M, you have completed the substantive groundwork for CMMC Level 2. The remaining steps are procedural: ensuring your documentation meets C3PAO evidence standards, organizing your evidence package by domain, and — for prioritized CUI contracts — engaging an accredited C3PAO.
What CMMC Adds Beyond NIST 800-171
While the practice requirements are identical at Level 2, CMMC introduces several requirements that go beyond a standard 800-171 self-assessment:
- Affirmation requirement: A company official must annually affirm that the CMMC Level 2 requirements are implemented. This is a personal attestation with legal implications — false attestations can create liability under the False Claims Act.
- C3PAO assessment rigor: C3PAOs follow a standardized assessment methodology that tests not just documentation but operational evidence — log samples, configuration screenshots, interview responses, and artifact reviews. An SSP that is complete on paper but not supported by operational evidence will generate findings.
- Cyber AB governance: The Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) accredits C3PAOs and publishes supplemental guidance. This standardizes the assessment experience, though the ecosystem is still maturing.
- POA&M limitations: CMMC constrains what can remain open at assessment time. A Level 2 result with open items earns only a conditional status, and only if the score is at least 88 of 110, every open item is a 1-point requirement (3.13.11 may remain open at 3 points), and no Level 1 requirement is among them; everything on the POA&M must then be closed within 180 days or the conditional status lapses. A 5-point gap therefore blocks certification outright rather than merely lowering a score.
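The two views described on this page, the SPRS score and the CMMC Level 2 status, are both functions of the same assessment register. The Python below is an added example, not Z Cyber's Glance code and not anything published by the DoD, that computes both views from one register of findings. It encodes the DoD Assessment Methodology scoring (110 minus each unimplemented requirement's 1, 3 or 5-point weight, with partial credit only for 3.5.3 and 3.13.11) and my reading of the 32 CFR 170.21 conditions for a conditional Level 2 status with a POA&M; the sample register, its weights and its gap statuses are constructed for illustration and should be checked against the methodology annex and the current rule text.

```python
"""SPRS score and CMMC Level 2 status computed from one assessment register.

Added example; not Z Cyber's or the DoD's code. Scoring follows the DoD
Assessment Methodology: start at 110 and subtract each requirement's weight
(1, 3 or 5) when it is not implemented. Only 3.5.3 (MFA) and 3.13.11
(FIPS-validated crypto) earn partial credit, losing 3 instead of 5.
The conditional-status rules below are my reading of 32 CFR 170.21(a)(2);
verify them against the current rule. Sample weights are constructed.
"""
from dataclasses import dataclass, replace

MAX_SCORE = 110
POAM_MIN_SCORE = 88                           # 80% of 110: floor for conditional status
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # partial implementation costs 3, not 5
POAM_WEIGHT_EXCEPTION = {"3.13.11"}           # may stay on a POA&M at 3 points
LEVEL1_REQS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}  # never POA&M-able


@dataclass(frozen=True)
class Requirement:
    req_id: str
    weight: int      # 1, 3 or 5 per the methodology annex
    status: str      # "implemented" | "partial" | "not_implemented"


def deduction(req: Requirement) -> int:
    """Points subtracted for one requirement."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.req_id]
    # Any other partial implementation scores as not implemented.
    return req.weight


def sprs_score(register) -> int:
    """The NIST 800-171 view: the number reported to SPRS."""
    return MAX_SCORE - sum(deduction(r) for r in register)


def open_items(register):
    """POA&M register: every requirement still costing points."""
    return [r for r in register if deduction(r) > 0]


def poam_permitted(register) -> bool:
    """May the open items sit on a POA&M at assessment time?"""
    if sprs_score(register) < POAM_MIN_SCORE:
        return False
    for r in open_items(register):
        if r.req_id in LEVEL1_REQS:
            return False
        excepted = r.req_id in POAM_WEIGHT_EXCEPTION and deduction(r) == 3
        if deduction(r) > 1 and not excepted:
            return False
    return True


def cmmc_level2_status(register) -> str:
    """The CMMC view: Final, Conditional (POA&M, 180-day closeout) or Not Met."""
    if not open_items(register):
        return "Final"
    return "Conditional" if poam_permitted(register) else "Not Met"


def remediate(register, req_id):
    """Close one gap; both views recompute from the same register."""
    return [replace(r, status="implemented") if r.req_id == req_id else r
            for r in register]


# Constructed register: only the gaps are listed; every other requirement is
# assumed implemented and so contributes no deduction.
SAMPLE = [
    Requirement("3.5.3", 5, "partial"),          # MFA for remote/privileged users only
    Requirement("3.13.11", 5, "partial"),        # encryption present, not FIPS-validated
    Requirement("3.5.7", 1, "not_implemented"),  # password complexity
    Requirement("3.5.8", 1, "not_implemented"),  # password reuse
]

if __name__ == "__main__":
    reg = SAMPLE
    print(sprs_score(reg), cmmc_level2_status(reg))   # 102 Not Met
    reg = remediate(reg, "3.5.3")                     # finish rolling out MFA
    print(sprs_score(reg), cmmc_level2_status(reg))   # 105 Conditional
```

The first run is the point worth noticing: a score of 102 looks healthy in SPRS, yet the partially implemented MFA requirement still costs 3 points and is not on the exception list, so the same register yields "Not Met" in the CMMC view. Closing that single gap moves the score only three points but flips the certification outcome, because the remaining items are all POA&M-eligible.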
Assessing Both Frameworks Simultaneously: The Z Cyber Approach
Running separate assessments for NIST 800-171 and CMMC is redundant — the practice requirements are identical. The efficient approach is to conduct one thorough Current State Assessment that produces documentation meeting the evidentiary standards of both frameworks simultaneously.
Z Cyber's Glance platform implements this directly. When your advisory team conducts a Current State Assessment, every control finding is mapped to both NIST SP 800-171 requirements and CMMC practices. Your SPRS score reflects the NIST 800-171 view; your CMMC Level 2 Framework Scorecard reflects the CMMC certification view. Both are derived from the same control assessment — no duplicate effort, no inconsistent documentation.
POA&M items are tracked in a single register that notes their impact on both your SPRS score and your CMMC readiness. When a gap is remediated, both framework views update simultaneously. Your Z Cyber advisor monitors this continuously, so your documentation never becomes stale — a critical consideration given that a SPRS score reflecting a compliance posture from 18 months ago is a liability, not an asset.
For organizations approaching a C3PAO assessment, Z Cyber's advisory team helps organize evidence packages by domain, conducts pre-assessment readiness reviews, and identifies any remaining gaps between your current documentation and C3PAO evidence standards. For the detailed CMMC program guide, see our CMMC 2.0 complete guide for defense contractors. For defense contractor industry-specific context, see our defense and government industry page.
NIST SP 800-171 Rev. 3 and Future CMMC Updates
NIST published the final version of SP 800-171 Rev. 3 in May 2024, introducing several structural and substantive changes. Rev. 3 reorganizes the requirement format to align with NIST SP 800-53 Rev. 5 and its moderate baseline in SP 800-53B, consolidates the catalog to 97 requirements across 17 families, and introduces organization-defined parameters (ODPs) that let the organization, or the government for DoD contracts, set specific values such as review intervals and lockout thresholds. It also adds three families not present in Rev. 2: Planning, System and Services Acquisition, and Supply Chain Risk Management.
As of early 2026, CMMC 2.0 Level 2 is still based on NIST SP 800-171 Rev. 2. The DoD has indicated it will update CMMC to reflect Rev. 3 requirements, but the timeline for that transition has not been finalized. Organizations that begin compliance efforts now should build on Rev. 2 as the current contractual baseline, while designing their compliance program to be adaptable — particularly in areas where Rev. 3 introduces new requirements. Organizations relying on static documentation built for Rev. 2 will face a heavier lift when the CMMC update arrives.
Which Framework Should Your Organization Focus On?
The practical answer: focus on NIST SP 800-171 compliance as your foundation, and build toward CMMC certification as your verification layer. Here is why:
- NIST 800-171 compliance under DFARS 252.204-7012 is an existing requirement for any organization handling CUI. You are already contractually obligated.
- A thorough 800-171 compliance program is the complete substantive foundation for CMMC Level 2 certification.
- Organizations that chase CMMC certification without first building a genuine 800-171 compliance program often produce documentation that looks right on paper but fails C3PAO operational testing.
- The SPRS score — derived from your 800-171 assessment — is visible to contracting officers right now. A high score signals compliance discipline to both prime contractors and DoD program offices.
Conclusion
NIST SP 800-171 and CMMC 2.0 Level 2 are two layers of the same compliance obligation — not two separate programs. The 110 requirements are identical. The difference is verification: NIST 800-171 requires self-attestation; CMMC requires third-party verification for prioritized CUI contracts. Organizations that build a rigorous, continuously maintained 800-171 compliance program have already done the hard work. CMMC certification is the formal confirmation of that work.
Z Cyber's advisory team conducts assessments that satisfy both frameworks simultaneously — one Current State Assessment, one SSP, one POA&M, two framework scorecards. No duplicate effort. Always-current documentation.
Frequently Asked Questions: NIST 800-171 vs. CMMC
Does completing NIST 800-171 compliance make us CMMC Level 2 certified?
Not automatically. Implementing all 110 NIST SP 800-171 requirements is the substantive foundation for CMMC Level 2, but certification requires additional steps: submitting an affirmation in SPRS, maintaining a current SSP and POA&M in the required format, and — for prioritized CUI contracts — completing a triennial assessment by an accredited C3PAO. That said, an organization with a complete and accurate 800-171 compliance program is very close to CMMC Level 2 certification readiness. The gap is primarily procedural and documentary, not substantive.
What is a C3PAO and how do I find one?
A C3PAO (CMMC Third-Party Assessment Organization) is a company accredited by The Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) to conduct CMMC Level 2 certification assessments. C3PAOs must meet training, ethics, and quality standards set by The Cyber AB, and their assessment teams must hold the relevant CMMC assessor credentials. The list of authorized C3PAOs is published in The Cyber AB marketplace. C3PAO capacity is limited relative to demand, and assessment slots are booking out months in advance; organizations targeting a 2026 C3PAO assessment should begin the scheduling process now.
What is the difference between CUI and FCI?
Federal Contract Information (FCI) is information provided by or generated for the government under a contract but not intended for public release. Controlled Unclassified Information (CUI) is government-created or government-owned information that requires safeguarding per law, regulation, or government-wide policy. CUI includes categories such as export-controlled technical data, privacy-protected information, law enforcement sensitive data, and critical infrastructure information. CMMC Level 1 protects FCI; CMMC Level 2 protects CUI. The CUI Registry at the National Archives defines all CUI categories.
If we already submitted a SPRS score, do we still need to do CMMC?
Yes, for contracts that include CMMC requirements. Submitting a SPRS score satisfies the NIST 800-171 self-assessment requirement of DFARS 252.204-7019 and 252.204-7020, which support the 252.204-7012 safeguarding clause. CMMC compliance is a separate requirement tied to specific DFARS clauses (primarily 252.204-7021) that are being phased into DoD contracts. As CMMC requirements appear in new solicitations and contract renewals, the SPRS self-assessment score alone will not satisfy the CMMC clause; you will also need either a CMMC Level 2 self-assessment with its annual affirmation or a C3PAO assessment, depending on contract type.
Can the same documentation serve both NIST 800-171 and CMMC assessments?
Yes, and this is the most efficient approach. A System Security Plan (SSP) built to NIST SP 800-171 standards, with practices documented against all 14 domains and supported by operational evidence, serves as the primary documentation artifact for both the NIST 800-171 SPRS assessment and CMMC Level 2 C3PAO review. Organizations that maintain a single, always-current SSP and POA&M — rather than separate documents for each framework — avoid documentation inconsistencies and reduce assessment preparation time significantly.