CMMC vs NIST 800-171: Complete Comparison 2026
Posted: May 21, 2026 to Compliance.
If you have a NIST SP 800-171 System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a Supplier Performance Risk System (SPRS) score posted under DFARS 252.204-7019, you are roughly 80 percent of the way to CMMC Level 2. The remaining 20 percent is where most defense contractors stumble in 2026, because it shifts from self-attested paperwork to a Cyber AB ecosystem of third-party assessors, affirmations, and contractual flowdown that the Department of Defense now actively enforces under the CMMC Program Final Rule (32 CFR Part 170, effective December 16, 2024) and DFARS 252.204-7021.
This guide answers the questions Petronella Technology Group hears every week from prime contractors, subs, and engineering firms handling Controlled Unclassified Information (CUI): what is the difference between NIST 800-171 and CMMC, do I need both, where do the 110 controls fit, what does Level 3 actually require, and what changes when a C3PAO walks in the door instead of an internal compliance lead checking boxes against an SSP. Craig Petronella, CMMC-RP and lead author of this article, walks you through the same framework Petronella uses on RPO-led engagements (Cyber AB RPO #1449) for clients across the Carolinas, Virginia, Georgia, Alabama, and the broader DoD Southeast supply chain.
Spoiler answer up front: NIST 800-171 is the requirement. CMMC is the verification mechanism the DoD uses to confirm you actually meet it. If you are 800-171 compliant on paper, you have done the hardest technical work. CMMC adds proof, repeatability, and accountability on top.
What is NIST SP 800-171?
NIST Special Publication 800-171 is a National Institute of Standards and Technology publication titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It was first published in June 2015 and is currently in Revision 2 (R2, February 2020) for active DoD enforcement. NIST 800-171 Revision 3 was finalized in May 2024, but the DoD has formally announced that contractual enforcement remains on R2 until DFARS is updated, which is not expected before 2027. Always build your SSP against R2 unless a contract clause explicitly references R3.
The publication defines 110 security requirements organized across 14 control families. Each requirement is derived from the moderate-impact baseline of NIST SP 800-53, tailored down to controls applicable to nonfederal systems that store, process, or transmit CUI.
The 14 control families in NIST 800-171 R2
- 3.1 Access Control - 22 requirements
- 3.2 Awareness and Training - 3 requirements
- 3.3 Audit and Accountability - 9 requirements
- 3.4 Configuration Management - 9 requirements
- 3.5 Identification and Authentication - 11 requirements
- 3.6 Incident Response - 3 requirements
- 3.7 Maintenance - 6 requirements
- 3.8 Media Protection - 9 requirements
- 3.9 Personnel Security - 2 requirements
- 3.10 Physical Protection - 6 requirements
- 3.11 Risk Assessment - 3 requirements
- 3.12 Security Assessment - 4 requirements
- 3.13 System and Communications Protection - 16 requirements
- 3.14 System and Information Integrity - 7 requirements
These 110 requirements protect CUI inside contractor environments. The publication itself does not specify how compliance is verified - that responsibility falls to the contracting agency. For the DoD, that verification mechanism was historically a contractor self-attestation under DFARS 252.204-7012. After the 2017-2020 series of high-profile defense industrial base breaches (including the 2018 SUBSEC compromise that exfiltrated 614 GB of unclassified-but-sensitive Sea Dragon naval program data), the Pentagon concluded self-attestation alone was insufficient. CMMC was the answer.
For a deeper technical walkthrough of each family, see Petronella's NIST 800-171 compliance overview.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is the DoD's program to verify, certify, and contractually enforce cybersecurity practices for the Defense Industrial Base (DIB). It does not replace NIST 800-171. It wraps 800-171 in an accountability and assessment ecosystem.
The CMMC program is administered by the Cyber AB (formerly the CMMC Accreditation Body), a nonprofit organization authorized by the DoD to accredit the assessor ecosystem. The Cyber AB credentials Registered Practitioner Organizations (RPOs, like Petronella Technology Group at RPO #1449), Registered Practitioners (RPs), Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), and Certified Third Party Assessor Organizations (C3PAOs). C3PAOs perform the actual Level 2 assessments. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a DoD government body, conducts Level 3 assessments and selected high-priority Level 2 assessments.
The CMMC Program Final Rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024 and became effective on December 16, 2024. The companion DFARS rule (48 CFR Part 204, including the updated DFARS 252.204-7021 contract clause) was finalized in 2025 and is being rolled into solicitations through a four-phase implementation that runs through 2028.
CMMC has three levels under the current 2.0 model, replacing the original five-level 1.0 model that was scrapped in November 2021 after industry feedback that the original program was unworkable for small contractors.
Side-by-side comparison: NIST 800-171 vs CMMC Level 2
Most defense contractors who ask "what is the difference" are really asking about NIST 800-171 R2 versus CMMC Level 2, because Level 2 is the level that maps directly to the 110 controls. Here is the head-to-head:
| Dimension | NIST SP 800-171 R2 | CMMC Level 2 (2.0) |
|---|---|---|
| Origin authority | NIST (Department of Commerce) | DoD CIO via 32 CFR 170; assessment ecosystem governed by Cyber AB |
| Legal teeth | Referenced by DFARS 252.204-7012 since December 2017 | Referenced by DFARS 252.204-7021; finalized 2025 |
| Scope | Any nonfederal system that processes, stores, or transmits CUI | Any DoD contractor or subcontractor that handles CUI under a contract with the 7021 clause |
| Assessment method | Self-assessment scored against DoD Assessment Methodology and posted to SPRS | Triennial C3PAO assessment for most Level 2 contracts; self-assessment permitted only for select non-prioritized CUI |
| Score range | -203 to +110 on the DoD Assessment Methodology | 110 practices, all must be MET or on a closed POA&M to certify |
| POA&M handling | Open POA&Ms allowed indefinitely under self-attestation | POA&Ms allowed only on a limited subset of controls and must be closed within 180 days |
| SSP required | Yes (3.12.4) | Yes, plus must match what the assessor observes |
| Affirmation | Not formally required | Annual senior official affirmation in SPRS required (32 CFR 170.22) |
| Flowdown | DFARS 7012 flows full clause to subs | DFARS 7021 flows certification requirement to subs, including the assessment level appropriate to the CUI they handle |
| Enforcement risk | False Claims Act exposure for inaccurate SPRS scores (DOJ Civil Cyber-Fraud Initiative, active since October 2021) | Same FCA exposure plus contract ineligibility absent certification |
| Certificate validity | N/A | 3 years, with annual affirmation |
The 110-control mapping: NIST 800-171 R2 inside CMMC Level 2
CMMC Level 2 is the 110 controls of NIST 800-171 R2. The mapping is one-to-one - there are no Level 2 practices outside 800-171, and there are no 800-171 controls excluded from Level 2. What changes is the rigor of assessment, the documentation evidence required, and the consequence of a finding.
| Family | 800-171 R2 Requirements | CMMC Level 2 Practices | Notes |
|---|---|---|---|
| Access Control (AC) | 22 | 22 | Highest-weight family, includes MFA, session lock, remote access |
| Awareness and Training (AT) | 3 | 3 | Insider threat training is in scope |
| Audit and Accountability (AU) | 9 | 9 | Log retention, time synchronization, audit reduction |
| Configuration Management (CM) | 9 | 9 | Baseline configs, least functionality, blacklist/whitelist apps |
| Identification and Authentication (IA) | 11 | 11 | MFA for privileged and remote access, password complexity, FIPS-validated crypto |
| Incident Response (IR) | 3 | 3 | 72-hour incident reporting to DC3 under DFARS 7012 still applies |
| Maintenance (MA) | 6 | 6 | Remote maintenance authorization and oversight |
| Media Protection (MP) | 9 | 9 | FIPS-validated encryption on portable storage |
| Personnel Security (PS) | 2 | 2 | Screening and post-employment access termination |
| Physical Protection (PE) | 6 | 6 | Visitor logs, monitoring devices, escort |
| Risk Assessment (RA) | 3 | 3 | Periodic risk assessment, vulnerability scanning, remediation |
| Security Assessment (CA) | 4 | 4 | SSP, POA&M, control assessment, monitoring |
| System and Communications Protection (SC) | 16 | 16 | Boundary protection, encryption in transit, mobile code, VoIP |
| System and Information Integrity (SI) | 7 | 7 | Flaw remediation, malicious code protection, monitoring |
| Total | 110 | 110 | Identical control surface |
If you have validated implementation of all 110 controls, your CMMC Level 2 assessment is technical preparation, not technical remediation. The difference is the evidence package: object-level artifacts, sample-tested system logs, interview readiness for the system owner, and a defensible chain from policy to procedure to implementation to monitoring evidence.
Where CMMC adds requirements above NIST 800-171
This is where most "I'm already compliant" contractors get surprised. CMMC layers five categories of additional obligation on top of the underlying 800-171 controls.
1. Evidence depth on POA&Ms
Under self-attestation against 800-171, a POA&M could read "Mature MFA on contractor laptops - target Q4 2026" and stay open for years. Under CMMC, POA&Ms are permitted only on a limited list of controls (no POA&M on the highest-weighted controls like MFA, FIPS encryption, or limit access to authorized users), must have specific closure dates, and must be closed within 180 days of conditional certification or the cert lapses.
2. Continuous monitoring posture
CMMC assessors are explicitly instructed to test whether the SSP is a living document. Stale procedures, last-reviewed dates more than a year old, or evidence that the SSP does not match the field configuration all count as findings. Petronella sees this fail rate the most on legacy SSPs written in 2018 that nobody has touched since the original DFARS 7012 deadline.
3. Annual senior-official affirmation
32 CFR 170.22 requires that a senior official of the contractor affirm compliance in SPRS annually, not just at certification. This affirmation carries direct False Claims Act exposure under the DOJ Civil Cyber-Fraud Initiative. The CISO or compliance lead who signed last year's affirmation is the named individual on the hook if a misrepresentation is later discovered.
4. Joint Surveillance Voluntary Assessment (JSVA) pathway
For contractors aiming at Level 2 with priority CUI, DIBCAC offers a JSVA program that provides three years of provisional Level 2 certification when conducted alongside a C3PAO. This is not available to a self-attestation regime.
5. Level 3 enhanced requirements
Level 3 layers a curated subset of NIST SP 800-172 enhanced security requirements on top of the Level 2 baseline. These controls address advanced persistent threats (APTs) and include penetration testing, threat hunting, cyber resiliency engineering, and supply chain risk management practices not present anywhere in 800-171. Level 3 assessments are conducted by DIBCAC, not C3PAOs.
The three CMMC levels and where NIST 800-171 lands
Level 1 - Foundational
Level 1 maps to the 15 basic safeguarding controls in FAR 52.204-21, not to NIST 800-171. This applies to contractors handling Federal Contract Information (FCI) only, no CUI. Self-assessment is permitted annually. There are no POA&Ms allowed at Level 1 - all 15 practices must be MET. Many small contractors mistakenly believe Level 1 covers them; if your contract references CUI handling, you are Level 2 minimum.
Level 2 - Advanced
Level 2 maps to the full 110 controls of NIST SP 800-171 R2. This is the level that applies to the overwhelming majority of DoD contracts involving CUI. Most Level 2 contracts will require a triennial C3PAO assessment; a smaller subset (non-prioritized CUI) may permit annual self-assessment. The DoD has stated approximately 80,000 contractors will require third-party Level 2 certification.
Level 3 - Expert
Level 3 layers a subset of NIST SP 800-172 enhanced controls on top of Level 2. This applies to contractors handling CUI associated with the DoD's highest-priority programs - typically unclassified-but-sensitive information related to nuclear, missile, space, or APT-targeted programs. Level 3 assessments are conducted by DIBCAC on a triennial cycle, and most contractors at this level also maintain Top Secret facility clearances.
Petronella's full-team CMMC-RP credentialing supports Level 1, Level 2, AND Level 3 readiness engagements. We do not refer Level 3 clients out to a different specialist firm. For an exhaustive Level 2 prep walkthrough, see CMMC Level 2 implementation.
"I'm 800-171 compliant - am I CMMC compliant?"
If you are genuinely 800-171 compliant - meaning you have a complete SSP that matches your environment, an honestly scored SPRS posting, current POA&Ms with realistic closure dates, FIPS-validated cryptography in place, MFA enforced on all privileged and remote access, audit logging in operation with retention, and your incident response plan is exercised at least annually - you have done the technical heavy lifting for CMMC Level 2.
What changes when CMMC certification arrives:
- Third-party assessment. A C3PAO walks your environment, samples logs, interviews staff, and tests evidence against MET / NOT MET / NOT APPLICABLE. There is no "we are working on that" answer under CMMC scoring.
- Affirmation in SPRS. A senior official affirms CMMC compliance in SPRS annually. The affirmation is a separate posting from the original score and creates a fresh False Claims Act window each year.
- POA&M closure clocks. Open POA&Ms must be closed within 180 days of conditional certification. The CMMC ecosystem does not tolerate the multi-year POA&Ms common under self-attestation.
- Twelve-month internal assessment cadence. Most Level 2 organizations move to a 12-month internal control assessment cadence to stay assessment-ready, even though the formal C3PAO recertification is triennial.
- Contractual flowdown. You must verify that your subcontractors hold the appropriate CMMC level for the CUI you flow down to them. This is now your prime contract obligation, not a downstream concern.
The DFARS 252.204-7019 / 7020 / 7021 chain
DoD does not enforce 800-171 or CMMC directly through NIST or the Cyber AB. It enforces them through DFARS contract clauses. Three clauses form the enforcement chain.
DFARS 252.204-7019 - Notice of NIST SP 800-171 DoD Assessment Requirements
Effective November 30, 2020, this clause requires contractors to have a current (within 3 years) NIST 800-171 DoD Assessment posted to SPRS at the time of contract award for any solicitation containing DFARS 252.204-7012. The assessment can be Basic (self-assessment), Medium (DoD-led), or High (DIBCAC-led). Most contractors begin with a Basic self-assessment.
DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment Requirements
Companion clause to 7019. Requires the contractor to provide DoD access to facilities, systems, and personnel necessary to conduct a Medium or High assessment, and to flow the same clause to subcontractors handling covered defense information. This is where DoD reserves the right to escalate from a self-assessment to a government-led assessment.
DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements
The CMMC enforcement clause. Finalized in 2025, this clause requires contractors to maintain the CMMC level identified in the solicitation throughout contract performance. Implementation rolls in across four phases through 2028: Phase 1 introduced 7021 in select solicitations starting in 2025; Phase 2 expanded to most Level 2 self-assessment contracts; Phase 3 added Level 2 C3PAO requirements; Phase 4 (full implementation) will see 7021 in all applicable DoD contracts.
SPRS scoring under DFARS 7019/7020
The Supplier Performance Risk System (SPRS) is the DoD's repository for contractor risk and assessment data. Under DFARS 7019, contractors post their NIST 800-171 DoD Assessment score to SPRS using the DoD Assessment Methodology, which scores from a perfect +110 down to a worst-case -203 based on the weighted point value of each unmet control.
A perfect score of +110 indicates all 110 controls implemented. Controls are weighted at 5, 3, or 1 points based on impact, and missing controls subtract their full weighted value. Multifactor authentication, FIPS-validated encryption, and limiting access to authorized users carry 5-point weights and contribute disproportionately to score drops when missing.
For a tool that walks you through your own score calculation, use Petronella's free SPRS Calculator. This is the same methodology a C3PAO uses on their initial gap analysis pass, and we built it to match the DoD Assessment Methodology scoring rubric exactly.
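A calculator for the scoring rules just described, added here as an example (it is not Petronella's SPRS Calculator or DoD software): weights of 5, 3 or 1 subtracted from 110, the partial-credit rule the DoD Assessment Methodology gives 3.5.3 and 3.13.11, and the 32 CFR 170.21 POA&M limits (80 percent minimum score, 1-point items only, 3.13.11 excepted) that this page does not spell out. The control list is a constructed sample, not the full 110-control table, and the check does not encode the handful of specific 1-point requirements the rule also bars from a POA&M.

```python
"""SPRS score and Level 2 POA&M eligibility under the DoD Assessment Methodology.
Added example, not Petronella's SPRS Calculator or DoD software; the control
list at the bottom is a constructed sample, not the full 110-control table."""
from __future__ import annotations
from dataclasses import dataclass

PERFECT_SCORE = 110          # all 110 controls MET
WORST_SCORE = -203           # every control NOT MET: 110 minus the sum of all weights
VALID_WEIGHTS = {5, 3, 1}

# Partial-credit rule in the DoD Assessment Methodology: these two 5-point controls
# lose only 3 points when partially implemented (3.5.3: MFA on remote and privileged
# access but not general users; 3.13.11: encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR 170.21 (not stated on this page): a Level 2 conditional certification needs
# a score of at least 80% and a POA&M holding only 1-point items, except 3.13.11 at 3.
CONDITIONAL_MIN_SCORE = int(0.8 * PERFECT_SCORE)   # 88


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int      # 5, 3 or 1 as assigned by the methodology
    status: str      # "met", "partial", "not_met" or "not_applicable"


def deduction(control: Control) -> int:
    """Points subtracted from 110 for one control."""
    if control.weight not in VALID_WEIGHTS:
        raise ValueError(f"{control.control_id}: weight must be 5, 3 or 1")
    if control.status in ("met", "not_applicable"):
        return 0
    if control.status == "not_met":
        return control.weight
    if control.status == "partial":
        # Only 3.5.3 and 3.13.11 get partial credit; elsewhere partial scores as NOT MET.
        return PARTIAL_CREDIT.get(control.control_id, control.weight)
    raise ValueError(f"{control.control_id}: unknown status {control.status!r}")


def sprs_score(controls: list[Control]) -> int:
    """110 minus the weighted deductions. Any control not listed is treated as MET,
    so a real SPRS posting must be computed over all 110 entries."""
    ids = [c.control_id for c in controls]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control IDs")
    return PERFECT_SCORE - sum(deduction(c) for c in controls)


def poam_eligible(control: Control) -> bool:
    """True if this control is MET or may sit on a Level 2 conditional-cert POA&M."""
    d = deduction(control)
    return d == 0 or d == 1 or (control.control_id == "3.13.11" and d == 3)


def poam_blockers(controls: list[Control]) -> list[str]:
    """Gaps that cannot be POA&M'd and therefore block even conditional certification."""
    return [c.control_id for c in controls if not poam_eligible(c)]


def conditional_certification_possible(controls: list[Control]) -> bool:
    return sprs_score(controls) >= CONDITIONAL_MIN_SCORE and not poam_blockers(controls)


# Constructed sample: MFA only on remote/privileged access, AES without a FIPS
# certificate, no incident-response exercise, and no audit logging at all.
SAMPLE = [
    Control("3.1.1", 5, "met"),
    Control("3.5.3", 5, "partial"),       # -3, still not POA&M-eligible
    Control("3.13.11", 5, "partial"),     # -3, the one 3-point POA&M exception
    Control("3.6.3", 1, "not_met"),       # -1, POA&M-eligible
    Control("3.3.1", 5, "not_met"),       # -5, blocks certification outright
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    print("POA&M blockers:", poam_blockers(SAMPLE))
    print("Conditional cert possible:", conditional_certification_possible(SAMPLE))
```

The sample scores 98, above the 88 floor, yet cannot be conditionally certified because two 5-point gaps are not POA&M-eligible; that is the "MFA exception that swallows the control" pattern in numbers.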
Common transition mistakes from 800-171 to CMMC
Petronella's CMMC-RP team sees the same five to seven patterns across most engagements. None of these involve fabricated stats - they are observable in any honest C3PAO post-assessment debrief.
- SSP that does not match the environment. The most common Level 2 finding. The SSP describes a 2018-vintage network; the actual environment has moved to Microsoft 365 GCC High, Azure Virtual Desktop, or a managed XDR stack with completely different boundaries.
- POA&Ms with no closure dates. Or with closure dates that have passed. Under self-attestation this was tolerated. Under CMMC it is a finding.
- FIPS-validated crypto claims without FIPS 140-2 or 140-3 certificate IDs. Saying "we use AES-256" is not the same as documenting the FIPS certificate number for the validated module. CMMC assessors will ask for the certificate.
- MFA exceptions that swallow the control. Carving out "service accounts" or "legacy ERP" from MFA enforcement without compensating controls is a 5-point hit and not POA&M-eligible at Level 2.
- Boundary diagram does not show the CUI flow. Network diagrams that show subnets but not where CUI enters, is processed, is stored, and exits the boundary will trigger findings on 3.13 family controls.
- Subcontractor flowdown not documented. A prime cannot point at a subcontractor's SPRS posting; the prime is responsible for verifying the sub holds the right CMMC level.
- Annual incident response tabletop not exercised. 3.6.3 requires testing the incident response capability. A signed plan with no exercise log is a finding.
For a tactical deep-dive on CUI handling specifically for subcontractors, see CUI handling for DoD subcontractors.
Petronella's CMMC and NIST 800-171 services
Petronella Technology Group is a Cyber AB Registered Practitioner Organization (RPO #1449) with a fully CMMC-RP credentialed delivery team. Craig Petronella, founder and lead RP, holds CMMC-RP, CCNA, CWNE, Digital Forensic Examiner #604180, and an MIT Certificate in Artificial Intelligence and Blockchain. The team operates from Petronella's Raleigh, NC headquarters at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606, with drivable on-site coverage across the Southeast (NC, SC, VA, GA, AL, FL, TN) and the broader Mid-Atlantic DMV region (DC, MD).
Engagements cover the full lifecycle: NIST 800-171 R2 gap assessment, SPRS scoring, SSP and POA&M development, the ComplianceArmor documentation platform (from $497 per month for ongoing SSP / POA&M / affirmation evidence management), CMMC Level 1, Level 2, and Level 3 readiness, C3PAO pre-assessment, and post-assessment remediation. Petronella also operates a private AI infrastructure for clients handling CUI workloads that cannot legally use public AI services like ChatGPT or Claude.ai - a growing concern as engineering firms, machine shops, and defense subs ask whether AI tools can touch CUI data.
If you are evaluating an RPO, see ComplianceArmor for the documentation platform and CMMC compliance overview for service-level detail.
Frequently Asked Questions
Is CMMC Level 2 the same as NIST 800-171?
Practically yes for the technical control surface - CMMC Level 2 enforces the same 110 controls as NIST 800-171 R2. The difference is the assessment mechanism: CMMC adds C3PAO third-party verification, annual senior-official affirmation, POA&M closure timelines, and contractual flowdown enforcement under DFARS 252.204-7021.
Do I need CMMC if I am already NIST 800-171 compliant?
If your DoD contract references DFARS 252.204-7021 (the CMMC clause), yes. Self-attested 800-171 compliance is no longer sufficient for most CUI-handling contracts during the phased rollout that completes in 2028. You will need a C3PAO Level 2 certification for most prioritized-CUI contracts.
What is the difference between CMMC 2.0 and NIST 800-171?
CMMC 2.0 is the DoD program that uses NIST 800-171 R2 as its Level 2 control baseline, with Level 1 mapping to FAR 52.204-21 (15 controls for FCI only) and Level 3 layering NIST 800-172 enhanced controls on top of Level 2. NIST 800-171 itself is a NIST publication, not a DoD program.
How long does CMMC Level 2 certification last?
Three years, with annual senior-official affirmation in SPRS during the certification period. Recertification by a C3PAO is required at the three-year mark.
Can a subcontractor have a lower CMMC level than the prime?
Yes, if the subcontractor only handles a lower-sensitivity portion of the work. The prime is responsible for flowing the appropriate CMMC level to each subcontractor based on the CUI that subcontractor will actually touch. A subcontractor that handles no CUI at all may operate at Level 1 (FCI only).
What happens to my NIST 800-171 SPRS score after CMMC?
The SPRS score remains relevant during the CMMC phased rollout and continues to apply on contracts that have not yet incorporated DFARS 7021. Many contractors maintain both postings during the transition. Once a contract is fully under 7021, the CMMC certification status supersedes the standalone 800-171 self-assessment score for that contract.
Is NIST 800-171 Revision 3 in effect for CMMC?
No. The DoD has stated CMMC Level 2 will continue to assess against NIST 800-171 R2 until DFARS is updated to reference R3, which is not expected before 2027 at the earliest. Build your SSP against R2 unless a specific contract clause references R3.
What does Petronella's CMMC engagement typically cost?
Pricing depends on environment size, control gap depth, and whether the engagement includes a ComplianceArmor documentation platform subscription. ComplianceArmor itself is from $497 per month for ongoing documentation management. Call (919) 348-4912 or visit our contact page for a custom-scoped quote.
Ready to move from NIST 800-171 to CMMC?
If you have a contract that references DFARS 252.204-7021, a prime asking about your CMMC plan, or an existing 800-171 SSP that has not been touched since the 2017 DFARS 7012 deadline, the right next step is a 30-minute scoping call with a credentialed CMMC Registered Practitioner. Petronella does not outsource CMMC delivery, does not white-label another firm's work, and does not refer Level 3 engagements elsewhere. The team that scopes your engagement is the team that runs it.
Call Petronella Technology Group at (919) 348-4912 or visit /contact-us/ to schedule a CMMC scoping call. For self-service tools, the SPRS Calculator gives you an honest DoD Assessment Methodology score in about 20 minutes, and CMMC compliance walks you through the full program detail.